prometheus-community
diff --git a/‎README.md
Lines changed: 13 additions & 5 deletions b/‎README.md
Lines changed: 13 additions & 5 deletions
diff --git a/‎config/config.go
Lines changed: 39 additions & 7 deletions b/‎config/config.go
Lines changed: 39 additions & 7 deletions
diff --git a/‎config/config_test.go
Lines changed: 119 additions & 71 deletions b/‎config/config_test.go
Lines changed: 119 additions & 71 deletions
diff --git a/‎examples/auth_modules.yml
Lines changed: 17 additions & 23 deletions b/‎examples/auth_modules.yml
Lines changed: 17 additions & 23 deletions
@@ -55,7 +55,7 @@ elasticsearch_exporter --help
 | Argument                | Introduced in Version | Description                                                                                                                                                                                                                                                                                                                                                                           | Default     |
 | ----------------------- | --------------------- |---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ----------- |
 | collector.clustersettings| 1.6.0                | If true, query stats for cluster settings (As of v1.6.0, this flag has replaced "es.cluster_settings").                                                                                                                                                                                                                                                                                | false |
-| es.uri                  | 1.0.2                 | Address (host and port) of the Elasticsearch node we should connect to **when running in single-target mode**. Leave empty (the default) when you want to run the exporter only as a multi-target `/probe` endpoint. When basic auth is needed, specify as: `<proto>://<user>:<password>@<host>:<port>`. E.G., `http://admin:pass@localhost:9200`. Special characters in the user credentials need to be URL-encoded. | ״״ |
+| es.uri                  | 1.0.2                 | Address (host and port) of the Elasticsearch node we should connect to **when running in single-target mode**. Leave empty (the default) when you want to run the exporter only as a multi-target `/probe` endpoint. When basic auth is needed, specify as: `<proto>://<user>:<password>@<host>:<port>`. E.G., `http://admin:pass@localhost:9200`. Special characters in the user credentials need to be URL-encoded. | "" |
 | es.all                  | 1.0.2                 | If true, query stats for all nodes in the cluster, rather than just the node we connect to.                                                                                                                                                                                                                                                                                           | false |
 | es.indices              | 1.0.2                 | If true, query stats for all indices in the cluster.                                                                                                                                                                                                                                                                                                                                  | false |
 | es.indices_settings     | 1.0.4rc1              | If true, query settings stats for all indices in the cluster.                                                                                                                                                                                                                                                                                                                         | false |
@@ -120,10 +120,12 @@ From v2.X the exporter exposes `/probe` allowing one running instance to scrape
 
 Supported `auth_module` types:
 
-| type       | YAML fields                                                       | Injected into request                                              |
-| ---------- | ----------------------------------------------------------------- | ------------------------------------------------------------------ |
-| `userpass` | `userpass.username`, `userpass.password`, optional `options:` map | Sets HTTP basic-auth header, appends `options` as query parameters |
-| `apikey`   | `apikey:` Base64 API-Key string, optional `options:` map          | Adds `Authorization: ApiKey …` header, appends `options`           |
+| type       | YAML fields                                                       | Injected into request                                                                 |
+| ---------- | ----------------------------------------------------------------- | ------------------------------------------------------------------------------------- |
+| `userpass` | `userpass.username`, `userpass.password`, optional `options:` map | Sets HTTP basic-auth header, appends `options` as query parameters                    |
+| `apikey`   | `apikey:` Base64 API-Key string, optional `options:` map          | Adds `Authorization: ApiKey …` header, appends `options`                              |
+| `aws`      | `aws.region`, optional `aws.role_arn`, optional `options:` map    | Uses AWS SigV4 signing transport for HTTP(S) requests, appends `options`              |
+| `tls`      | `tls.ca_file`, `tls.cert_file`, `tls.key_file`                    | Uses client certificate authentication via TLS; cannot be mixed with other auth types |
 
 Example config:
 
@@ -167,6 +169,12 @@ Prometheus scrape_config:
       replacement: exporter:9114
 ```
 
+Notes:
+- `/metrics` serves a single, process-wide registry and is intended for single-target mode.
+- `/probe` creates a fresh registry per scrape for the given `target` allowing multi-target scraping.
+- Any `options:` under an auth module will be appended as URL query parameters to the target URL.
+- The `tls` auth module (client certificate authentication) is intended for self‑managed Elasticsearch/OpenSearch deployments. Amazon OpenSearch Service typically authenticates at the domain edge with IAM/SigV4 and does not support client certificate authentication; use the `aws` auth module instead when scraping Amazon OpenSearch Service domains.
+
 ### Metrics
 
 | Name                                                                 | Type       | Cardinality | Help                                                                                                |
 
@@ -57,6 +57,7 @@ type UserPassConfig struct {
 // validate ensures every auth module has the required fields according to its type.
 func (c *Config) validate() error {
 	for name, am := range c.AuthModules {
+		// Validate fields based on auth type
 		switch strings.ToLower(am.Type) {
 		case "userpass":
 			if am.UserPass == nil || am.UserPass.Username == "" || am.UserPass.Password == "" {
@@ -70,21 +71,52 @@ func (c *Config) validate() error {
 			if am.AWS == nil || am.AWS.Region == "" {
 				return fmt.Errorf("auth_module %s type aws requires region", name)
 			}
+		case "tls":
+			// TLS auth type means client certificate authentication only (no other auth)
+			if am.TLS == nil {
+				return fmt.Errorf("auth_module %s type tls requires tls configuration section", name)
+			}
+			if am.TLS.CertFile == "" || am.TLS.KeyFile == "" {
+				return fmt.Errorf("auth_module %s type tls requires cert_file and key_file for client certificate authentication", name)
+			}
+			// Validate that other auth fields are not set when using TLS auth type
+			if am.UserPass != nil {
+				return fmt.Errorf("auth_module %s type tls cannot have userpass configuration", name)
+			}
+			if am.APIKey != "" {
+				return fmt.Errorf("auth_module %s type tls cannot have apikey", name)
+			}
+			if am.AWS != nil {
+				return fmt.Errorf("auth_module %s type tls cannot have aws configuration", name)
+			}
 		default:
 			return fmt.Errorf("auth_module %s has unsupported type %s", name, am.Type)
 		}
 
-		// TLS validation (optional but if specified must be coherent)
+		// Validate TLS configuration (optional for all auth types, provides transport security)
 		if am.TLS != nil {
-			if (am.TLS.CertFile == "") != (am.TLS.KeyFile == "") {
-				return fmt.Errorf("auth_module %s tls requires both cert_file and key_file or neither", name)
+			// For cert-based auth (type: tls), cert and key are required
+			// For other auth types, TLS config is optional and used for transport security
+			if strings.ToLower(am.Type) == "tls" {
+				// Already validated above that cert and key are present
+			} else {
+				// For non-TLS auth types, if cert/key are provided, both must be present
+				if (am.TLS.CertFile != "") != (am.TLS.KeyFile != "") {
+					return fmt.Errorf("auth_module %s: if providing client certificate, both cert_file and key_file must be specified", name)
+				}
 			}
-			for _, p := range []string{am.TLS.CAFile, am.TLS.CertFile, am.TLS.KeyFile} {
-				if p == "" {
+
+			// Validate file accessibility
+			for fileType, path := range map[string]string{
+				"ca_file":   am.TLS.CAFile,
+				"cert_file": am.TLS.CertFile,
+				"key_file":  am.TLS.KeyFile,
+			} {
+				if path == "" {
 					continue
 				}
-				if _, err := os.Stat(p); err != nil {
-					return fmt.Errorf("auth_module %s tls file %s not accessible: %w", name, p, err)
+				if _, err := os.Stat(path); err != nil {
+					return fmt.Errorf("auth_module %s: %s '%s' not accessible: %w", name, fileType, path, err)
 				}
 			}
 		}
 
@@ -1,16 +1,3 @@
-// Copyright The Prometheus Authors
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
 package config
 
 import (
@@ -27,91 +14,152 @@ func mustTempFile(t *testing.T) string {
 	return f.Name()
 }
 
-func TestLoadConfigTLSValid(t *testing.T) {
+// ---------------------------- Positive cases ----------------------------
+func TestLoadConfigPositiveVariants(t *testing.T) {
 	ca := mustTempFile(t)
 	cert := mustTempFile(t)
 	key := mustTempFile(t)
-	yaml := `auth_modules:
-  secure:
+
+	positive := []struct {
+		name string
+		yaml string
+	}{{
+		"userpass",
+		`auth_modules:
+  basic:
     type: userpass
     userpass:
-      username: foo
-      password: bar
+      username: u
+      password: p`,
+	}, {
+		"userpass-with-tls",
+		`auth_modules:
+  basic:
+    type: userpass
+    userpass:
+      username: u
+      password: p
+    tls:
+      ca_file: ` + ca + `
+      insecure_skip_verify: true`,
+	}, {
+		"apikey",
+		`auth_modules:
+  key:
+    type: apikey
+    apikey: ZXhhbXBsZQ==`,
+	}, {
+		"apikey-with-tls",
+		`auth_modules:
+  key:
+    type: apikey
+    apikey: ZXhhbXBsZQ==
     tls:
       ca_file: ` + ca + `
       cert_file: ` + cert + `
-      key_file: ` + key + `
-`
-	tmp, _ := os.CreateTemp(t.TempDir(), "cfg-*.yml")
-	tmp.WriteString(yaml)
-	tmp.Close()
-	if _, err := LoadConfig(tmp.Name()); err != nil {
-		t.Fatalf("expected config to load, got %v", err)
-	}
-}
-
-func TestLoadConfigTLSMissingKey(t *testing.T) {
-	cert := mustTempFile(t)
-	yaml := `auth_modules:
-  badtls:
-    type: userpass
-    userpass:
-      username: foo
-      password: bar
+      key_file: ` + key + ``,
+	}, {
+		"aws-with-tls",
+		`auth_modules:
+  awsmod:
+    type: aws
+    aws:
+      region: us-east-1
     tls:
+      insecure_skip_verify: true`,
+	}, {
+		"tls-only",
+		`auth_modules:
+  pki:
+    type: tls
+    tls:
+      ca_file: ` + ca + `
       cert_file: ` + cert + `
-`
-	tmp, _ := os.CreateTemp(t.TempDir(), "cfg-*.yml")
-	tmp.WriteString(yaml)
-	tmp.Close()
-	if _, err := LoadConfig(tmp.Name()); err == nil {
-		t.Fatalf("expected validation error for missing key_file")
+      key_file: ` + key + ``,
+	}}
+
+	for _, c := range positive {
+		tmp, _ := os.CreateTemp(t.TempDir(), "cfg-*.yml")
+		tmp.WriteString(c.yaml)
+		tmp.Close()
+		if _, err := LoadConfig(tmp.Name()); err != nil {
+			t.Fatalf("%s: expected success, got %v", c.name, err)
+		}
 	}
 }
 
-func TestLoadConfigValidationErrors(t *testing.T) {
-	badPath := "/path/does/not/exist"
+// ---------------------------- Negative cases ----------------------------
+func TestLoadConfigNegativeVariants(t *testing.T) {
+	cert := mustTempFile(t)
 	key := mustTempFile(t)
-	cases := []struct {
+
+	negative := []struct {
 		name string
 		yaml string
-	}{
-		{
-			"tlsMissingCert",
-			`auth_modules:
+	}{{
+		"userpassMissingPassword",
+		`auth_modules:
   bad:
     type: userpass
-    userpass: {username: u, password: p}
+    userpass: {username: u}`,
+	}, {
+		"tlsMissingCert",
+		`auth_modules:
+  bad:
+    type: tls
     tls: {key_file: ` + key + `}`,
-		},
-		{
-			"tlsBadCAPath",
-			`auth_modules:
+	}, {
+		"tlsMissingKey",
+		`auth_modules:
   bad:
-    type: userpass
-    userpass: {username: u, password: p}
-    tls: {ca_file: ` + badPath + `}`,
-		},
-		{
-			"awsNoRegion",
-			`auth_modules:
+    type: tls
+    tls: {cert_file: ` + cert + `}`,
+	}, {
+		"tlsMissingConfig",
+		`auth_modules:
   bad:
-    type: aws
-    aws: {}`,
-		},
-		{
-			"unsupportedType",
-			`auth_modules:
+    type: tls`,
+	}, {
+		"tlsWithUserpass",
+		`auth_modules:
+  bad:
+    type: tls
+    tls: {cert_file: ` + cert + `, key_file: ` + key + `}
+    userpass: {username: u, password: p}`,
+	}, {
+		"tlsWithAPIKey",
+		`auth_modules:
+  bad:
+    type: tls
+    tls: {cert_file: ` + cert + `, key_file: ` + key + `}
+    apikey: ZXhhbXBsZQ==`,
+	}, {
+		"tlsWithAWS",
+		`auth_modules:
+  bad:
+    type: tls
+    tls: {cert_file: ` + cert + `, key_file: ` + key + `}
+    aws: {region: us-east-1}`,
+	}, {
+		"tlsIncompleteCert",
+		`auth_modules:
+  bad:
+    type: apikey
+    apikey: ZXhhbXBsZQ==
+    tls: {cert_file: ` + cert + `}`,
+	}, {
+		"unsupportedType",
+		`auth_modules:
   bad:
     type: foobar`,
-		},
-	}
-	for _, c := range cases {
+	}}
+
+	for _, c := range negative {
 		tmp, _ := os.CreateTemp(t.TempDir(), "cfg-*.yml")
 		tmp.WriteString(c.yaml)
 		tmp.Close()
 		if _, err := LoadConfig(tmp.Name()); err == nil {
-			t.Fatalf("%s: expected validation error, got nil", c.name)
+			t.Fatalf("%s: expected validation error, got none", c.name)
 		}
 	}
 }
@@ -24,38 +24,32 @@ auth_modules:
       password: changeme
 
   ###########################################################################
-  # 3. Userpass + mTLS (per-cluster client certs)                          #
-  ###########################################################################
-  prod_tls:
-    type: userpass
-    userpass:
-      username: metrics
-      password: certsecret
-    tls:
-      ca_file: /etc/ssl/prod/ca.pem
-      cert_file: /etc/ssl/prod/client.pem
-      key_file: /etc/ssl/prod/client-key.pem
-      insecure_skip_verify: false
-
-  ###########################################################################
-  # 4. API-Key authentication                                             #
+  # 3. API-Key authentication                                             #
   ###########################################################################
   prod_key:
     type: apikey
     apikey: BASE64-ENCODED-KEY==
-    # per-cluster TLS settings can still be supplied if needed
-    # tls:
-    #   ca_file: /etc/ssl/prod/ca.pem
 
   ###########################################################################
-  # 5. AWS SigV4 signing                                                  #
+  # 5. AWS SigV4 signing with optional TLS settings                       #
   ###########################################################################
   aws_sigv4:
     type: aws
     aws:
       region: us-east-1
-      # role_arn is optional; uncomment to assume a role
-      # role_arn: arn:aws:iam::123456789012:role/metrics-reader
-    # optional custom TLS
+      # role_arn is optional
+    # Optional TLS configuration for transport security
+    tls:
+      ca_file: /etc/ssl/ca.pem
+      insecure_skip_verify: false
+
+  ###########################################################################
+  # 6. Client certificate authentication only (no username/password)       #
+  ###########################################################################
+  pki_mtls:
+    type: tls # This auth type uses ONLY client certificates for authentication
     tls:
-      insecure_skip_verify: true # e.g. self-signed certs on ALB
+      ca_file: /etc/ssl/pki/ca.pem # Optional: CA for server verification
+      cert_file: /etc/ssl/pki/client.pem # Required: Client certificate for auth
+      key_file: /etc/ssl/pki/client-key.pem # Required: Client private key for auth
+      insecure_skip_verify: false # Optional: Skip server cert validation