Add support for new SSL configuration to mongodb (#2522)

danielnelson · web-flow · commit 7a5d8578467a · 2017-03-10T11:27:55.000-08:00
closes #2519
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -57,6 +57,7 @@ be deprecated eventually.
 - [#2071](https://github.com/influxdata/telegraf/issues/2071): Use official docker SDK.
 - [#1678](https://github.com/influxdata/telegraf/pull/1678): Add AMQP consumer input plugin
 - [#2501](https://github.com/influxdata/telegraf/pull/2501): Support DEAD(X) state in system input plugin.
+- [#2522](https://github.com/influxdata/telegraf/pull/2522): Add support for mongodb client certificates.
 
 ### Bugfixes
 
diff --git a/plugins/inputs/mongodb/README.md b/plugins/inputs/mongodb/README.md
@@ -11,9 +11,16 @@
   ##   10.0.0.1:10000, etc.
   servers = ["127.0.0.1:27017"]
   gather_perdb_stats = false
+
+  ## Optional SSL Config
+  # ssl_ca = "/etc/telegraf/ca.pem"
+  # ssl_cert = "/etc/telegraf/cert.pem"
+  # ssl_key = "/etc/telegraf/key.pem"
+  ## Use SSL but skip chain & host verification
+  # insecure_skip_verify = false
 ```
 
-For authenticated mongodb istances use connection mongdb connection URI
+For authenticated mongodb instances use `mongodb://` connection URI
 
 ```toml
 [[inputs.mongodb]]
diff --git a/plugins/inputs/mongodb/mongodb.go b/plugins/inputs/mongodb/mongodb.go
@@ -10,6 +10,7 @@ import (
 	"time"
 
 	"github.com/influxdata/telegraf"
+	"github.com/influxdata/telegraf/internal"
 	"github.com/influxdata/telegraf/internal/errchan"
 	"github.com/influxdata/telegraf/plugins/inputs"
 	"gopkg.in/mgo.v2"
@@ -20,6 +21,15 @@ type MongoDB struct {
 	Ssl              Ssl
 	mongos           map[string]*Server
 	GatherPerdbStats bool
+
+	// Path to CA file
+	SSLCA string `toml:"ssl_ca"`
+	// Path to host cert file
+	SSLCert string `toml:"ssl_cert"`
+	// Path to cert key file
+	SSLKey string `toml:"ssl_key"`
+	// Use SSL but skip chain & host verification
+	InsecureSkipVerify bool
 }
 
 type Ssl struct {
@@ -35,6 +45,13 @@ var sampleConfig = `
   ##   10.0.0.1:10000, etc.
   servers = ["127.0.0.1:27017"]
   gather_perdb_stats = false
+
+  ## Optional SSL Config
+  # ssl_ca = "/etc/telegraf/ca.pem"
+  # ssl_cert = "/etc/telegraf/cert.pem"
+  # ssl_key = "/etc/telegraf/key.pem"
+  ## Use SSL but skip chain & host verification
+  # insecure_skip_verify = false
 `
 
 func (m *MongoDB) SampleConfig() string {
@@ -105,8 +122,11 @@ func (m *MongoDB) gatherServer(server *Server, acc telegraf.Accumulator) error {
 		dialInfo.Direct = true
 		dialInfo.Timeout = 5 * time.Second
 
+		var tlsConfig *tls.Config
+
 		if m.Ssl.Enabled {
-			tlsConfig := &tls.Config{}
+			// Deprecated SSL config
+			tlsConfig = &tls.Config{}
 			if len(m.Ssl.CaCerts) > 0 {
 				roots := x509.NewCertPool()
 				for _, caCert := range m.Ssl.CaCerts {
@@ -119,6 +139,13 @@ func (m *MongoDB) gatherServer(server *Server, acc telegraf.Accumulator) error {
 			} else {
 				tlsConfig.InsecureSkipVerify = true
 			}
+		} else {
+			tlsConfig, err = internal.GetTLSConfig(
+				m.SSLCert, m.SSLKey, m.SSLCA, m.InsecureSkipVerify)
+		}
+
+		// If configured to use TLS, add a dial function
+		if tlsConfig != nil {
 			dialInfo.DialServer = func(addr *mgo.ServerAddr) (net.Conn, error) {
 				conn, err := tls.Dial("tcp", addr.String(), tlsConfig)
 				if err != nil {
