Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Om 193 #122

Merged
merged 10 commits into from
Jun 18, 2024
Merged

Om 193 #122

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
92f4d66
OM-193 - initial check
mphanias May 25, 2024
88578d0
OM-193 - added call references
mphanias May 25, 2024
2c878d3
OM-193 - test feedback
mphanias May 25, 2024
007fcbb
OM-193 - review feedback
mphanias May 28, 2024
07851c5
OM-193 - updated README
mphanias May 28, 2024
5a1972f
OM-193 - fixed grammer mistakes
mphanias May 28, 2024
d85e667
OM-193 - review feedback
mphanias May 29, 2024
4dd50bf
OM-193 - review feedback
mphanias May 29, 2024
076e958
OM-193 - review feedback
mphanias Jun 13, 2024
17f1798
OM-193 - review feedback
mphanias Jun 18, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 7 additions & 1 deletion README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -356,6 +356,11 @@ make release-docker-multi-arch
# Root CA to validate client certificates (for mutual TLS)
root_ca = ""

# Golang - refer documentation https://pkg.go.dev/crypto/tls#pkg-constants of golang CipherSuites for TLS >=1.2 (both supported and Insecure)
# a comma separated TLS Cipher suites to use, example: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
# NOTE: Cipher configuration is support only till TLS1.2 verison and not possible in TLS1.3
tls_cipher_suites = ""

# Passphrase for encrypted key_file. Supports below formats,
# 1. Passphrase directly - "<passphrase>"
# 2. Passphrase via file - "file:<file-that-contains-passphrase>"
Expand All @@ -374,7 +379,8 @@ make release-docker-multi-arch
basic_auth_username=""
basic_auth_password=""
```

- NOTE: Minimum TLS version is 1.2, tls_cipher_suites can be configured only upto TLS1.2

- Use users' allowlist and blocklist configuration to filter out the users for which the statistics are to be fetched. The user statistics are available in Aerospike 5.6+. To fetch user statistics, the authenticated user must have `user-admin` privilege.
```toml
[Aerospike]
Expand Down
5 changes: 5 additions & 0 deletions configs/ape.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,11 @@
# Root CA to validate client certificates (for mutual TLS)
root_ca = ""

# a comma separated TLS Cipher suites to use, example: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
# Golang - refer documentation https://pkg.go.dev/crypto/tls#pkg-constants of golang CipherSuites for TLS >=1.2 (both supported and Insecure)
# NOTE: Cipher configuration is support only till TLS1.2 verison and not possible in TLS1.3
tls_cipher_suites = ""

# Passphrase for encrypted key_file. Supports below formats,
# 1. Passphrase directly - "<passphrase>"
# 2. Passphrase via file - "file:<file-that-contains-passphrase>"
Expand Down
46 changes: 46 additions & 0 deletions internal/pkg/commons/utils.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -327,3 +327,49 @@ func HandleSignals() {
}
}()
}

// Utility method fetch the support Cipher in the Golang/OS combination
//
// from configures ciphers in ape.toml, filters the matched and valid-ciphers
// Ciphers are configurable only upto TLS 1.2 version
func GetConfiguredCipherSuiteIds() []uint16 {
supportedCipherSuites := loadCipherSuitesList()
log.Trace("Supported CipherSuites ", supportedCipherSuites)

cipherSuiteIds := []uint16{}

if len(strings.Trim(config.Cfg.Agent.TlsCipherSuites, " ")) > 0 {
return cipherSuiteIds
}

log.Trace("Configured Cipher Suite Names : ", config.Cfg.Agent.TlsCipherSuites)
configuredCipherSuites := strings.Split(config.Cfg.Agent.TlsCipherSuites, ",")

for _, cipherName := range configuredCipherSuites {
cipherName = strings.Trim(cipherName, " ")

if len(cipherName) == 0 {
continue
}

id, ok := supportedCipherSuites[strings.ToUpper(cipherName)]
if !ok {
log.Error("Unrecognized TLS Cipher Name, ignoring : ", cipherName)
} else {
cipherSuiteIds = append(cipherSuiteIds, id)
}

}

return cipherSuiteIds
}

func loadCipherSuitesList() map[string]uint16 {
supportedCipherSuites := make(map[string]uint16)
// supported secure cipher suites
for _, suite := range tls.CipherSuites() {
supportedCipherSuites[suite.Name] = suite.ID
}

return supportedCipherSuites
}
1 change: 1 addition & 0 deletions internal/pkg/config/config.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ type Config struct {
KeyFile string `toml:"key_file"`
RootCA string `toml:"root_ca"`
KeyFilePassphrase string `toml:"key_file_passphrase"`
TlsCipherSuites string `toml:"tls_cipher_suites"`

BasicAuthUsername string `toml:"basic_auth_username"`
BasicAuthPassword string `toml:"basic_auth_password"`
Expand Down
2 changes: 2 additions & 0 deletions internal/pkg/executors/prometheus_httplistener.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -112,10 +112,12 @@ func initExporterTLS() *tls.Config {
log.Fatal(err)
}

// Golang docs -- https://pkg.go.dev/crypto/tls#section-documentation
tlsConfig := &tls.Config{
Certificates: serverPool,
MinVersion: tls.VersionTLS12,
CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
CipherSuites: commons.GetConfiguredCipherSuiteIds(),
PreferServerCipherSuites: true,
InsecureSkipVerify: false,
}
Expand Down
Loading