Add NGINX CA config option for NGINX Plus API

Author: dhurley

src/core/config/config.go

@@ -354,6 +354,7 @@ func getNginx() Nginx {
 		NginxClientVersion:           Viper.GetInt(NginxClientVersion),
 		ConfigReloadMonitoringPeriod: Viper.GetDuration(NginxConfigReloadMonitoringPeriod),
 		TreatWarningsAsErrors:        Viper.GetBool(NginxTreatWarningsAsErrors),
+		Ca:                           Viper.GetString(NginxCa),
 	}
 }
 

src/core/config/defaults.go

@@ -66,6 +66,7 @@ var (
 			NginxClientVersion:           7, // NGINX Plus R25+
 			ConfigReloadMonitoringPeriod: 10 * time.Second,
 			TreatWarningsAsErrors:        false,
+			Ca:                           "",
 		},
 		ConfigDirs:            "/etc/nginx:/usr/local/etc/nginx:/usr/share/nginx/modules:/etc/nms",
 		IgnoreDirectives:      []string{},
@@ -175,6 +176,7 @@ const (
 	NginxClientVersion                = NginxKey + agent_config.KeyDelimiter + "client_version"
 	NginxConfigReloadMonitoringPeriod = NginxKey + agent_config.KeyDelimiter + "config_reload_monitoring_period"
 	NginxTreatWarningsAsErrors        = NginxKey + agent_config.KeyDelimiter + "treat_warnings_as_errors"
+	NginxCa                           = NginxKey + agent_config.KeyDelimiter + "ca"
 
 	// viper keys used in config
 	DataplaneKey = "dataplane"
@@ -321,6 +323,11 @@ var (
 			Usage:        "On nginx -t, treat warnings as failures on configuration application.",
 			DefaultValue: Defaults.Nginx.TreatWarningsAsErrors,
 		},
+		&StringFlag{
+			Name:         NginxCa,
+			Usage:        "The NGINX Plus CA certificate file location needed to call the NGINX Plus API if SSL is enabled.",
+			DefaultValue: Defaults.Nginx.Ca,
+		},
 		// Metrics
 		&DurationFlag{
 			Name:         MetricsCollectionInterval,

src/core/config/types.go

@@ -8,6 +8,8 @@
 package config
 
 import (
+	"path/filepath"
+	"strings"
 	"time"
 
 	"github.com/nginx/agent/sdk/v2/backoff"
@@ -90,6 +92,20 @@ func (c *Config) GetMetricsBackoffSettings() backoff.BackoffSettings {
 	}
 }
 
+func (c *Config) IsFileAllowed(path string) bool {
+	if !filepath.IsAbs(path) {
+		return false
+	}
+
+	for dir := range c.AllowedDirectoriesMap {
+		if strings.HasPrefix(path, dir) {
+			return true
+		}
+	}
+
+	return false
+}
+
 type Server struct {
 	Host     string `mapstructure:"host" yaml:"-"`
 	GrpcPort int    `mapstructure:"grpcPort" yaml:"-"`
@@ -139,6 +155,7 @@ type Nginx struct {
 	NginxClientVersion           int           `mapstructure:"client_version" yaml:"-"`
 	ConfigReloadMonitoringPeriod time.Duration `mapstructure:"config_reload_monitoring_period" yaml:"-"`
 	TreatWarningsAsErrors        bool          `mapstructure:"treat_warnings_as_errors" yaml:"-"`
+	Ca                           string        `mapstructure:"ca" yaml:"-"`
 }
 
 type Dataplane struct {

src/core/metrics/collectors/nginx.go

@@ -61,7 +61,10 @@ func buildSources(dimensions *metrics.CommonDim, binary core.NginxBinary, collec
 			nginxSources = append(nginxSources, sources.NewNginxAccessLog(dimensions, sources.OSSNamespace, binary, sources.OSSNginxType, collectorConf.CollectionInterval))
 			nginxSources = append(nginxSources, sources.NewNginxErrorLog(dimensions, sources.OSSNamespace, binary, sources.OSSNginxType, collectorConf.CollectionInterval))
 		} else if collectorConf.PlusAPI != "" {
-			nginxSources = append(nginxSources, sources.NewNginxPlus(dimensions, sources.OSSNamespace, sources.PlusNamespace, collectorConf.PlusAPI, collectorConf.ClientVersion))
+			nginxPlusSource := sources.NewNginxPlus(dimensions, sources.OSSNamespace, sources.PlusNamespace, collectorConf.PlusAPI, collectorConf.ClientVersion, conf)
+			if nginxPlusSource != nil {
+				nginxSources = append(nginxSources, nginxPlusSource)
+			}
 			nginxSources = append(nginxSources, sources.NewNginxAccessLog(dimensions, sources.OSSNamespace, binary, sources.PlusNginxType, collectorConf.CollectionInterval))
 			nginxSources = append(nginxSources, sources.NewNginxErrorLog(dimensions, sources.OSSNamespace, binary, sources.PlusNginxType, collectorConf.CollectionInterval))
 		} else {

src/core/metrics/sources/nginx_plus.go

@@ -9,10 +9,16 @@ package sources
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"math"
+	"net/http"
+	"os"
 	"sync"
 
+	"github.com/nginx/agent/v2/src/core/config"
+
 	"github.com/nginx/agent/sdk/v2/proto"
 	"github.com/nginx/agent/v2/src/core/metrics"
 
@@ -67,6 +73,7 @@ type NginxPlus struct {
 	init          sync.Once
 	clientVersion int
 	logger        *MetricSourceLogger
+	client        *http.Client
 }
 
 type ExtendedStats struct {
@@ -75,14 +82,44 @@ type ExtendedStats struct {
 	streamEndpoints []string
 }
 
-func NewNginxPlus(baseDimensions *metrics.CommonDim, nginxNamespace, plusNamespace, plusAPI string, clientVersion int) *NginxPlus {
+func NewNginxPlus(baseDimensions *metrics.CommonDim, nginxNamespace, plusNamespace, plusAPI string, clientVersion int, conf *config.Config) *NginxPlus {
 	log.Debug("Creating NGINX Plus metrics source")
-	return &NginxPlus{baseDimensions: baseDimensions, nginxNamespace: nginxNamespace, plusNamespace: plusNamespace, plusAPI: plusAPI, clientVersion: clientVersion, logger: NewMetricSourceLogger()}
+
+	client := http.DefaultClient
+
+	if conf.Nginx.Ca != "" && conf.IsFileAllowed(conf.Nginx.Ca) {
+		data, err := os.ReadFile(conf.Nginx.Ca)
+		if err != nil {
+			log.Errorf("Unable to collect NGINX Plus metrics. Failed to read NGINX CA certificate file: %v", err)
+			return nil
+		}
+
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM(data)
+
+		client = &http.Client{
+			Transport: &http.Transport{
+				TLSClientConfig: &tls.Config{
+					RootCAs: caCertPool,
+				},
+			},
+		}
+	}
+
+	return &NginxPlus{
+		baseDimensions: baseDimensions,
+		nginxNamespace: nginxNamespace,
+		plusNamespace:  plusNamespace,
+		plusAPI:        plusAPI,
+		clientVersion:  clientVersion,
+		logger:         NewMetricSourceLogger(),
+		client:         client,
+	}
 }
 
 func (c *NginxPlus) Collect(ctx context.Context, m chan<- *metrics.StatsEntityWrapper) {
 	c.init.Do(func() {
-		cl, err := plusclient.NewNginxClient(c.plusAPI, plusclient.WithMaxAPIVersion())
+		cl, err := plusclient.NewNginxClient(c.plusAPI, plusclient.WithMaxAPIVersion(), plusclient.WithHTTPClient(c.client))
 		if err != nil {
 			c.logger.Log(fmt.Sprintf("Failed to create plus metrics client: %v", err))
 			SendNginxDownStatus(ctx, c.baseDimensions.ToDimensions(), m)

src/core/metrics/sources/nginx_plus_test.go

@@ -570,7 +570,7 @@ func (f *FakeNginxPlus) Collect(ctx context.Context, m chan<- *metrics.StatsEnti
 }
 
 func TestNginxPlusUpdate(t *testing.T) {
-	nginxPlus := NewNginxPlus(&metrics.CommonDim{}, "test", PlusNamespace, "http://localhost:8080/api", 6)
+	nginxPlus := NewNginxPlus(&metrics.CommonDim{}, "test", PlusNamespace, "http://localhost:8080/api", 6, &config.Config{})
 
 	assert.Equal(t, "", nginxPlus.baseDimensions.InstanceTags)
 	assert.Equal(t, "http://localhost:8080/api", nginxPlus.plusAPI)
@@ -867,7 +867,7 @@ func TestNginxPlus_Collect(t *testing.T) {
 	for _, test := range tests {
 		ctx := context.TODO()
 
-		f := &FakeNginxPlus{NewNginxPlus(test.baseDimensions, "nginx", "plus", "", 6)}
+		f := &FakeNginxPlus{NewNginxPlus(test.baseDimensions, "nginx", "plus", "", 6, &config.Config{})}
 		go f.Collect(ctx, test.m)
 
 		instanceMetrics := <-test.m