wire up server for static converter

Signed-off-by: erikbaranowski <[email protected]>

converter/internal/prometheusconvert/prometheusconvert_test.go

@@ -9,5 +9,5 @@ import (
 )
 
 func TestConvert(t *testing.T) {
-	test_common.TestDirectory(t, "testdata", ".yaml", prometheusconvert.Convert)
+	test_common.TestDirectory(t, "testdata", ".yaml", true, prometheusconvert.Convert)
 }

converter/internal/promtailconvert/promtailconvert_test.go

@@ -9,5 +9,5 @@ import (
 )
 
 func TestConvert(t *testing.T) {
-	test_common.TestDirectory(t, "testdata", ".yaml", promtailconvert.Convert)
+	test_common.TestDirectory(t, "testdata", ".yaml", true, promtailconvert.Convert)
 }

converter/internal/staticconvert/internal/build/builder.go

@@ -54,8 +54,9 @@ func NewIntegrationsV1ConfigBuilder(f *builder.File, diags *diag.Diagnostics, cf
 }
 
 func (b *IntegrationsV1ConfigBuilder) Build() {
-	b.appendIntegrations()
 	b.appendLogging(b.cfg.Server)
+	b.appendServer(b.cfg.Server)
+	b.appendIntegrations()
 }
 
 func (b *IntegrationsV1ConfigBuilder) appendIntegrations() {

converter/internal/staticconvert/internal/build/server.go

@@ -0,0 +1,61 @@
+package build
+
+import (
+	"reflect"
+
+	"github.com/grafana/agent/converter/internal/common"
+	"github.com/grafana/agent/pkg/server"
+	"github.com/grafana/agent/service/http"
+)
+
+func (b *IntegrationsV1ConfigBuilder) appendServer(config *server.Config) {
+	args := toServer(config)
+	if !reflect.DeepEqual(*args.TLS, http.TLSArguments{}) {
+		b.f.Body().AppendBlock(common.NewBlockWithOverride(
+			[]string{"http"},
+			"",
+			args,
+		))
+	}
+}
+
+func toServer(config *server.Config) *http.Arguments {
+	authType, err := server.GetClientAuthFromString(config.HTTP.TLSConfig.ClientAuth)
+	if err != nil {
+		panic(err)
+	}
+
+	return &http.Arguments{
+		TLS: &http.TLSArguments{
+			Cert:             "",
+			CertFile:         config.HTTP.TLSConfig.TLSCertPath,
+			Key:              "",
+			KeyFile:          config.HTTP.TLSConfig.TLSKeyPath,
+			ClientCA:         "",
+			ClientCAFile:     config.HTTP.TLSConfig.ClientCAs,
+			ClientAuth:       http.ClientAuth(authType),
+			CipherSuites:     toHTTPTLSCipher(config.HTTP.TLSConfig.CipherSuites),
+			CurvePreferences: toHTTPTLSCurve(config.HTTP.TLSConfig.CurvePreferences),
+			MinVersion:       http.TLSVersion(config.HTTP.TLSConfig.MinVersion),
+			MaxVersion:       http.TLSVersion(config.HTTP.TLSConfig.MaxVersion),
+		},
+	}
+}
+
+func toHTTPTLSCipher(cipherSuites []server.TLSCipher) []http.TLSCipher {
+	var result []http.TLSCipher
+	for _, cipcipherSuite := range cipherSuites {
+		result = append(result, http.TLSCipher(cipcipherSuite))
+	}
+
+	return result
+}
+
+func toHTTPTLSCurve(curvePreferences []server.TLSCurve) []http.TLSCurve {
+	var result []http.TLSCurve
+	for _, curvePreference := range curvePreferences {
+		result = append(result, http.TLSCurve(curvePreference))
+	}
+
+	return result
+}

converter/internal/staticconvert/staticconvert_test.go

@@ -10,9 +10,12 @@ import (
 )
 
 func TestConvert(t *testing.T) {
-	test_common.TestDirectory(t, "testdata", ".yaml", staticconvert.Convert)
+	test_common.TestDirectory(t, "testdata", ".yaml", true, staticconvert.Convert)
+
+	// This test has a race condition due to downstream code so skip loading the config
+	test_common.TestDirectory(t, "testdata-race", ".yaml", false, staticconvert.Convert)
 
 	if runtime.GOOS == "windows" {
-		test_common.TestDirectory(t, "testdata_windows", ".yaml", staticconvert.Convert)
+		test_common.TestDirectory(t, "testdata_windows", ".yaml", true, staticconvert.Convert)
 	}
 }

converter/internal/staticconvert/testdata-race/example-cert.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6jCCAdICCQCOLEZvJLYQlDANBgkqhkiG9w0BAQsFADA3MQswCQYDVQQGEwJV
+UzELMAkGA1UECAwCRkwxDDAKBgNVBAoMA09yZzENMAsGA1UEAwwEcm9vdDAeFw0y
+MjAzMDkxNjM1NTRaFw0zMjAzMDYxNjM1NTRaMDcxCzAJBgNVBAYTAlVTMQswCQYD
+VQQIDAJGTDEMMAoGA1UECgwDT3JnMQ0wCwYDVQQDDARyb290MIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx63pDVP4z4psrU6i5qOCUSjUGFkGRUekdrJ9
+FtkOEyoQSl2hpkF+QAGvM2L3+bqH8Y1CZ7yakkCncSmzpXShVg2D2nxHkwYVGhmz
+rzwHttmewokrWtw72ta6v9gxljxNLjz+HsYovKFGbudnOcK3BxseluikrOM08fEi
+SF7Y1FJkyr103K7yjtRyNH2tKHGiK73wjkLBkd6WWFIrtMbNP0McXqkipOSg9dwY
+OKfuVDzD/fCkW24j2pgHAI+4TQWC6PSIGMVZ76I5hhYd0WLi/8KaBu/gfqmDjnBn
+qqJONoAxT5kEmXWwE5jO0ZOWx88S2D9wmBNIx8HtMLh+7pVQ7QIDAQABMA0GCSqG
+SIb3DQEBCwUAA4IBAQBM85fNb+7b+3q0+uDw/fgrUkYfAVjJX+uN3ONy50qnKWe7
+SAqLC76HVHLa9hdT7OENQurCCrEtnV1Fzg0KNqtE8gW5rPrV44FZrC5YnpqrHoKp
+VZeff+Mficioif5KkaELZILgduwYXe/H9r6qg87mHU4zpFlDUnUFCfLDtrO4fc79
+BEpoUXLf5tCwRLUv/d0eeksMqUf5ES4tWfzUVLCjSEEcuX0GIgWdcyG3thCauPWC
+9a/QEXqqDC46AgsvkHCNWRoC8TSob5usTJDflodHoree6eaWx6j8ZGA/Uc0ohalJ
+XYGN7R9ge9KeqmwvYI6hr/n+WM92Jeqnz9BVWaiQ
+-----END CERTIFICATE-----

converter/internal/staticconvert/testdata-race/example-key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAx63pDVP4z4psrU6i5qOCUSjUGFkGRUekdrJ9FtkOEyoQSl2h
+pkF+QAGvM2L3+bqH8Y1CZ7yakkCncSmzpXShVg2D2nxHkwYVGhmzrzwHttmewokr
+Wtw72ta6v9gxljxNLjz+HsYovKFGbudnOcK3BxseluikrOM08fEiSF7Y1FJkyr10
+3K7yjtRyNH2tKHGiK73wjkLBkd6WWFIrtMbNP0McXqkipOSg9dwYOKfuVDzD/fCk
+W24j2pgHAI+4TQWC6PSIGMVZ76I5hhYd0WLi/8KaBu/gfqmDjnBnqqJONoAxT5kE
+mXWwE5jO0ZOWx88S2D9wmBNIx8HtMLh+7pVQ7QIDAQABAoIBADh7XxLgD99U/oy/
+U6D921ztuaDxfa6XJ1RUBMIzv6F4IoeGmLUYjYe5cj+M3SwMsWuIU6JYXTjFhRej
+fidtKD3ZMNTalrxl2g45+vO0fVIhmKDagCMBbQTn/IdLtisS/5n2ssMttlQ1ImE4
+n6BdDby61RpG0F3/HvjZBqOGALt92qaE8xmUKa8K7SVNnS7BSE+m9tn0pxJsvxCu
+3WALdAELECLLKB2bpW5u+v5niBT7Min2Oi1uJbd5SWyWqGmiX8MQ+yXPjAmQxd5D
+6L9okqOB6vkfgkuVCAc2d73NI3BE7HJqcE5PboY+ZVTcFdBGYMhvjLeXnUlMZREZ
+B7TcT4ECgYEA9QNIoozXsRwpCQGDLm0a6ZGc1NjNUtd0udOqexTSPkdhvR0sNJep
+3mjaWCBwipLTmBKs5gv+0i9V6S28r6Pq93EoJVToDPPLq+7UYMi/7vmshNWrMTBD
+N/mWF92d7gSC8cgXSnZwAz40QwIZYU6OXJL5s1YN6r/1vLRoPsbkgVECgYEA0KI0
+Ms4f9XqrrzzT9byaUUtXrSMyFVag995q5lvV5pipwkWOyWscD5tHt5GfOu15F4Ut
++k2pqXmO1FveUO9wMxFEP8LOKuoKUZ2jzJ7IUiz3TwMcQjlV7C6n5NtIsBrlElqW
+C2/HYgSw+T87T63WK8467KLgQ09yEFEIg1p7Tt0CgYEAgEqz4cl1t1tTcU/FbK3c
+hailQh4zhMkkaZkXj1Mbs1iVKPz5hKBVZgvpKHPz+dtfyCUfO2XUjCIVDf/Q6Pcf
+tWke6E1JJF8Tqndn5TW4ql05pGRtO1hWGh0qJlz4sQTTu95Vs7vIcypDG0MiHv2P
+NZIQBYNtzhmthp3AZ/6k78ECgYEAty6T8j+1I84PTA92c36jZ9llI+mRIdcsAjZR
+We0sRAmqk56LHiJjQvit4WmEizLSbWpL0ke6PckzNRVsf1ecBdqVN/6NEnTnln14
+wkJv1GcSxVcPyr2YyYS1eWVnzufuVU0gDO6Z+1/vGwj/xJf3QgMTDY58pdztY5Ii
+jWI2fikCgYEAmGEmcPOu8IjYNN+YdQ1CeF909oSH++Nqr34IB5/e2Wr9WVknfHzZ
+wIfzlUJUQO0so0LDaB7UQKk0Xk3+OP6Udw8xFfr/P5s++bvnKr3j5iHn6taqPs+v
+PFxn+7KqdYVQ4RYRYLsy6NF+MhXt2sDAhiScxVnkh09t6sT1UG9xKW4=
+-----END RSA PRIVATE KEY-----

converter/internal/staticconvert/testdata/unsupported.diags → converter/internal/staticconvert/testdata-race/unsupported.diags

@@ -4,7 +4,8 @@
 (Error) mapping_config is not supported in statsd_exporter integrations config
 (Warning) Please review your agent command line flags and ensure they are set in your Flow mode config file where necessary.
 (Error) unsupported grpc_tls_config server config was provided. flow mode does not have a gRPC server to config.
-(Error) unsupported http_tls_config server config was provided.
+(Error) unsupported prefer_server_cipher_suites server config was provided.
+(Error) unsupported windows_certificate_filter server config was provided.
 (Error) unsupported wal_directory metrics config was provided. use the run command flag --storage.path for Flow mode instead.
 (Error) unsupported integration agent was provided.
 (Error) unsupported integration azure_exporter was provided.

converter/internal/staticconvert/testdata/unsupported.river → converter/internal/staticconvert/testdata-race/unsupported.river

@@ -17,6 +17,20 @@ prometheus.remote_write "metrics_agent" {
 	}
 }
 
+logging {
+	level  = "debug"
+	format = "json"
+}
+
+http {
+	tls {
+		cert_file        = "./testdata/example-cert.pem"
+		key_file         = "./testdata/example-key.pem"
+		client_ca_file   = "./testdata/example-cert.pem"
+		client_auth_type = "VerifyClientCertIfGiven"
+	}
+}
+
 prometheus.exporter.statsd "integrations_statsd_exporter" { }
 
 prometheus.scrape "integrations_statsd_exporter" {
@@ -25,9 +39,9 @@ prometheus.scrape "integrations_statsd_exporter" {
 	job_name   = "integrations/statsd_exporter"
 
 	tls_config {
-		ca_file   = "/something.cert"
-		cert_file = "/something.cert"
-		key_file  = "/something.cert"
+		ca_file   = "/something7.cert"
+		cert_file = "/something8.cert"
+		key_file  = "/something9.cert"
 	}
 }
 
@@ -41,8 +55,3 @@ prometheus.remote_write "integrations" {
 		metadata_config { }
 	}
 }
-
-logging {
-	level  = "debug"
-	format = "json"
-}

converter/internal/staticconvert/testdata/unsupported.yaml → converter/internal/staticconvert/testdata-race/unsupported.yaml

@@ -2,9 +2,18 @@ server:
   log_level: debug
   log_format: json
   http_tls_config:
-    cert_file: "/something.cert"
+    client_ca_file: "./testdata/example-cert.pem"
+    cert_file: "./testdata/example-cert.pem"
+    key_file: "./testdata/example-key.pem"
+    client_auth_type: "VerifyClientCertIfGiven"
+    prefer_server_cipher_suites: true
+    windows_certificate_filter:
+      server:
+        store: "something"
   grpc_tls_config:
-    cert_file: "/something2.cert"
+    client_ca_file: "/something4.cert"
+    cert_file: "/something5.cert"
+    key_file: "/something6.cert"
 
 metrics:
   wal_directory: /tmp/agent
@@ -20,9 +29,9 @@ metrics:
 
 integrations:
   http_tls_config:
-    ca_file: "/something.cert"
-    cert_file: "/something.cert"
-    key_file: "/something.cert"
+    ca_file: "/something7.cert"
+    cert_file: "/something8.cert"
+    key_file: "/something9.cert"
   agent:
     enabled: true
   azure_exporter:

converter/internal/staticconvert/validate.go

@@ -66,9 +66,8 @@ func validateServer(serverConfig *server.Config) diag.Diagnostics {
 
 	defaultServerConfig := server.DefaultConfig()
 	diags.AddAll(common.UnsupportedNotDeepEqualsMessage(serverConfig.GRPC, defaultServerConfig.GRPC, "grpc_tls_config server", "flow mode does not have a gRPC server to config."))
-
-	// TODO this is in the new HTTP service in flow
-	diags.AddAll(common.UnsupportedNotDeepEquals(serverConfig.HTTP, defaultServerConfig.HTTP, "http_tls_config server"))
+	diags.AddAll(common.UnsupportedNotEquals(serverConfig.HTTP.TLSConfig.PreferServerCipherSuites, defaultServerConfig.HTTP.TLSConfig.PreferServerCipherSuites, "prefer_server_cipher_suites server"))
+	diags.AddAll(common.UnsupportedNotDeepEquals(serverConfig.HTTP.TLSConfig.WindowsCertificateFilter, defaultServerConfig.HTTP.TLSConfig.WindowsCertificateFilter, "windows_certificate_filter server"))
 
 	return diags
 }

converter/internal/test_common/testing.go

@@ -38,7 +38,7 @@ const (
 //  4. If the current filename.sourceSuffix has a matching filename.river, read
 //     the contents of filename.river and validate that they match the river
 //     configuration generated by calling convert in step 1.
-func TestDirectory(t *testing.T, folderPath string, sourceSuffix string, convert func(in []byte) ([]byte, diag.Diagnostics)) {
+func TestDirectory(t *testing.T, folderPath string, sourceSuffix string, loadFlowConfig bool, convert func(in []byte) ([]byte, diag.Diagnostics)) {
 	require.NoError(t, filepath.WalkDir(folderPath, func(path string, d fs.DirEntry, _ error) error {
 		if d.IsDir() {
 			return nil
@@ -63,7 +63,7 @@ func TestDirectory(t *testing.T, folderPath string, sourceSuffix string, convert
 				validateDiags(t, expectedDiags, actualDiags)
 
 				expectedRiver := getExpectedRiver(t, riverFile)
-				validateRiver(t, expectedRiver, actualRiver)
+				validateRiver(t, expectedRiver, actualRiver, loadFlowConfig)
 			})
 		}
 
@@ -152,7 +152,7 @@ func fileExists(path string) bool {
 }
 
 // validateRiver makes sure the expected river and actual river are a match
-func validateRiver(t *testing.T, expectedRiver []byte, actualRiver []byte) {
+func validateRiver(t *testing.T, expectedRiver []byte, actualRiver []byte, loadFlowConfig bool) {
 	if len(expectedRiver) > 0 {
 		if !reflect.DeepEqual(expectedRiver, actualRiver) {
 			fmt.Println("============== ACTUAL =============")
@@ -162,7 +162,9 @@ func validateRiver(t *testing.T, expectedRiver []byte, actualRiver []byte) {
 
 		require.Equal(t, string(expectedRiver), string(normalizeLineEndings(actualRiver)))
 
-		attemptLoadingFlowConfig(t, actualRiver)
+		if loadFlowConfig {
+			attemptLoadingFlowConfig(t, actualRiver)
+		}
 	}
 }
 

pkg/server/tls.go

@@ -265,7 +265,7 @@ func (l *tlsListener) applyNormalTLS(c TLSConfig) error {
 		newConfig.ClientCAs = clientCAPool
 	}
 
-	clientAuth, err := getClientAuthFromString(c.ClientAuth)
+	clientAuth, err := GetClientAuthFromString(c.ClientAuth)
 	if err != nil {
 		return err
 	}
@@ -290,7 +290,7 @@ func (l *tlsListener) getCertificate(*tls.ClientHelloInfo) (*tls.Certificate, er
 	return &cert, nil
 }
 
-func getClientAuthFromString(clientAuth string) (tls.ClientAuthType, error) {
+func GetClientAuthFromString(clientAuth string) (tls.ClientAuthType, error) {
 	switch clientAuth {
 	case "RequestClientCert":
 		return tls.RequestClientCert, nil

pkg/server/tls_certstore_windows.go

@@ -7,13 +7,14 @@ import (
 	"crypto/x509"
 	"encoding/asn1"
 	"fmt"
-	"github.com/github/smimesign/certstore"
-	"github.com/go-kit/log"
-	"github.com/go-kit/log/level"
 	"regexp"
 	"sort"
 	"sync"
 	"time"
+
+	"github.com/github/smimesign/certstore"
+	"github.com/go-kit/log"
+	"github.com/go-kit/log/level"
 )
 
 // winCertStoreHandler handles the finding of certificates, validating them and injecting into the default TLS pipeline
@@ -97,7 +98,7 @@ func (l *tlsListener) applyWindowsCertificateStore(c TLSConfig) error {
 		MaxVersion: tls.VersionTLS12,
 	}
 
-	ca, err := getClientAuthFromString(c.ClientAuth)
+	ca, err := GetClientAuthFromString(c.ClientAuth)
 	if err != nil {
 		return err
 	}