Aws es signing

.promu.yml

@@ -5,12 +5,11 @@ repository:
 build:
     flags: -a -tags netgo
     ldflags: |
-        -s
-        -X {{repoPath}}/vendor/github.com/prometheus/common/version.Version={{.Version}}
-        -X {{repoPath}}/vendor/github.com/prometheus/common/version.Revision={{.Revision}}
-        -X {{repoPath}}/vendor/github.com/prometheus/common/version.Branch={{.Branch}}
-        -X {{repoPath}}/vendor/github.com/prometheus/common/version.BuildUser={{user}}@{{host}}
-        -X {{repoPath}}/vendor/github.com/prometheus/common/version.BuildDate={{date "20060102-15:04:05"}}
+        -X github.com/prometheus/common/version.Version={{.Version}}
+        -X github.com/prometheus/common/version.Revision={{.Revision}}
+        -X github.com/prometheus/common/version.Branch={{.Branch}}
+        -X github.com/prometheus/common/version.BuildUser={{user}}@{{host}}
+        -X github.com/prometheus/common/version.BuildDate={{date "20060102-15:04:05"}}
 tarball:
     files:
         - LICENSE

Makefile

@@ -11,10 +11,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-GO    := GO15VENDOREXPERIMENT=1 go
-PROMU := $(GOPATH)/bin/promu
-GOLINTER                ?= $(GOPATH)/bin/gometalinter
-pkgs   = $(shell $(GO) list ./... | grep -v /vendor/)
+GO    := GO111MODULE=on go
+PROMU := $(shell $(GO) env GOPATH)/bin/promu
+GOLINTER                ?= $(shell $(GO) env GOPATH)/bin/gometalinter
+pkgs   = $(shell $(GO) list ./...)
 
 PREFIX                  ?= $(shell pwd)
 BIN_DIR                 ?= $(shell pwd)
@@ -26,7 +26,7 @@ all: format build test
 
 style:
 	@echo ">> checking code style"
-	@! gofmt -d $(shell find . -path ./vendor -prune -o -name '*.go' -print) | grep '^'
+	@! gofmt -d $(shell find . -name '*.go' -print) | grep '^'
 
 test:
 	@echo ">> running tests"

go.mod

@@ -0,0 +1,18 @@
+module github.com/justwatchcom/elasticsearch_exporter
+
+go 1.13
+
+require (
+	github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d // indirect
+	github.com/aws/aws-sdk-go v1.31.3
+	github.com/blang/semver v3.5.2-0.20180723201105-3c1074078d32+incompatible
+	github.com/go-kit/kit v0.10.0
+	github.com/golang/protobuf v1.4.2 // indirect
+	github.com/imdario/mergo v0.3.9
+	github.com/prometheus/client_golang v1.6.0
+	github.com/prometheus/common v0.10.0
+	golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2 // indirect
+	golang.org/x/sys v0.0.0-20200523222454-059865788121 // indirect
+	gopkg.in/alecthomas/kingpin.v2 v2.2.6
+	gopkg.in/yaml.v2 v2.3.0 // indirect
+)

main.go

@@ -7,12 +7,17 @@ import (
 	"os/signal"
 	"time"
 
+	"github.com/aws/aws-sdk-go/aws/credentials"
+
+	"github.com/justwatchcom/elasticsearch_exporter/pkg/roundtripper"
+
 	"context"
 
 	"github.com/go-kit/kit/log/level"
 	"github.com/justwatchcom/elasticsearch_exporter/collector"
 	"github.com/justwatchcom/elasticsearch_exporter/pkg/clusterinfo"
 	"github.com/prometheus/client_golang/prometheus"
+	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"github.com/prometheus/common/version"
 	"gopkg.in/alecthomas/kingpin.v2"
 )
@@ -68,6 +73,10 @@ func main() {
 		esInsecureSkipVerify = kingpin.Flag("es.ssl-skip-verify",
 			"Skip SSL verification when connecting to Elasticsearch.").
 			Default("false").Envar("ES_SSL_SKIP_VERIFY").Bool()
+		esAWS = kingpin.Flag("es.aws", "AWS cloud provider being used").
+			Default("false").Envar("ES_AWS").Bool()
+		esAWSRegion = kingpin.Flag("es.aws-region", "Sets the AWS region").
+				Default("").Envar("ES_AWS_REGION").String()
 		logLevel = kingpin.Flag("log.level",
 			"Sets the loglevel. Valid levels are debug, info, warn, error").
 			Default("info").Envar("LOG_LEVEL").String()
@@ -97,12 +106,22 @@ func main() {
 	// returns nil if not provided and falls back to simple TCP.
 	tlsConfig := createTLSConfig(*esCA, *esClientCert, *esClientPrivateKey, *esInsecureSkipVerify)
 
+	defaultTransport := &http.Transport{
+		TLSClientConfig: tlsConfig,
+		Proxy:           http.ProxyFromEnvironment,
+	}
+
 	httpClient := &http.Client{
-		Timeout: *esTimeout,
-		Transport: &http.Transport{
-			TLSClientConfig: tlsConfig,
-			Proxy:           http.ProxyFromEnvironment,
-		},
+		Timeout:   *esTimeout,
+		Transport: defaultTransport,
+	}
+
+	if esAWS != nil {
+		httpClient.Transport = &roundtripper.AWSSigningTransport{
+			DefaultTransport: defaultTransport,
+			Credentials:      credentials.NewChainCredentials([]credentials.Provider{&credentials.EnvProvider{}, &credentials.SharedCredentialsProvider{}}),
+			Region:           *esAWSRegion,
+		}
 	}
 
 	// version metric
@@ -160,7 +179,7 @@ func main() {
 	prometheus.MustRegister(clusterInfoRetriever)
 
 	mux := http.DefaultServeMux
-	mux.Handle(*metricsPath, prometheus.Handler())
+	mux.Handle(*metricsPath, promhttp.Handler())
 	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
 		_, err = w.Write([]byte(`<html>
 			<head><title>Elasticsearch Exporter</title></head>

pkg/roundtripper/aws.go

@@ -0,0 +1,31 @@
+package roundtripper
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/aws/aws-sdk-go/aws/credentials"
+	v4 "github.com/aws/aws-sdk-go/aws/signer/v4"
+)
+
+const (
+	service = "es"
+)
+
+type AWSSigningTransport struct {
+	DefaultTransport *http.Transport
+	Credentials      *credentials.Credentials
+	Region           string
+}
+
+// RoundTrip implementation
+func (a AWSSigningTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+	signer := v4.NewSigner(a.Credentials)
+
+	// body is nil as we never send data to Elastic, just get
+	if _, err := signer.Sign(req, nil, service, a.Region, time.Now()); err != nil {
+		return nil, err
+	}
+
+	return a.DefaultTransport.RoundTrip(req)
+}