GitHub Repository: aos/grafana-agent
Path: blob/main/pkg/metrics/cluster/validation.go
package cluster
import (
"fmt"
"github.com/grafana/agent/pkg/metrics/instance"
"github.com/grafana/loki/clients/pkg/promtail/discovery/consulagent"
"github.com/prometheus/common/config"
"github.com/prometheus/prometheus/discovery"
"github.com/prometheus/prometheus/discovery/aws"
"github.com/prometheus/prometheus/discovery/azure"
"github.com/prometheus/prometheus/discovery/consul"
"github.com/prometheus/prometheus/discovery/digitalocean"
"github.com/prometheus/prometheus/discovery/dns"
"github.com/prometheus/prometheus/discovery/eureka"
"github.com/prometheus/prometheus/discovery/file"
"github.com/prometheus/prometheus/discovery/gce"
"github.com/prometheus/prometheus/discovery/hetzner"
"github.com/prometheus/prometheus/discovery/http"
"github.com/prometheus/prometheus/discovery/kubernetes"
"github.com/prometheus/prometheus/discovery/linode"
"github.com/prometheus/prometheus/discovery/marathon"
"github.com/prometheus/prometheus/discovery/moby"
"github.com/prometheus/prometheus/discovery/openstack"
"github.com/prometheus/prometheus/discovery/scaleway"
"github.com/prometheus/prometheus/discovery/triton"
"github.com/prometheus/prometheus/discovery/zookeeper"
)
// validateNofiles walks an instance config and returns an error as soon as it
// finds a setting that points at a file on disk. It checks, in order, the HTTP
// client config of every remote_write entry, then for each scrape config its
// HTTP client config followed by each of its service discovery configs.
//
// The returned error names the offending section and its index and wraps the
// underlying validation error. The wrapped messages refer to the
// dangerous_allow_reading_files option, so this check is presumably skipped
// by the caller when that option is enabled — confirm at the call site.
func validateNofiles(c *instance.Config) error {
	for rwIdx := range c.RemoteWrite {
		remote := c.RemoteWrite[rwIdx]
		err := validateHTTPNoFiles(&remote.HTTPClientConfig)
		if err != nil {
			return fmt.Errorf("failed to validate remote_write at index %d: %w", rwIdx, err)
		}
	}

	for scIdx := range c.ScrapeConfigs {
		scrape := c.ScrapeConfigs[scIdx]

		// The scrape job's own HTTP client settings are checked before any of
		// its discovery mechanisms.
		err := validateHTTPNoFiles(&scrape.HTTPClientConfig)
		if err != nil {
			return fmt.Errorf("failed to validate scrape_config at index %d: %w", scIdx, err)
		}

		for sdIdx, sd := range scrape.ServiceDiscoveryConfigs {
			err := validateDiscoveryNoFiles(sd)
			if err != nil {
				return fmt.Errorf("failed to validate service discovery at index %d within scrape_config at index %d: %w", sdIdx, scIdx, err)
			}
		}
	}

	return nil
}
// validateHTTPNoFiles returns an error if cfg references a file through any of
// the fields it knows about: bearer_token_file, basic auth password_file,
// authorization credentials_file, or the TLS ca_file, cert_file and key_file.
// Fields are examined in that order and the first non-empty one is reported.
//
// NOTE(review): this is an explicit allow-nothing list of six fields. Any
// other file-path field that the vendored config.HTTPClientConfig carries
// (for example under an OAuth2 block, if the pinned prometheus/common version
// has one) is not inspected here. Re-audit this list whenever that dependency
// is upgraded.
func validateHTTPNoFiles(cfg *config.HTTPClientConfig) error {
	// BasicAuth and Authorization are optional pointers; an absent block
	// contributes an empty path.
	var passwordFile, credentialsFile string
	if cfg.BasicAuth != nil {
		passwordFile = cfg.BasicAuth.PasswordFile
	}
	if cfg.Authorization != nil {
		credentialsFile = cfg.Authorization.CredentialsFile
	}

	fileFields := []struct {
		name string
		path string
	}{
		{"bearer_token_file", cfg.BearerTokenFile},
		{"password_file", passwordFile},
		{"credentials_file", credentialsFile},
		{"ca_file", cfg.TLSConfig.CAFile},
		{"cert_file", cfg.TLSConfig.CertFile},
		{"key_file", cfg.TLSConfig.KeyFile},
	}

	for _, field := range fileFields {
		if field.path == "" {
			continue
		}
		return fmt.Errorf("%s must be empty unless dangerous_allow_reading_files is set", field.name)
	}
	return nil
}
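// validateDiscoveryNoFiles returns an error if a service discovery config
// references a file for credentials or TLS material, or if its concrete type
// is not one this function recognises.
//
// Recognised types fall into three groups:
//   - types accepted without inspection (static, azure, dns, EC2, file, gce,
//     zookeeper nerve/serverset);
//   - types whose HTTP client config (or bare TLS config, where that is all
//     the type exposes) is passed to validateHTTPNoFiles;
//   - marathon, which additionally has its auth_token_file checked.
//
// Unknown types are rejected rather than allowed, so a newly vendored SD
// mechanism cannot bypass the check silently.
//
// The consul case validates the whole d.HTTPClientConfig. It previously copied
// only the TLS section into a fresh config, which left consul's
// bearer_token_file, password_file and credentials_file unchecked even though
// the same fields are rejected for every other HTTP-based SD type here.
//
// NOTE(review): the accepted-without-inspection list asserts that those SD
// types carry no file-path fields that matter; that has to be re-verified when
// the Prometheus dependency changes. file.SDConfig is in that list although
// file-based discovery reads target files by design — confirm that this is
// intended under the no-files policy. Likewise, SD types that reach
// validateHTTPNoFiles may have extra file fields of their own (as marathon
// does) that need a dedicated check.
func validateDiscoveryNoFiles(disc discovery.Config) error {
	// httpCfg is set by every case that only needs the generic HTTP client
	// file checks; it is validated once after the switch.
	var httpCfg *config.HTTPClientConfig

	switch d := disc.(type) {
	case discovery.StaticConfig,
		*azure.SDConfig,
		*dns.SDConfig,
		*aws.EC2SDConfig,
		*file.SDConfig,
		*gce.SDConfig,
		*zookeeper.NerveSDConfig,
		*zookeeper.ServersetSDConfig:
		// Accepted without inspection.
		return nil

	case *consul.SDConfig:
		// Validate the full client config, not just its TLS section.
		httpCfg = &d.HTTPClientConfig
	case *digitalocean.SDConfig:
		httpCfg = &d.HTTPClientConfig
	case *moby.DockerSwarmSDConfig:
		httpCfg = &d.HTTPClientConfig
	case *eureka.SDConfig:
		httpCfg = &d.HTTPClientConfig
	case *hetzner.SDConfig:
		httpCfg = &d.HTTPClientConfig
	case *kubernetes.SDConfig:
		httpCfg = &d.HTTPClientConfig
	case *scaleway.SDConfig:
		httpCfg = &d.HTTPClientConfig
	case *http.SDConfig:
		httpCfg = &d.HTTPClientConfig
	case *linode.SDConfig:
		httpCfg = &d.HTTPClientConfig

	// These types expose only a TLS config, so wrap it to reuse the TLS file
	// checks in validateHTTPNoFiles.
	case *consulagent.SDConfig:
		httpCfg = &config.HTTPClientConfig{TLSConfig: d.TLSConfig}
	case *openstack.SDConfig:
		httpCfg = &config.HTTPClientConfig{TLSConfig: d.TLSConfig}
	case *triton.SDConfig:
		httpCfg = &config.HTTPClientConfig{TLSConfig: d.TLSConfig}

	case *marathon.SDConfig:
		// Marathon has a file field outside its HTTP client config; the HTTP
		// checks run first so their error takes precedence.
		if err := validateHTTPNoFiles(&d.HTTPClientConfig); err != nil {
			return err
		}
		if d.AuthTokenFile != "" {
			return fmt.Errorf("auth_token_file must be empty unless dangerous_allow_reading_files is set")
		}
		return nil

	default:
		// Fail closed on anything not explicitly reviewed above.
		return fmt.Errorf("unknown service discovery %s; rejecting config for safety. set dangerous_allow_reading_files to ignore", d.Name())
	}

	return validateHTTPNoFiles(httpCfg)
}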