Exposed loki CA certificate path configuration (#181)

OlivierCazade · web-flow · commit e6253c62faf8 · 2022-07-06T12:11:49.000Z
diff --git a/cmd/plugin-backend.go b/cmd/plugin-backend.go
@@ -30,6 +30,7 @@ var (
 	lokiLabels     = flag.String("loki-labels", "SrcK8S_Namespace,SrcK8S_OwnerName,DstK8S_Namespace,DstK8S_OwnerName,FlowDirection", "Loki labels, comma separated")
 	lokiTimeout    = flag.Duration("loki-timeout", 10*time.Second, "Timeout of the Loki query to retrieve logs")
 	lokiTenantID   = flag.String("loki-tenant-id", "", "Tenant organization ID for multi-tenant-loki (submitted as the X-Scope-OrgID HTTP header)")
+	lokiCAPath     = flag.String("loki-ca-path", "", "Path to loki CA certificate")
 	lokiSkipTLS    = flag.Bool("loki-skip-tls", false, "Skip TLS checks for loki HTTPS connection")
 	lokiMock       = flag.Bool("loki-mock", false, "Fake loki results using saved mocks")
 	logLevel       = flag.String("loglevel", "info", "log level (default: info)")
@@ -74,7 +75,7 @@ func main() {
 		CORSAllowMethods: *corsMethods,
 		CORSAllowHeaders: *corsHeaders,
 		CORSMaxAge:       *corsMaxAge,
-		Loki:             loki.NewConfig(lURL, *lokiTimeout, *lokiTenantID, *lokiSkipTLS, *lokiMock, strings.Split(lLabels, ",")),
+		Loki:             loki.NewConfig(lURL, *lokiTimeout, *lokiTenantID, *lokiSkipTLS, *lokiCAPath, *lokiMock, strings.Split(lLabels, ",")),
 		FrontendConfig:   *frontendConfig,
 	})
 }
diff --git a/pkg/handler/loki.go b/pkg/handler/loki.go
@@ -44,7 +44,7 @@ func newLokiClient(cfg *loki.Config) httpclient.Caller {
 	}
 
 	// TODO: loki with auth
-	return httpclient.NewHTTPClient(cfg.Timeout, headers, cfg.SkipTLS)
+	return httpclient.NewHTTPClient(cfg.Timeout, headers, cfg.SkipTLS, cfg.CAPath)
 }
 
 /* loki query will fail if spaces or quotes are not encoded
diff --git a/pkg/httpclient/http_client.go b/pkg/httpclient/http_client.go
@@ -2,6 +2,7 @@ package httpclient
 
 import (
 	"crypto/tls"
+	"crypto/x509"
 	"io/ioutil"
 	"net"
 	"net/http"
@@ -22,16 +23,24 @@ type httpClient struct {
 
 var slog = logrus.WithField("module", "server")
 
-func NewHTTPClient(timeout time.Duration, overrideHeaders map[string][]string, skipTLS bool) Caller {
+func NewHTTPClient(timeout time.Duration, overrideHeaders map[string][]string, skipTLS bool, capath string) Caller {
 	transport := &http.Transport{
 		DialContext:     (&net.Dialer{Timeout: timeout}).DialContext,
 		IdleConnTimeout: timeout,
 	}
 
-	//TODO: add loki tls config https://issues.redhat.com/browse/NETOBSERV-309
 	if skipTLS {
 		transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
 		slog.Warn("skipping TLS checks. SSL certificate verification is now disabled !")
+	} else if capath != "" {
+		caCert, err := ioutil.ReadFile(capath)
+		if err != nil {
+			slog.Errorf("Cannot load loki ca certificate: %v", err)
+		} else {
+			pool := x509.NewCertPool()
+			pool.AppendCertsFromPEM(caCert)
+			transport.TLSClientConfig = &tls.Config{RootCAs: pool}
+		}
 	}
 
 	return &httpClient{
diff --git a/pkg/loki/config.go b/pkg/loki/config.go
@@ -12,16 +12,18 @@ type Config struct {
 	Timeout  time.Duration
 	TenantID string
 	SkipTLS  bool
+	CAPath   string
 	UseMocks bool
 	Labels   map[string]struct{}
 }
 
-func NewConfig(url *url.URL, timeout time.Duration, tenantID string, skipTLS bool, useMocks bool, labels []string) Config {
+func NewConfig(url *url.URL, timeout time.Duration, tenantID string, skipTLS bool, capath string, useMocks bool, labels []string) Config {
 	return Config{
 		URL:      url,
 		Timeout:  timeout,
 		TenantID: tenantID,
 		SkipTLS:  skipTLS,
+		CAPath:   capath,
 		UseMocks: useMocks,
 		Labels:   utils.GetMapInterface(labels),
 	}
diff --git a/pkg/loki/query_test.go b/pkg/loki/query_test.go
@@ -12,7 +12,7 @@ import (
 func TestFlowQuery_AddLabelFilters(t *testing.T) {
 	lokiURL, err := url.Parse("/")
 	require.NoError(t, err)
-	cfg := NewConfig(lokiURL, time.Second, "", false, false, []string{"foo", "flis"})
+	cfg := NewConfig(lokiURL, time.Second, "", false, "", false, []string{"foo", "flis"})
 	query := NewFlowQueryBuilderWithDefaults(&cfg)
 	err = query.AddFilter("foo", `"bar"`)
 	require.NoError(t, err)
@@ -25,7 +25,7 @@ func TestFlowQuery_AddLabelFilters(t *testing.T) {
 func TestQuery_BackQuote_Error(t *testing.T) {
 	lokiURL, err := url.Parse("/")
 	require.NoError(t, err)
-	cfg := NewConfig(lokiURL, time.Second, "", false, false, []string{"lab1", "lab2"})
+	cfg := NewConfig(lokiURL, time.Second, "", false, "", false, []string{"lab1", "lab2"})
 	query := NewFlowQueryBuilderWithDefaults(&cfg)
 	assert.Error(t, query.AddFilter("key", "backquoted`val"))
 }
diff --git a/pkg/server/server_flows_test.go b/pkg/server/server_flows_test.go
@@ -231,6 +231,7 @@ func TestLokiFiltering(t *testing.T) {
 			time.Second,
 			"",
 			false,
+			"",
 			false,
 			[]string{"SrcK8S_Namespace", "SrcK8S_OwnerName", "DstK8S_Namespace", "DstK8S_OwnerName", "FlowDirection"},
 		),

Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,7 @@ func newLokiClient(cfg *loki.Config) httpclient.Caller {`
`44`	`44`	`}`
`45`	`45`
`46`	`46`	`// TODO: loki with auth`
`47`		`- return httpclient.NewHTTPClient(cfg.Timeout, headers, cfg.SkipTLS)`
	`47`	`+ return httpclient.NewHTTPClient(cfg.Timeout, headers, cfg.SkipTLS, cfg.CAPath)`
`48`	`48`	`}`
`49`	`49`
`50`	`50`	`/* loki query will fail if spaces or quotes are not encoded`