From ebe8b4130900b7a9a97509b94bb6d2f98dcd3a5b Mon Sep 17 00:00:00 2001 From: Mitch Nethercott <86002315+mitcherthewitcher@users.noreply.github.com> Date: Mon, 3 Mar 2025 11:03:44 -0500 Subject: [PATCH] Update Redis Enterprise to set tls_verify to true by default in check code (ECOINT-109) (#2607) * Update redis_enterprise to set tls_verify to false in check code and add corresponding test * Fix linting * Remove reduntant test code and push version to 2.0.0 for breaking change * Update install instructions to v2.0.0 * Update tls_verify default handling, spec.yaml, and tests * Update version to 1.1.2 * Change .get() to .setdefault(), sync ddev with latest for tls_cipher changes --- redis_enterprise/CHANGELOG.md | 6 ++++++ redis_enterprise/README.md | 2 +- redis_enterprise/assets/configuration/spec.yaml | 3 ++- .../datadog_checks/redis_enterprise/__about__.py | 2 +- .../datadog_checks/redis_enterprise/check.py | 1 + .../redis_enterprise/config_models/defaults.py | 2 +- .../redis_enterprise/config_models/instance.py | 1 + .../redis_enterprise/data/conf.yaml.example | 12 +++++++++++- redis_enterprise/tests/support.py | 2 ++ redis_enterprise/tests/test_redis_enterprise.py | 15 ++++++++++++++- 10 files changed, 40 insertions(+), 6 deletions(-) diff --git a/redis_enterprise/CHANGELOG.md b/redis_enterprise/CHANGELOG.md index 9894418b36..35f4852a5b 100644 --- a/redis_enterprise/CHANGELOG.md +++ b/redis_enterprise/CHANGELOG.md @@ -1,5 +1,11 @@ # CHANGELOG - Redis Enterprise +## 1.1.2 / 2025-02-28 + +***Changed***: + +* Update `tls_verify` handling in check code to ensure default is set to 'True' + ## 1.1.1 / 2025-01-21 ***Changed***: diff --git a/redis_enterprise/README.md b/redis_enterprise/README.md index 82ca604889..5aab055e66 100644 --- a/redis_enterprise/README.md +++ b/redis_enterprise/README.md @@ -16,7 +16,7 @@ For a full list of supported metrics, see the [Metrics](#metrics) section below. 1. Run the following command to install the Agent integration: ```shell - datadog-agent integration install -t datadog-redis_enterprise==1.1.1 + datadog-agent integration install -t datadog-redis_enterprise==1.1.2 ``` 2. Configure the integration by setting the `openmetrics_endpoint` to your cluster's master node. See [Integration][2] for further information. diff --git a/redis_enterprise/assets/configuration/spec.yaml b/redis_enterprise/assets/configuration/spec.yaml index 6fce79ad2c..5ec66c350a 100644 --- a/redis_enterprise/assets/configuration/spec.yaml +++ b/redis_enterprise/assets/configuration/spec.yaml @@ -14,9 +14,10 @@ files: The endpoint should be the URL of the metric exporter of the enterprise instance openmetrics_endpoint.display_priority: 3 tls_verify.value.example: false + tls_verify.value.display_default: true tls_verify.enabled: true tls_verify.display_priority: 1 extra_metrics.value.example: [ foo, bar ] extra_metrics.enabled: false exclude_metrics.value.example: [ foo, bar ] - exclude_metrics.enabled: false + exclude_metrics.enabled: false \ No newline at end of file diff --git a/redis_enterprise/datadog_checks/redis_enterprise/__about__.py b/redis_enterprise/datadog_checks/redis_enterprise/__about__.py index b3ddbc41f3..7b344eca4a 100644 --- a/redis_enterprise/datadog_checks/redis_enterprise/__about__.py +++ b/redis_enterprise/datadog_checks/redis_enterprise/__about__.py @@ -1 +1 @@ -__version__ = '1.1.1' +__version__ = '1.1.2' diff --git a/redis_enterprise/datadog_checks/redis_enterprise/check.py b/redis_enterprise/datadog_checks/redis_enterprise/check.py index 2afc2aa986..f468970203 100644 --- a/redis_enterprise/datadog_checks/redis_enterprise/check.py +++ b/redis_enterprise/datadog_checks/redis_enterprise/check.py @@ -18,6 +18,7 @@ def __init__(self, name, init_config, instances): def _parse_config(self): self.scraper_configs = [] metrics_endpoint = self.instance.get('openmetrics_endpoint') + self.instance.setdefault("tls_verify", True) metrics = self.get_default_config() additional = [] diff --git a/redis_enterprise/datadog_checks/redis_enterprise/config_models/defaults.py b/redis_enterprise/datadog_checks/redis_enterprise/config_models/defaults.py index 41f34e7140..0013907872 100644 --- a/redis_enterprise/datadog_checks/redis_enterprise/config_models/defaults.py +++ b/redis_enterprise/datadog_checks/redis_enterprise/config_models/defaults.py @@ -105,7 +105,7 @@ def instance_tls_use_host_header(): def instance_tls_verify(): - return False + return True def instance_use_latest_spec(): diff --git a/redis_enterprise/datadog_checks/redis_enterprise/config_models/instance.py b/redis_enterprise/datadog_checks/redis_enterprise/config_models/instance.py index 1e1cb123cd..07646f388b 100644 --- a/redis_enterprise/datadog_checks/redis_enterprise/config_models/instance.py +++ b/redis_enterprise/datadog_checks/redis_enterprise/config_models/instance.py @@ -137,6 +137,7 @@ class InstanceConfig(BaseModel): timeout: Optional[float] = None tls_ca_cert: Optional[str] = None tls_cert: Optional[str] = None + tls_ciphers: Optional[tuple[str, ...]] = None tls_ignore_warning: Optional[bool] = None tls_private_key: Optional[str] = None tls_protocols_allowed: Optional[tuple[str, ...]] = None diff --git a/redis_enterprise/datadog_checks/redis_enterprise/data/conf.yaml.example b/redis_enterprise/datadog_checks/redis_enterprise/data/conf.yaml.example index ae477b02ee..6ea88cf4bc 100644 --- a/redis_enterprise/datadog_checks/redis_enterprise/data/conf.yaml.example +++ b/redis_enterprise/datadog_checks/redis_enterprise/data/conf.yaml.example @@ -18,7 +18,7 @@ instances: # - openmetrics_endpoint: https://:8070/metrics - ## @param tls_verify - boolean - optional - default: false + ## @param tls_verify - boolean - optional - default: true ## Instructs the check to validate the TLS certificate of services. # tls_verify: false @@ -501,6 +501,16 @@ instances: # - TLSv1.2 # - TLSv1.3 + ## @param tls_ciphers - list of strings - optional + ## The list of ciphers suites to use when connecting to an endpoint. If not specified, + ## `ALL` ciphers are used. For list of ciphers see: + ## https://www.openssl.org/docs/man1.0.2/man1/ciphers.html + # + # tls_ciphers: + # - TLS_AES_256_GCM_SHA384 + # - TLS_CHACHA20_POLY1305_SHA256 + # - TLS_AES_128_GCM_SHA256 + ## @param headers - mapping - optional ## The headers parameter allows you to send specific headers with every request. ## You can use it for explicitly specifying the host header or adding headers for diff --git a/redis_enterprise/tests/support.py b/redis_enterprise/tests/support.py index 67eef25164..274e8656c3 100644 --- a/redis_enterprise/tests/support.py +++ b/redis_enterprise/tests/support.py @@ -16,6 +16,8 @@ ERSATZ_INSTANCE = {'openmetrics_endpoint': "https://localhost:8071/metrics", 'tags': ['instance']} +SSL_INSTANCE = {"openmetrics_endpoint": "https://localhost:8071/metrics", "tls_verify": True} + EPHEMERAL = [ "rdse.bdb_avg_latency", "rdse.bdb_avg_latency_max", diff --git a/redis_enterprise/tests/test_redis_enterprise.py b/redis_enterprise/tests/test_redis_enterprise.py index 7239018225..1d5963fb16 100644 --- a/redis_enterprise/tests/test_redis_enterprise.py +++ b/redis_enterprise/tests/test_redis_enterprise.py @@ -9,7 +9,7 @@ # from datadog_checks.dev.utils import get_metadata_metrics from datadog_checks.redis_enterprise.check import RedisEnterpriseCheck -from .support import CHECK, DEFAULT_METRICS, EPHEMERAL, ERSATZ_INSTANCE, INSTANCE, METRICS_MAP +from .support import CHECK, DEFAULT_METRICS, EPHEMERAL, ERSATZ_INSTANCE, INSTANCE, METRICS_MAP, SSL_INSTANCE ssl._create_default_https_context = ssl._create_unverified_context @@ -116,3 +116,16 @@ def test_invalid_instance(aggregator, dd_run_check, mock_http_response): assert True aggregator.assert_service_check(f'{RedisEnterpriseCheck.__NAMESPACE__}.node_imaginary', count=0) + + +@pytest.mark.unit +def test_invalid_ssl_instance(aggregator, dd_run_check, mock_http_response): + # Create instance with tls_verify: True + instance = deepcopy(SSL_INSTANCE) + instance.pop('tls_verify') # Simulating missing tls_verify in config + + check = RedisEnterpriseCheck(CHECK, {}, [instance]) + dd_run_check(check) + + # Ensure tls_verify defaults to True + assert check.scraper_configs[0]["tls_verify"] is True, "tls_verify should default to True"