[v1] Add HTTP TLS (#425)

* feat: add SSL/TLS support for secure connections

- Add environment variables for SSL configuration
- Implement conditional SSL server startup based on configuration

* Add additional SSL/TLS config options

- Added a way to configure cipher suites
- Added a way to configure TLS min version

* Change SSL config variables to use file paths and improve test coverage

* Remove t.Pararell() from config test

* Add detailed SSL/TLS configuration documentation to README

---------

Co-authored-by: chanyongkit <[email protected]>

Author: kuskoman

README.md

@@ -97,6 +97,28 @@ The application can be configured using the following environment variables, whi
 | `LOG_LEVEL`   | [Log level](https://pkg.go.dev/golang.org/x/exp/slog#Level) (defaults to "info" if not set)   | `""` (empty string)     |
 | `HTTP_TIMEOUT`| Timeout for HTTP requests to Logstash API in [Go duration format](https://golang.org/pkg/time/#ParseDuration) | `2s` |
 
+#### SSL/TLS Configuration
+
+The exporter supports serving metrics over HTTPS with the following configuration options:
+
+| Variable Name | Description                                                                                   | Default Value           |
+|---------------|-----------------------------------------------------------------------------------------------|-------------------------|
+| `ENABLE_SSL`  | Enable SSL/TLS for the HTTP server (TRUE or FALSE)                                            | `FALSE`                 |
+| `SSL_CERT_FILE_PATH` | File path to the SSL certificate file (required when ENABLE_SSL=TRUE)                  | `""`                    |
+| `SSL_KEY_FILE_PATH`  | File path to the SSL private key file (required when ENABLE_SSL=TRUE)                  | `""`                    |
+| `SSL_CIPHER_LIST`    | Comma-separated list of SSL cipher suites to use                                       | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA |
+| `SSL_MIN_VERSION`    | Minimum TLS version (1.0, 1.1, 1.2, 1.3)                                               | `1.2`                   |
+
+When `ENABLE_SSL` is set to `TRUE`, you must provide valid paths to both certificate and key files. Example:
+
+```sh
+ENABLE_SSL=TRUE
+SSL_CERT_FILE_PATH=/path/to/certificate.crt
+SSL_KEY_FILE_PATH=/path/to/private.key
+```
+
+For security reasons, TLS 1.2 is configured as the minimum supported version by default. You can modify the TLS version and cipher suites based on your security requirements.
+
 All configuration variables can be checked in the [config directory](./config/).
 
 ## Building

cmd/exporter/main.go

@@ -36,6 +36,13 @@ func main() {
 
 	port, host := config.Port, config.Host
 	logstashUrl := config.LogstashUrl
+	enableSSL := config.EnableSSL == "TRUE"
+	sslCertFilePath := config.SSLCertFilePath
+	sslKeyFilePath := config.SSLKeyFilePath
+	tlsConfig, err := config.SetupTLS()
+	if err != nil {
+		log.Fatalf("failed to setup tls: %s",err)
+	}
 
 	slog.Debug("application starting... ")
 	versionInfo := config.GetVersionInfo()
@@ -56,8 +63,15 @@ func main() {
 	prometheus.MustRegister(collectorManager)
 
 	slog.Info("starting server on", "host", host, "port", port)
-	if err := appServer.ListenAndServe(); err != nil {
+	if enableSSL {
+		appServer.TLSConfig = tlsConfig
+		err = appServer.ListenAndServeTLS(sslCertFilePath, sslKeyFilePath)
+	} else {
+		err = appServer.ListenAndServe()
+	}
+	
+	if err != nil {
 		slog.Error("failed to listen and serve", "err", err)
-		os.Exit(1)
+	    os.Exit(1)
 	}
 }

config/http_config_test.go

@@ -8,7 +8,6 @@ import (
 
 func TestGetHttpTimeout(t *testing.T) {
 	t.Run("DefaultTimeout", func(t *testing.T) {
-		t.Parallel()
 		os.Unsetenv(httpTimeoutEnvVar)
 		timeout, err := GetHttpTimeout()
 		if err != nil {
@@ -20,7 +19,6 @@ func TestGetHttpTimeout(t *testing.T) {
 	})
 
 	t.Run("CustomTimeout", func(t *testing.T) {
-		t.Parallel()
 		expectedTimeout := "5s"
 		os.Setenv(httpTimeoutEnvVar, expectedTimeout)
 		defer os.Unsetenv(httpTimeoutEnvVar)
@@ -35,7 +33,6 @@ func TestGetHttpTimeout(t *testing.T) {
 	})
 
 	t.Run("InvalidTimeout", func(t *testing.T) {
-		t.Parallel()
 		os.Setenv(httpTimeoutEnvVar, "invalid")
 		defer os.Unsetenv(httpTimeoutEnvVar)
 		_, err := GetHttpTimeout()
@@ -47,7 +44,6 @@ func TestGetHttpTimeout(t *testing.T) {
 
 func TestGetHttpInsecure(t *testing.T) {
 	t.Run("DefaultInsecure", func(t *testing.T) {
-		t.Parallel()
 		os.Unsetenv(httpInsecureEnvVar)
 		insecure := GetHttpInsecure()
 		if insecure != false {
@@ -56,7 +52,6 @@ func TestGetHttpInsecure(t *testing.T) {
 	})
 
 	t.Run("CustomInsecure", func(t *testing.T) {
-		t.Parallel()
 		expectedInsecure := true
 		os.Setenv(httpInsecureEnvVar, "true")
 		defer os.Unsetenv(httpInsecureEnvVar)
@@ -67,7 +62,6 @@ func TestGetHttpInsecure(t *testing.T) {
 	})
 
 	t.Run("InvalidInsecure", func(t *testing.T) {
-		t.Parallel()
 		expectedInsecure := false
 		os.Setenv(httpInsecureEnvVar, "invalid")
 		defer os.Unsetenv(httpInsecureEnvVar)

config/server_config.go

@@ -1,6 +1,21 @@
 package config
 
 var (
+	// SSL determines if the exporter should use HTTPS instead of HTTP
+	// Defaults to "FALSE"
+	// Can be overridden by setting the SSL environment variable
+	EnableSSL = getEnvWithDefault("ENABLE_SSL", "FALSE")
+
+	// SSL_CERT_FILE_PATH specifies the file path to the SSL certificate file
+	// Must be set if SSL is "TRUE"
+	// Can be overridden by setting the SSL_CERT_FILE_PATH environment variable
+	SSLCertFilePath = getEnvWithDefault("SSL_CERT_FILE_PATH","")
+
+	// SSL_KEY_FILE_PATH specifies the file path to the SSL private key file
+	// Must be set if SSL is "TRUE"
+	// Can be overridden by setting the SSL_KEY_FILE_PATH environment variable
+	SSLKeyFilePath = getEnvWithDefault("SSL_KEY_FILE_PATH","")
+
 	// Port is the port the exporter will listen on.
 	// Defaults to 9198
 	// Can be overridden by setting the PORT environment variable

config/tls_config.go

@@ -0,0 +1,55 @@
+package config
+
+import (
+    "fmt"
+    "crypto/tls"
+	"strings"
+)
+
+var(
+	SSLCipherList = getEnvWithDefault("SSL_CIPHER_LIST","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA")
+	SSLMinVersion = getEnvWithDefault("SSL_MIN_VERSION","1.2")
+)
+
+func SetupTLS() (*tls.Config, error) {
+	var cipherSuites []uint16
+	if SSLCipherList != "" {
+		cipherMap := make(map[string]uint16)
+		for _, suite := range tls.CipherSuites() {
+			cipherMap[suite.Name] = suite.ID
+		}
+		for _, suite := range tls.InsecureCipherSuites() {
+			cipherMap[suite.Name] = suite.ID
+		}
+
+		for _, cipher := range strings.Split(SSLCipherList, ",") {
+			cipher = strings.TrimSpace(cipher)
+			if id, exists := cipherMap[cipher]; exists {
+				cipherSuites = append(cipherSuites, id)
+			} else {
+				return nil, fmt.Errorf("unsupported cipher suite: %s", cipher)
+			}
+		}
+	}
+
+	var minVersion uint16
+	switch SSLMinVersion {
+	case "1.0":
+		minVersion = tls.VersionTLS10
+	case "1.1":
+		minVersion = tls.VersionTLS11
+	case "1.2":
+		minVersion = tls.VersionTLS12
+	case "1.3", "":
+		minVersion = tls.VersionTLS13 
+	default:
+		return nil, fmt.Errorf("invalid TLS version: %s", SSLMinVersion)
+	}
+
+	tlsConfig := &tls.Config{
+		MinVersion:   minVersion,
+		CipherSuites: cipherSuites,
+	}
+
+	return tlsConfig, nil
+}

config/tls_config_test.go

@@ -0,0 +1,115 @@
+package config
+
+import (
+	"crypto/tls"
+	"testing"
+)
+
+func TestSetupTLS(t *testing.T) {
+	t.Run("default configuration", func(t *testing.T) {
+		tlsConfig, err := SetupTLS()
+
+		if err != nil {
+			t.Fatalf("Unexpected error setting up TLS: %v", err)
+		}
+
+		if tlsConfig == nil {
+			t.Fatal("Expected TLS config, got nil")
+		}
+
+		if tlsConfig.MinVersion != tls.VersionTLS12 {
+			t.Errorf("Expected MinVersion TLS 1.2, got %d", tlsConfig.MinVersion)
+		}
+
+		expectedCipherSuites := []uint16{
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+		}
+		
+		if len(tlsConfig.CipherSuites) != len(expectedCipherSuites) {
+			t.Errorf("Expected %d cipher suites, got %d", len(expectedCipherSuites), len(tlsConfig.CipherSuites))
+		}
+	})
+
+	t.Run("custom TLS version", func(t *testing.T) {
+		// Save original values
+		originalMinVersion := SSLMinVersion
+		defer func() {
+			SSLMinVersion = originalMinVersion
+		}()
+
+		// Test TLS 1.1
+		SSLMinVersion = "1.1"
+		tlsConfig, err := SetupTLS()
+		if err != nil {
+			t.Fatalf("Unexpected error setting up TLS with version 1.1: %v", err)
+		}
+		if tlsConfig.MinVersion != tls.VersionTLS11 {
+			t.Errorf("Expected MinVersion TLS 1.1, got %d", tlsConfig.MinVersion)
+		}
+
+		// Test TLS 1.0
+		SSLMinVersion = "1.0"
+		tlsConfig, err = SetupTLS()
+		if err != nil {
+			t.Fatalf("Unexpected error setting up TLS with version 1.0: %v", err)
+		}
+		if tlsConfig.MinVersion != tls.VersionTLS10 {
+			t.Errorf("Expected MinVersion TLS 1.0, got %d", tlsConfig.MinVersion)
+		}
+
+		// Test TLS 1.3
+		SSLMinVersion = "1.3"
+		tlsConfig, err = SetupTLS()
+		if err != nil {
+			t.Fatalf("Unexpected error setting up TLS with version 1.3: %v", err)
+		}
+		if tlsConfig.MinVersion != tls.VersionTLS13 {
+			t.Errorf("Expected MinVersion TLS 1.3, got %d", tlsConfig.MinVersion)
+		}
+
+		// Test invalid version
+		SSLMinVersion = "invalid"
+		_, err = SetupTLS()
+		if err == nil {
+			t.Errorf("Expected error for invalid TLS version, got nil")
+		}
+	})
+
+	t.Run("custom cipher suite", func(t *testing.T) {
+		// Save original values
+		originalCipherList := SSLCipherList
+		defer func() {
+			SSLCipherList = originalCipherList
+		}()
+
+		// Test empty cipher list (should default to Go's defaults)
+		SSLCipherList = ""
+		tlsConfig, err := SetupTLS()
+		if err != nil {
+			t.Fatalf("Unexpected error setting up TLS with empty cipher list: %v", err)
+		}
+		if tlsConfig.CipherSuites != nil {
+			t.Errorf("Expected nil CipherSuites for empty list, got %v", tlsConfig.CipherSuites)
+		}
+
+		// Test single cipher
+		SSLCipherList = "TLS_RSA_WITH_AES_256_CBC_SHA"
+		tlsConfig, err = SetupTLS()
+		if err != nil {
+			t.Fatalf("Unexpected error setting up TLS with single cipher: %v", err)
+		}
+		if len(tlsConfig.CipherSuites) != 1 {
+			t.Errorf("Expected 1 cipher suite, got %d", len(tlsConfig.CipherSuites))
+		}
+
+		// Test invalid cipher
+		SSLCipherList = "INVALID_CIPHER"
+		_, err = SetupTLS()
+		if err == nil {
+			t.Errorf("Expected error for invalid cipher suite, got nil")
+		}
+	})
+}

server/versioninfo_test.go

@@ -69,7 +69,7 @@ func TestHandleVersionInfo(t *testing.T) {
 	})
 
 	t.Run("invalid JSON", func(t *testing.T) {
-		t.Parallel()
+		// Don't use t.Parallel() for this test to avoid race conditions
 		versionInfo := &config.VersionInfo{
 			Version:   "version",
 			GitCommit: "git commit",
@@ -88,14 +88,26 @@ func TestHandleVersionInfo(t *testing.T) {
 			t.Errorf("expected 2 writes, but got: %d", len(w.writes))
 		}
 
-		firstWrite := string(w.writes[0])
+		// Create a copy of the data to avoid race conditions
+		var firstWrite, secondWrite string
+		if len(w.writes) > 0 {
+			firstWriteData := make([]byte, len(w.writes[0]))
+			copy(firstWriteData, w.writes[0])
+			firstWrite = string(firstWriteData)
+		}
+		
+		if len(w.writes) > 1 {
+			secondWriteData := make([]byte, len(w.writes[1]))
+			copy(secondWriteData, w.writes[1])
+			secondWrite = string(secondWriteData)
+		}
+
 		expectedFirstWrite := `{"Version":"version","SemanticVersion":"","GitCommit":"git commit","GoVersion":"go version","BuildArch":"build arch","BuildOS":"build os","BuildDate":"build date"}`
 		expectedFirstWrite = expectedFirstWrite + "\n"
 		if firstWrite != expectedFirstWrite {
 			t.Errorf("expected first write to be %s, but got: %s", expectedFirstWrite, firstWrite)
 		}
 
-		secondWrite := string(w.writes[1])
 		expectedSecondWrite := "EOF\n"
 		if secondWrite != expectedSecondWrite {
 			t.Errorf("expected second write to be %s, but got: %s", expectedSecondWrite, secondWrite)