Merge branch 'PureStorage-OpenConnect:main' into update-grafana-dash-and-docs

Author: james-laing

.github/workflows/release.yaml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v3
-    - uses: wangyoucao577/go-release-action@v1.30
+    - uses: wangyoucao577/go-release-action@v1
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
         goos: linux

Makefile

@@ -3,7 +3,7 @@ GOTEST=$(GOCMD) test
 GOVET=$(GOCMD) vet
 BINARY_NAME=pure-fb-om-exporter
 MODULE_NAME=purestorage/fb-openmetrics-exporter
-VERSION?=1.0.6
+VERSION?=1.0.7
 SERVICE_PORT?=9491
 DOCKER_REGISTRY?= quay.io/purestorage/
 EXPORT_RESULT?=false # for CI please set EXPORT_RESULT to true

README.md

@@ -74,21 +74,25 @@ Authentication is used by the exporter as the mechanism to cross authenticate to
 The first option requires specifying the api-token value as the authorization parameter of the specific job in the Prometheus configuration file.
 The second option provides the FlashBlade/api-token key-pair map for a list of arrays in a simple YAML configuration file that is passed as parameter to the exporter. This makes possible to write more concise Prometheus configuration files and also to configure other scrapers that cannot use the HTTP authentication header.
 
+The exporter can be started in TLS mode (HTTPS, mutually exclusive with the HTTP mode) by providing the X.509 certificate and key files in the command parameters. Self-signed certificates are also accepted.
+
 ### Usage
 
 ```shell
 
-usage: pure-fb-om-exporter [-h|--help] [-a|--address "<value>"] [-p|--port <integer>] [-d|--debug] [-t|--tokens <file>]
+usage: pure-fb-om-exporter [-h|--help] [-a|--address "<value>"] [-p|--port <integer>] [-d|--debug] [-t|--tokens <file>] [-k|--key <file>] [-c|--cert <file>]
 
                            Pure Storage FB OpenMetrics exporter
 
 Arguments:
 
   -h  --help     Print help information
   -a  --address  IP address for this exporter to bind to. Default: 0.0.0.0
-  -p  --port     Port for this exporter to listen. Default: 9490
+  -p  --port     Port for this exporter to listen. Default: 9491
   -d  --debug    Enable debug. Default: false
   -t  --tokens   API token(s) map file
+  -c  --cert     SSL/TLS certificate file. Required only for TLS
+  -k  --key      SSL/TLS private key file. Required only for TLS
 ```
 
 The array token configuration file must have to following syntax:

build/docker/Dockerfile

@@ -1,5 +1,5 @@
 FROM golang:alpine as build
-ARG VERSION=1.0.6
+ARG VERSION=1.0.7
 
 WORKDIR /usr/src/app
 
@@ -13,7 +13,13 @@ RUN CGO_ENABLED=1 go build -a -tags 'netgo osusergo static_build' -ldflags="-X m
 
 # alpine is used here as it seems to be the minimal image that passes quay.io vulnerability scan
 FROM alpine
+# update ssl packages for CVEs
+RUN apk update && apk upgrade --no-cache libcrypto3 libssl3
 COPY --from=build  /usr/local/bin/pure-fb-om-exporter /pure-fb-om-exporter
+
+# create an empty tokens file for use with volumes if required. You can use a mounted volume to /etc/pure-fb-om-exporter/ to pass the `tokens.yaml` file. File must be named `tokens.yaml`.
+RUN mkdir /etc/pure-fb-om-exporter && touch /etc/pure-fb-om-exporter/tokens.yaml
+
 EXPOSE 9491
 ENTRYPOINT ["/pure-fb-om-exporter"]
-CMD ["--address", "0.0.0.0", "--port", "9491"]
+CMD ["--address", "0.0.0.0", "--port", "9491", "--tokens", "/etc/pure-fb-om-exporter/tokens.yaml"]

cmd/fb-om-exporter/main.go

@@ -12,57 +12,77 @@ import (
 	client "purestorage/fb-openmetrics-exporter/internal/rest-client"
 	"strings"
 
-        "github.com/akamensky/argparse"
+	"github.com/akamensky/argparse"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
-        "gopkg.in/yaml.v3"
+	"gopkg.in/yaml.v3"
 )
 
 var version string = "development"
 var debug bool = false
 var arraytokens config.FlashBladeList
 
-func FileExists(args []string) error {
-        _, err := os.Stat(args[0])
-        return err
+func fileExists(args []string) error {
+	_, err := os.Stat(args[0])
+	return err
+}
+
+func isFile(filename string) bool {
+	info, err := os.Stat(filename)
+	if os.IsNotExist(err) {
+		return false
+	}
+	return !info.IsDir()
 }
 
 func main() {
 
-        parser := argparse.NewParser("pure-fb-om-exporter", "Pure Storage FB OpenMetrics exporter")
-        host := parser.String("a", "address", &argparse.Options{Required: false, Help: "IP address for this exporter to bind to", Default: "0.0.0.0"})
-        port := parser.Int("p", "port", &argparse.Options{Required: false, Help: "Port for this exporter to listen", Default: 9491})
-        d := parser.Flag("d", "debug", &argparse.Options{Required: false, Help: "Enable debug", Default: false})
-        at := parser.File("t", "tokens", os.O_RDONLY, 0600, &argparse.Options{Required: false, Validate: FileExists, Help: "API token(s) map file"})
-        err := parser.Parse(os.Args)
-        if err != nil {
-                log.Fatalf("Error in token file: %v", err)
-        }
-        if !isNilFile(*at) {
-                defer at.Close()
-                buf := make([]byte, 1024)
-                arrlist := ""
-                for {
-                        n, err := at.Read(buf)
-                        if err == io.EOF {
-                                break
-                        }
-                        if err != nil {
-                                log.Fatalf("Reading token file: %v", err)
-                       }
-                        if n > 0 {
-                                arrlist = arrlist + string(buf[:n])
-                        }
-                }
-                buf = []byte(arrlist)
-                err := yaml.Unmarshal(buf, &arraytokens)
-                if err != nil {
-                        log.Fatalf("Unmarshalling token file: %v", err)
-                }
-        }
-        debug = *d
-        addr := fmt.Sprintf("%s:%d", *host, *port)
-        log.Printf("Start Pure FlashBlade exporter %s on %s", version, addr)
+	parser := argparse.NewParser("pure-fb-om-exporter", "Pure Storage FB OpenMetrics exporter")
+	host := parser.String("a", "address", &argparse.Options{Required: false, Help: "IP address for this exporter to bind to", Default: "0.0.0.0"})
+	port := parser.Int("p", "port", &argparse.Options{Required: false, Help: "Port for this exporter to listen", Default: 9491})
+	d := parser.Flag("d", "debug", &argparse.Options{Required: false, Help: "Enable debug", Default: false})
+	at := parser.File("t", "tokens", os.O_RDONLY, 0600, &argparse.Options{Required: false, Validate: fileExists, Help: "API token(s) map file"})
+	cert := parser.String("c", "cert", &argparse.Options{Required: false, Help: "SSL/TLS certificate file. Required only for TLS"})
+	key := parser.String("k", "key", &argparse.Options{Required: false, Help: "SSL/TLS private key file. Required only for TLS"})
+	err := parser.Parse(os.Args)
+	if err != nil {
+		log.Fatalf("Error in token file: %v", err)
+	}
+	if !isNilFile(*at) {
+		defer at.Close()
+		buf := make([]byte, 1024)
+		arrlist := ""
+		for {
+			n, err := at.Read(buf)
+			if err == io.EOF {
+				break
+			}
+			if err != nil {
+				log.Fatalf("Reading token file: %v", err)
+			}
+			if n > 0 {
+				arrlist = arrlist + string(buf[:n])
+			}
+		}
+		buf = []byte(arrlist)
+		err := yaml.Unmarshal(buf, &arraytokens)
+		if err != nil {
+			log.Fatalf("Unmarshalling token file: %v", err)
+		}
+	}
+	if (len(*cert) > 0 && len(*key) == 0) || (len(*cert) == 0 && len(*key) > 0) {
+		log.Fatal("Both certificate and key must be specified to enable TLS")
+	}
+	if len(*cert) > 0 && len(*key) > 0 {
+		if !isFile(*cert) {
+			log.Fatal("TLS cert file not found")
+		} else if !isFile(*key) {
+			log.Fatal("TLS key file not found")
+		}
+	}
+	debug = *d
+	addr := fmt.Sprintf("%s:%d", *host, *port)
+	log.Printf("Start Pure FlashBlade exporter %s on %s", version, addr)
 
 	http.HandleFunc("/", index)
 	http.HandleFunc("/metrics/array", func(w http.ResponseWriter, r *http.Request) {
@@ -80,7 +100,11 @@ func main() {
 	http.HandleFunc("/metrics", func(w http.ResponseWriter, r *http.Request) {
 		metricsHandler(w, r)
 	})
-	log.Fatal(http.ListenAndServe(addr, nil))
+	if isFile(*cert) && isFile(*key) {
+		log.Fatal(http.ListenAndServeTLS(addr, *cert, *key, nil))
+	} else {
+		log.Fatal(http.ListenAndServe(addr, nil))
+	}
 }
 
 func metricsHandler(w http.ResponseWriter, r *http.Request) {
@@ -112,8 +136,8 @@ func metricsHandler(w http.ResponseWriter, r *http.Request) {
 	authHeader := r.Header.Get("Authorization")
 	authFields := strings.Fields(authHeader)
 	address, apitoken := arraytokens.GetArrayParams(endpoint)
-        if len(authFields) == 2 && strings.ToLower(authFields[0]) == "bearer" {
-                apitoken = authFields[1]
+	if len(authFields) == 2 && strings.ToLower(authFields[0]) == "bearer" {
+		apitoken = authFields[1]
 		address = endpoint
 	}
 	if apitoken == "" {
@@ -187,6 +211,6 @@ func index(w http.ResponseWriter, r *http.Request) {
 }
 
 func isNilFile(f os.File) bool {
-        var tf os.File
-        return f == tf
+	var tf os.File
+	return f == tf
 }

examples/config/k8s/pure-fb-exporter-deployment.yaml

@@ -24,7 +24,7 @@ spec:
       - name: pure-fb-om-exporter
         image: quay.io/purestorage/pure-fb-om-exporter
         args:
-          - '--host=0.0.0.0'
+          - '--address=0.0.0.0'
           - '--port=9491'
         ports:
         - name: web

go.mod

@@ -4,22 +4,21 @@ go 1.20
 
 require (
 	github.com/akamensky/argparse v1.4.0
-	github.com/go-resty/resty/v2 v2.7.0
-	github.com/google/go-cmp v0.5.9
-	github.com/prometheus/client_golang v1.16.0
-	github.com/prometheus/client_model v0.4.0
+	github.com/go-resty/resty/v2 v2.10.0
+	github.com/google/go-cmp v0.6.0
+	github.com/prometheus/client_golang v1.17.0
+	github.com/prometheus/client_model v0.5.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/kr/text v0.2.0 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
-	github.com/prometheus/common v0.44.0 // indirect
-	github.com/prometheus/procfs v0.11.1 // indirect
-	golang.org/x/net v0.14.0 // indirect
-	golang.org/x/sys v0.11.0 // indirect
+	github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
+	github.com/prometheus/common v0.45.0 // indirect
+	github.com/prometheus/procfs v0.12.0 // indirect
+	golang.org/x/net v0.18.0 // indirect
+	golang.org/x/sys v0.14.0 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
 )