Add SSL config options to redis integration (DataDog#835)

* Add SSL config options to redis integration

* fix trailing comma lint error

* fix ssl_cert_reqs to use only int

* fix ssl_cert_reqs template

* revert fixtures change

Author: fanny-jiang

manifests/integrations/redis.pp

@@ -11,6 +11,20 @@
 #       The main redis port.
 #   $ports
 #       Array of redis ports: overrides port (optional)
+#   $ssl
+#       Enable SSL/TLS encryption for the check (optional)
+#   $ssl_keyfile
+#       The path to the client-side private keyfile (optional)
+#   $ssl_certfile
+#       The path to the client-side certificate file (optional)
+#   $ssl_ca_certs
+#       The path to the ca_certs file (optional)
+#   $ssl_cert_reqs
+#       Specifies whether a certificate is required from the
+#       other side of the connection, and whether it's validated if provided (optional)
+#         * 0 for ssl.CERT_NONE (certificates ignored)
+#         * 1 for ssl.CERT_OPTIONAL (not required, but validated if provided)
+#         * 2 for ssl.CERT_REQUIRED (required and validated)
 #   $slowlog_max_len
 #       The max length of the slow-query log (optional)
 #   $tags
@@ -45,6 +59,11 @@
   String $password                          = '',
   Variant[String, Integer] $port            = '6379',
   Optional[Array] $ports                    = undef,
+  Boolean $ssl                              = false,
+  String $ssl_keyfile                       = '',
+  String $ssl_certfile                      = '',
+  String $ssl_ca_certs                      = '',
+  Optional[Integer] $ssl_cert_reqs          = undef,
   Variant[String, Integer] $slowlog_max_len = '',
   Array $tags                               = [],
   Array $keys                               = [],
@@ -66,6 +85,11 @@
       'host'                 => $host,
       'password'             => $password,
       'port'                 => $instance_port,
+      'ssl'                  => $ssl,
+      'ssl_keyfile'          => $ssl_keyfile,
+      'ssl_certfile'         => $ssl_certfile,
+      'ssl_ca_certs'         => $ssl_ca_certs,
+      'ssl_cert_reqs'        => $ssl_cert_reqs,
       'slowlog_max_len'      => $slowlog_max_len,
       'tags'                 => $tags,
       'keys'                 => $keys,

spec/classes/datadog_agent_integrations_redis_spec.rb

@@ -117,13 +117,23 @@
                 'port'     => 2379,
                 'tags'     => ['foo', 'bar'],
                 'keys'     => ['baz', 'bat'],
+                'ssl' => true,
+                'ssl_keyfile' => '/etc/pki/tls/certs/localhost.crt',
+                'ssl_certfile' => '/path/to/cert.pem',
+                'ssl_ca_certs' => '/path/to/ca_certs',
+                'ssl_cert_reqs' => 0,
               },
               {
                 'host'     => 'redis1',
                 'password' => 'hunter2',
                 'port'     => 2380,
                 'tags'     => ['foo', 'bar'],
                 'keys'     => ['baz', 'bat'],
+                'ssl' => true,
+                'ssl_keyfile' => '/etc/pki/tls/certs/localhost.crt',
+                'ssl_certfile' => '/path/to/other/cert.pem',
+                'ssl_ca_certs' => '/path/to/other/ca_certs',
+                'ssl_cert_reqs' => 1,
               },
             ],
           }
@@ -138,6 +148,14 @@
         it { is_expected.to contain_file(conf_file).without_content(%r{^[^#]*slowlog-max-len: 5309}) }
         it { is_expected.to contain_file(conf_file).without_content(%r{warn_on_missing_keys: false}) }
         it { is_expected.to contain_file(conf_file).without_content(%r{command_stats: true}) }
+        it { is_expected.to contain_file(conf_file).with_content(%r{ssl: true}) }
+        it { is_expected.to contain_file(conf_file).with_content(%r{ssl_keyfile: /etc/pki/tls/certs/localhost.crt}) }
+        it { is_expected.to contain_file(conf_file).with_content(%r{ssl_certfile: /path/to/cert.pem}) }
+        it { is_expected.to contain_file(conf_file).with_content(%r{ssl_certfile: /path/to/other/cert.pem}) }
+        it { is_expected.to contain_file(conf_file).with_content(%r{ssl_ca_certs: /path/to/ca_certs}) }
+        it { is_expected.to contain_file(conf_file).with_content(%r{ssl_ca_certs: /path/to/other/ca_certs}) }
+        it { is_expected.to contain_file(conf_file).with_content(%r{ssl_cert_reqs: 0}) }
+        it { is_expected.to contain_file(conf_file).with_content(%r{ssl_cert_reqs: 1}) }
       end
 
       context 'with only keys' do
@@ -181,6 +199,35 @@
         it { is_expected.to contain_file(conf_file).with_content(%r{port: 2379}) }
         it { is_expected.to contain_file(conf_file).with_content(%r{tags:.*\s+- baz\s+- bat}) }
       end
+
+      context 'with ssl configs' do
+        let(:params) do
+          {
+            instances: [
+              {
+                'host' => 'redis1',
+                'password' => 'hunter2',
+                'port' => 2379,
+                'ssl' => true,
+                'ssl_keyfile' => '/etc/pki/tls/certs/localhost.crt',
+                'ssl_certfile' => '/path/to/cert.pem',
+                'ssl_ca_certs' => '/path/to/ca_certs',
+                'ssl_cert_reqs' => 0,
+              },
+            ],
+          }
+        end
+
+        it { is_expected.to contain_file(conf_file).with_content(%r{host: redis1}) }
+        it { is_expected.to contain_file(conf_file).with_content(%r{^[^#]*password: hunter2}) }
+        it { is_expected.to contain_file(conf_file).with_content(%r{port: 2379}) }
+
+        it { is_expected.to contain_file(conf_file).with_content(%r{ssl: true}) }
+        it { is_expected.to contain_file(conf_file).with_content(%r{ssl_keyfile: /etc/pki/tls/certs/localhost.crt}) }
+        it { is_expected.to contain_file(conf_file).with_content(%r{ssl_certfile: /path/to/cert.pem}) }
+        it { is_expected.to contain_file(conf_file).with_content(%r{ssl_ca_certs: /path/to/ca_certs}) }
+        it { is_expected.to contain_file(conf_file).with_content(%r{ssl_cert_reqs: 0}) }
+      end
     end
   end
 end

templates/agent-conf.d/redisdb.yaml.erb

@@ -9,6 +9,21 @@ instances:
 <% if instance['password']  and ! instance['password'].empty? -%>
     password: <%= instance['password'] %>
 <% end -%>
+<% if instance['ssl']  and ! instance['ssl'].nil? -%>
+    ssl: <%= instance['ssl'] %>
+<% end -%>
+<% if instance['ssl_keyfile']  and ! instance['ssl_keyfile'].empty? -%>
+    ssl_keyfile: <%= instance['ssl_keyfile'] %>
+<% end -%>
+<% if instance['ssl_certfile']  and ! instance['ssl_certfile'].empty? -%>
+    ssl_certfile: <%= instance['ssl_certfile'] %>
+<% end -%>
+<% if instance['ssl_ca_certs']  and ! instance['ssl_ca_certs'].empty? -%>
+    ssl_ca_certs: <%= instance['ssl_ca_certs'] %>
+<% end -%>
+<% if instance['ssl_cert_reqs']  and ! instance['ssl_cert_reqs'].nil? -%>
+    ssl_cert_reqs: <%= instance['ssl_cert_reqs'] %>
+<% end -%>
 <% if instance['slowlog_max_len'] and ! instance['slowlog_max_len'].to_s.empty? -%>
     # unix_socket_path: /var/run/redis/redis.sock # optional, can be used in lieu of host/port
     slowlog-max-len: <%= instance['slowlog_max_len'] %>