add config options for tls ca and client auth (#137)

will require doc changes

Author: jrcamp

config/config.go

@@ -53,10 +53,15 @@ type userConfig struct {
 		Skip  string
 	}
 	Kubernetes *struct {
-		IgnoreTLSVerify bool `yaml:"ignoreTLSVerify,omitempty"`
-		Role            string
-		Cluster         string
-		CAdvisorURL     string `yaml:"cadvisorURL,omitempty"`
+		TLS struct {
+			SkipVerify bool   `yaml:"skipVerify"`
+			ClientCert string `yaml:"clientCert"`
+			ClientKey  string `yaml:"clientKey"`
+			CACert     string `yaml:"caCert"`
+		} `yaml:"tls"`
+		Role        string
+		Cluster     string
+		CAdvisorURL string `yaml:"cadvisorURL,omitempty"`
 	}
 	Mesosphere *struct {
 		Cluster      string
@@ -125,7 +130,15 @@ func loadUserConfig(pair *store.KVPair) error {
 				plugins["cadvisor"] = cadvisor
 			}
 			kubernetes := map[string]interface{}{}
-			kubernetes["ignoretlsverify"] = kube.IgnoreTLSVerify
+
+			tls := kube.TLS
+			tlsConfig := map[string]interface{}{
+				"caCert":     tls.CACert,
+				"skipVerify": tls.SkipVerify,
+				"clientCert": tls.ClientCert,
+				"clientKey":  tls.ClientKey,
+			}
+			kubernetes["tls"] = tlsConfig
 			plugins["kubernetes"] = kubernetes
 		}
 	}

etc/kubernetes-defaults.yaml

@@ -3,9 +3,10 @@ pipeline: kubernetes
 plugins:
   kubernetes:
       plugin: observers/kubernetes
-      hostUrl: https://localhost:10250
-      # Whether to ignore SSL certification validation errors.
-      # ignoreTLSVerify: false
+      # hostUrl: https://<hostname>:10250
+      # tls:
+      #   # Whether to ignore SSL certification validation errors.
+      #   skipVerify: false
 
   integrations:
     overrides: /mnt/integrations

plugins/observers/kubernetes/kubernetes.go

@@ -15,6 +15,7 @@ import (
 	"encoding/json"
 
 	"crypto/tls"
+	"crypto/x509"
 
 	"github.com/signalfx/neo-agent/plugins"
 	"github.com/signalfx/neo-agent/services"
@@ -94,20 +95,61 @@ func (k *Kubernetes) Configure(config *viper.Viper) error {
 }
 
 func (k *Kubernetes) load() error {
-	if hostname, err := os.Hostname(); err == nil {
-		k.Config.SetDefault("hosturl", fmt.Sprintf("https://%s:%d", hostname, DefaultPort))
+	hostname, err := os.Hostname()
+	if err != nil {
+		hostname = "localhost"
 	}
+	k.Config.SetDefault("hosturl", fmt.Sprintf("https://%s:%d", hostname, DefaultPort))
 
 	hostURL := k.Config.GetString("hosturl")
 	if len(hostURL) == 0 {
 		return errors.New("hostURL config value missing")
 	}
 	k.hostURL = hostURL
 
+	skipVerify := k.Config.GetBool("tls.skipverify")
+	caCert := k.Config.GetString("tls.cacert")
+	clientCert := k.Config.GetString("tls.clientcert")
+	clientKey := k.Config.GetString("tls.clientkey")
+
+	certs, err := x509.SystemCertPool()
+	if err != nil {
+		return err
+	}
+
+	if caCert != "" {
+		bytes, err := ioutil.ReadFile(caCert)
+		if err != nil {
+			return fmt.Errorf("unable to read CA certificate: %s", err)
+		}
+		if !certs.AppendCertsFromPEM(bytes) {
+			return fmt.Errorf("unable to add %s to certs", caCert)
+		}
+		log.Printf("configured TLS cert from %s", caCert)
+	}
+
+	var clientCerts []tls.Certificate
+
+	if clientCert != "" && clientKey != "" {
+		cert, err := tls.LoadX509KeyPair(clientCert, clientKey)
+		if err != nil {
+			return err
+		}
+		clientCerts = append(clientCerts, cert)
+		log.Printf("configured TLS client cert %s with key %s", clientCert, clientKey)
+	}
+
+	tlsConfig := &tls.Config{
+		Certificates:       clientCerts,
+		InsecureSkipVerify: skipVerify,
+		RootCAs:            certs,
+	}
+	tlsConfig.BuildNameToCertificate()
+
+	log.Printf("configured InsecureSkipVerify=%t", skipVerify)
+
 	transport := &http.Transport{
-		TLSClientConfig: &tls.Config{
-			InsecureSkipVerify: k.Config.GetBool("ignoretlsverify"),
-		},
+		TLSClientConfig: tlsConfig,
 	}
 	k.client = http.Client{
 		Timeout:   10 * time.Second,