Add Cloudera ssl config parameters and functionality (#17649)

* Added ssl config parameters and functionality

* changelog

* Add test_client_ssl

---------

Co-authored-by: Steven Yuen <steven.yuen@datadoghq.com>

Author: jose-manuel-almaza

cloudera/assets/configuration/spec.yaml

@@ -34,11 +34,33 @@ files:
 
       value:
         type: string
+    - name: verify_ssl
+      description: Enable SSL/TLS encryption for the check.
+      value:
+        default: true
+        type: boolean
+        example: true
+    - name: ssl_ca_cert
+      description: Path to the file containing the CA certificates to trust.
+      value:
+        example: <CERT_PATH>
+        type: string
+    - name: cert_file
+      description: Path to the file from which the local certificates can be loaded.
+      value:
+        example: <CERT_FILE_PATH>
+        type: string
+    - name: key_file
+      description: Path to the file from which to load the private key.
+      value:
+        example: <KEY_FILE_PATH>
+        type: string
     - name: max_parallel_requests
       description: |
         The maximum number of requests to Cloudera Manager that are allowed in parallel.
       hidden: true
       value:
+        default: 4
         type: integer
         example: 100
     - name: clusters

cloudera/changelog.d/17649.added

@@ -0,0 +1 @@
+Add Cloudera ssl config parameters and functionality

cloudera/datadog_checks/cloudera/api/factory.py

@@ -19,6 +19,10 @@ def make_api(check) -> Api:
             'workload_username': check.shared_config.workload_username,
             'workload_password': check.shared_config.workload_password,
             'max_parallel_requests': check.config.max_parallel_requests,
+            'verify_ssl': check.config.verify_ssl,
+            'ssl_ca_cert': check.config.ssl_ca_cert,
+            'cert_file': check.config.cert_file,
+            'key_file': check.config.key_file,
         },
     )
     if not client:

cloudera/datadog_checks/cloudera/client/cm_client.py

@@ -25,6 +25,10 @@ def __init__(self, log, **kwargs):
         cm_client.configuration.username = kwargs.get('workload_username')
         cm_client.configuration.password = kwargs.get('workload_password')
         self._client = cm_client.ApiClient(kwargs.get('api_url'))
+        cm_client.configuration.verify_ssl = kwargs.get('verify_ssl')
+        cm_client.configuration.ssl_ca_cert = kwargs.get('ssl_ca_cert')
+        cm_client.configuration.cert_file = kwargs.get('cert_file')
+        cm_client.configuration.key_file = kwargs.get('key_file')
         self._client.rest_client = RESTClientObject(maxsize=kwargs.get('max_parallel_requests'))
 
     def get_version(self) -> Version:

cloudera/datadog_checks/cloudera/config_models/defaults.py

@@ -21,8 +21,12 @@ def instance_empty_default_hostname():
 
 
 def instance_max_parallel_requests():
-    return 100
+    return 4
 
 
 def instance_min_collection_interval():
     return 15
+
+
+def instance_verify_ssl():
+    return True

cloudera/datadog_checks/cloudera/config_models/instance.py

@@ -56,16 +56,20 @@ class InstanceConfig(BaseModel):
         frozen=True,
     )
     api_url: str
+    cert_file: Optional[str] = None
     cloudera_client: Optional[str] = None
     clusters: Optional[Clusters] = None
     custom_queries: Optional[tuple[CustomQuery, ...]] = None
     disable_generic_tags: Optional[bool] = None
     empty_default_hostname: Optional[bool] = None
+    key_file: Optional[str] = None
     max_parallel_requests: Optional[int] = None
     metric_patterns: Optional[MetricPatterns] = None
     min_collection_interval: Optional[float] = None
     service: Optional[str] = None
+    ssl_ca_cert: Optional[str] = None
     tags: Optional[tuple[str, ...]] = None
+    verify_ssl: Optional[bool] = None
 
     @model_validator(mode='before')
     def _initial_validation(cls, values):

cloudera/datadog_checks/cloudera/data/conf.yaml.example

@@ -36,6 +36,26 @@ instances:
     #
   - api_url: <API_URL>
 
+    ## @param verify_ssl - boolean - optional - default: true
+    ## Enable SSL/TLS encryption for the check.
+    #
+    # verify_ssl: true
+
+    ## @param ssl_ca_cert - string - optional
+    ## Path to the file containing the CA certificates to trust.
+    #
+    # ssl_ca_cert: <CERT_PATH>
+
+    ## @param cert_file - string - optional
+    ## Path to the file from which the local certificates can be loaded.
+    #
+    # cert_file: <CERT_FILE_PATH>
+
+    ## @param key_file - string - optional
+    ## Path to the file from which to load the private key.
+    #
+    # key_file: <KEY_FILE_PATH>
+
     ## @param clusters - mapping - optional
     ## Optional configuration to indicate the clusters that we want to be processed. If not configured,
     ## all clusters will be processed.

cloudera/tests/conftest.py

@@ -4,7 +4,9 @@
 
 from copy import deepcopy
 
+import mock
 import pytest
+from packaging.version import Version
 
 from datadog_checks.cloudera import ClouderaCheck
 from datadog_checks.dev import docker_run
@@ -37,3 +39,27 @@ def config():
 @pytest.fixture(scope='session')
 def cloudera_check():
     return lambda instance: deepcopy(ClouderaCheck('cloudera', init_config=common.INIT_CONFIG, instances=[instance]))
+
+
+class MockCmClient:
+    def __init__(self, log, **kwargs):
+        self.log = log
+        self.kwargs = kwargs
+
+    def get_version(self):
+        return Version('7.0.0')
+
+    def read_clusters(self):
+        return []
+
+    def read_events(self, query):
+        return []
+
+
+@pytest.fixture
+def cloudera_cm_client():
+    def cm_client(log, **kwargs):
+        return MockCmClient(log, **kwargs)
+
+    with mock.patch('datadog_checks.cloudera.client.factory.CmClient', side_effect=cm_client) as mock_cm_client:
+        yield mock_cm_client

cloudera/tests/test_unit_client.py

@@ -6,7 +6,6 @@
 
 import mock
 import pytest
-from packaging.version import Version
 
 from datadog_checks.base.types import ServiceCheck
 
@@ -100,6 +99,7 @@
         'cloudera_client cm_client with custom tags',
     ],
 )
+@pytest.mark.usefixtures('cloudera_cm_client')
 def test_client(
     aggregator,
     dd_run_check,
@@ -108,16 +108,7 @@ def test_client(
     expected_exception,
     expected_service_checks,
 ):
-    with expected_exception, mock.patch(
-        'datadog_checks.cloudera.client.cm_client.CmClient.get_version',
-        return_value=Version('7.0.0'),
-    ), mock.patch(
-        'datadog_checks.cloudera.client.cm_client.CmClient.read_clusters',
-        return_value=[],
-    ), mock.patch(
-        'datadog_checks.cloudera.client.cm_client.CmClient.read_events',
-        return_value=[],
-    ):
+    with expected_exception:
         check = cloudera_check(instance)
         dd_run_check(check)
         for expected_service_check in expected_service_checks:
@@ -128,3 +119,27 @@ def test_client(
                 message=expected_service_check.get('message'),
                 tags=expected_service_check.get('tags'),
             )
+
+
+def test_client_ssl(dd_run_check, cloudera_check, cloudera_cm_client):
+    instance = {
+        'api_url': 'http://localhost:8080/api/v48/',
+        'cloudera_client': 'cm_client',
+        'verify_ssl': True,
+        'ssl_ca_cert': 'ssl_ca_cert_path',
+        'cert_file': 'cert_file_path',
+        'key_file': 'key_file_path',
+    }
+    check = cloudera_check(instance)
+    dd_run_check(check)
+    cloudera_cm_client.assert_called_once_with(
+        mock.ANY,
+        api_url='http://localhost:8080/api/v48/',
+        workload_username='~',
+        workload_password='~',
+        max_parallel_requests=4,
+        verify_ssl=True,
+        ssl_ca_cert='ssl_ca_cert_path',
+        cert_file='cert_file_path',
+        key_file='key_file_path',
+    )