diff --git a/manifests/integrations/redis.pp b/manifests/integrations/redis.pp
index b3c27760..47eab4cb 100644
--- a/manifests/integrations/redis.pp
+++ b/manifests/integrations/redis.pp
@@ -11,6 +11,20 @@
 # The main redis port.
 # $ports
 # Array of redis ports: overrides port (optional)
+# $ssl
+# Enable SSL/TLS encryption for the check (optional)
+# $ssl_keyfile
+# The path to the client-side private keyfile (optional)
+# $ssl_certfile
+# The path to the client-side certificate file (optional)
+# $ssl_ca_certs
+# The path to the ca_certs file (optional)
+# $ssl_cert_reqs
+# Specifies whether a certificate is required from the
+# other side of the connection, and whether it's validated if provided (optional)
+# * 0 for ssl.CERT_NONE (certificates ignored)
+# * 1 for ssl.CERT_OPTIONAL (not required, but validated if provided)
+# * 2 for ssl.CERT_REQUIRED (required and validated)
 # $slowlog_max_len
 # The max length of the slow-query log (optional)
 # $tags
@@ -45,6 +59,11 @@
 String $password = '',
 Variant[String, Integer] $port = '6379',
 Optional[Array] $ports = undef,
+ Boolean $ssl = false,
+ String $ssl_keyfile = '',
+ String $ssl_certfile = '',
+ String $ssl_ca_certs = '',
+ Optional[Integer] $ssl_cert_reqs = undef,
 Variant[String, Integer] $slowlog_max_len = '',
 Array $tags = [],
 Array $keys = [],
@@ -66,6 +85,11 @@
 'host' => $host,
 'password' => $password,
 'port' => $instance_port,
+ 'ssl' => $ssl,
+ 'ssl_keyfile' => $ssl_keyfile,
+ 'ssl_certfile' => $ssl_certfile,
+ 'ssl_ca_certs' => $ssl_ca_certs,
+ 'ssl_cert_reqs' => $ssl_cert_reqs,
 'slowlog_max_len' => $slowlog_max_len,
 'tags' => $tags,
 'keys' => $keys,
diff --git a/spec/classes/datadog_agent_integrations_redis_spec.rb b/spec/classes/datadog_agent_integrations_redis_spec.rb
index 5aee1af4..8f710846 100644
--- a/spec/classes/datadog_agent_integrations_redis_spec.rb
+++ b/spec/classes/datadog_agent_integrations_redis_spec.rb
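Review bot: `Optional[Integer] $ssl_cert_reqs` in the parameter hunk (`@@ -45,6 +59,11 @@`) accepts any integer, although the header comment added in the first hunk documents only 0, 1 and 2; I would bound the type, `Optional[Integer[0, 2]] $ssl_cert_reqs = undef,`, so a typo fails at catalog compilation instead of reaching the agent config. The comment for value 0 would also be clearer if it said that the server certificate is not verified at all, which leaves the Redis password travelling over a connection whose peer is unauthenticated. The class body runs outside these hunks and the spec passes `instances` hashes directly, so this bound presumably covers only the top-level parameters; per-instance values may need their own check.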
@@ -117,6 +117,11 @@
 'port' => 2379,
 'tags' => ['foo', 'bar'],
 'keys' => ['baz', 'bat'],
+ 'ssl' => true,
+ 'ssl_keyfile' => '/etc/pki/tls/certs/localhost.crt',
+ 'ssl_certfile' => '/path/to/cert.pem',
+ 'ssl_ca_certs' => '/path/to/ca_certs',
+ 'ssl_cert_reqs' => 0,
 },
 {
 'host' => 'redis1',
@@ -124,6 +129,11 @@
 'port' => 2380,
 'tags' => ['foo', 'bar'],
 'keys' => ['baz', 'bat'],
+ 'ssl' => true,
+ 'ssl_keyfile' => '/etc/pki/tls/certs/localhost.crt',
+ 'ssl_certfile' => '/path/to/other/cert.pem',
+ 'ssl_ca_certs' => '/path/to/other/ca_certs',
+ 'ssl_cert_reqs' => 1,
 },
 ],
 }
@@ -138,6 +148,14 @@
 it { is_expected.to contain_file(conf_file).without_content(%r{^[^#]*slowlog-max-len: 5309}) }
 it { is_expected.to contain_file(conf_file).without_content(%r{warn_on_missing_keys: false}) }
 it { is_expected.to contain_file(conf_file).without_content(%r{command_stats: true}) }
+ it { is_expected.to contain_file(conf_file).with_content(%r{ssl: true}) }
+ it { is_expected.to contain_file(conf_file).with_content(%r{ssl_keyfile: /etc/pki/tls/certs/localhost.crt}) }
+ it { is_expected.to contain_file(conf_file).with_content(%r{ssl_certfile: /path/to/cert.pem}) }
+ it { is_expected.to contain_file(conf_file).with_content(%r{ssl_certfile: /path/to/other/cert.pem}) }
+ it { is_expected.to contain_file(conf_file).with_content(%r{ssl_ca_certs: /path/to/ca_certs}) }
+ it { is_expected.to contain_file(conf_file).with_content(%r{ssl_ca_certs: /path/to/other/ca_certs}) }
+ it { is_expected.to contain_file(conf_file).with_content(%r{ssl_cert_reqs: 0}) }
+ it { is_expected.to contain_file(conf_file).with_content(%r{ssl_cert_reqs: 1}) }
 end
 context 'with only keys' do
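Review bot: The fixtures in this hunk and the next (`@@ -124,6 +129,11 @@`) set `'ssl_keyfile' => '/etc/pki/tls/certs/localhost.crt'`, a certificate path standing in for the private key, and the new `with ssl configs` context later in the file repeats it. A key-looking placeholder such as `'/path/to/key.pem'` (constructed example) would keep readers from copying a certificate path into the key setting. Every case also uses `ssl_cert_reqs` 0 or 1, so the documented value 2 (required and validated) is never rendered in a test. I would add one instance with `'ssl_cert_reqs' => 2` and, in a context that sets no ssl keys, an assertion along the lines of `without_content(%r{^\s*ssl})` to pin that nothing TLS-related is written by default.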
@@ -181,6 +199,35 @@
 it { is_expected.to contain_file(conf_file).with_content(%r{port: 2379}) }
 it { is_expected.to contain_file(conf_file).with_content(%r{tags:.*\s+- baz\s+- bat}) }
 end
+
+ context 'with ssl configs' do
+ let(:params) do
+ {
+ instances: [
+ {
+ 'host' => 'redis1',
+ 'password' => 'hunter2',
+ 'port' => 2379,
+ 'ssl' => true,
+ 'ssl_keyfile' => '/etc/pki/tls/certs/localhost.crt',
+ 'ssl_certfile' => '/path/to/cert.pem',
+ 'ssl_ca_certs' => '/path/to/ca_certs',
+ 'ssl_cert_reqs' => 0,
+ },
+ ],
+ }
+ end
+
+ it { is_expected.to contain_file(conf_file).with_content(%r{host: redis1}) }
+ it { is_expected.to contain_file(conf_file).with_content(%r{^[^#]*password: hunter2}) }
+ it { is_expected.to contain_file(conf_file).with_content(%r{port: 2379}) }
+
+ it { is_expected.to contain_file(conf_file).with_content(%r{ssl: true}) }
+ it { is_expected.to contain_file(conf_file).with_content(%r{ssl_keyfile: /etc/pki/tls/certs/localhost.crt}) }
+ it { is_expected.to contain_file(conf_file).with_content(%r{ssl_certfile: /path/to/cert.pem}) }
+ it { is_expected.to contain_file(conf_file).with_content(%r{ssl_ca_certs: /path/to/ca_certs}) }
+ it { is_expected.to contain_file(conf_file).with_content(%r{ssl_cert_reqs: 0}) }
+ end
 end
 end
 end
diff --git a/templates/agent-conf.d/redisdb.yaml.erb b/templates/agent-conf.d/redisdb.yaml.erb
index 64d4d0c7..78628298 100644
--- a/templates/agent-conf.d/redisdb.yaml.erb
+++ b/templates/agent-conf.d/redisdb.yaml.erb
@@ -9,6 +9,21 @@ instances:
 <% if instance['password'] and ! instance['password'].empty? -%>
 password: <%= instance['password'] %>
 <% end -%>
+<% if instance['ssl'] and ! instance['ssl'].nil? -%>
+ ssl: <%= instance['ssl'] %>
+<% end -%>
+<% if instance['ssl_keyfile'] and ! instance['ssl_keyfile'].empty? -%>
+ ssl_keyfile: <%= instance['ssl_keyfile'] %>
+<% end -%>
+<% if instance['ssl_certfile'] and ! instance['ssl_certfile'].empty? -%>
+ ssl_certfile: <%= instance['ssl_certfile'] %>
+<% end -%>
+<% if instance['ssl_ca_certs'] and ! instance['ssl_ca_certs'].empty? -%>
+ ssl_ca_certs: <%= instance['ssl_ca_certs'] %>
+<% end -%>
+<% if instance['ssl_cert_reqs'] and ! instance['ssl_cert_reqs'].nil? -%>
+ ssl_cert_reqs: <%= instance['ssl_cert_reqs'] %>
+<% end -%>
 <% if instance['slowlog_max_len'] and ! instance['slowlog_max_len'].to_s.empty? -%>
 # unix_socket_path: /var/run/redis/redis.sock # optional, can be used in lieu of host/port
 slowlog-max-len: <%= instance['slowlog_max_len'] %>
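Review bot: The guard `instance['ssl_cert_reqs'] and ! instance['ssl_cert_reqs'].nil?` renders `ssl_cert_reqs: 0` only because Ruby treats 0 as truthy, and its `.nil?` half can never change the result once the first operand is truthy; the same holds for the `ssl` guard. `<% unless instance['ssl_cert_reqs'].nil? -%>` and `<% if instance['ssl'] -%>` say the same thing directly, and a template comment on the first would record that 0 (peer verification off) is passed through on purpose. The path values are written unquoted, like the existing `password` line, so a value containing `: ` or ` #` would change the resulting YAML; quoting them is worth considering. The enclosing instances loop starts and ends outside the hunk.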