Merge branch 'dev'

README.md

@@ -356,6 +356,11 @@ make release-docker-multi-arch
     # Root CA to validate client certificates (for mutual TLS)
     root_ca = ""
 
+    # Golang - refer documentation https://pkg.go.dev/crypto/tls#pkg-constants of golang CipherSuites for TLS >=1.2 (both supported and Insecure)
+    # a comma separated TLS Cipher suites to use, example: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
+    # NOTE: Cipher configuration is support only till TLS1.2 verison and not possible in TLS1.3
+    tls_cipher_suites = ""
+
     # Passphrase for encrypted key_file. Supports below formats,
     # 1. Passphrase directly                                                      - "<passphrase>"
     # 2. Passphrase via file                                                      - "file:<file-that-contains-passphrase>"
@@ -374,7 +379,8 @@ make release-docker-multi-arch
     basic_auth_username=""
     basic_auth_password=""
     ```
-
+- NOTE: Minimum TLS version is 1.2, tls_cipher_suites can be configured only upto TLS1.2
+
 - Use users' allowlist and blocklist configuration to filter out the users for which the statistics are to be fetched. The user statistics are available in Aerospike 5.6+. To fetch user statistics, the authenticated user must have `user-admin` privilege.
     ```toml
     [Aerospike]

configs/ape.toml

@@ -40,6 +40,11 @@
       # Root CA to validate client certificates (for mutual TLS)
       root_ca = ""
 
+      # a comma separated TLS Cipher suites to use, example: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
+      # Golang - refer documentation https://pkg.go.dev/crypto/tls#pkg-constants of golang CipherSuites for TLS >=1.2 (both supported and Insecure)
+      # NOTE: Cipher configuration is support only till TLS1.2 verison and not possible in TLS1.3
+      tls_cipher_suites = ""
+
       # Passphrase for encrypted key_file. Supports below formats,
       # 1. Passphrase directly                                                      - "<passphrase>"
       # 2. Passphrase via file                                                      - "file:<file-that-contains-passphrase>"

configs/gauge_stats_list.toml

@@ -244,6 +244,7 @@ namespace_gauge_stats =[
 	"data_used_pct",
 	"index_mounts_used_pct",
 	"index_used_bytes",
+	"indexes_memory_used_pct",
 	"set_index_used_bytes",
 	"sindex_mounts_used_pct",
 	"sindex_used_bytes",

internal/pkg/commons/utils.go

@@ -327,3 +327,49 @@ func HandleSignals() {
 		}
 	}()
 }
+
+// Utility method fetch the support Cipher in the Golang/OS combination
+//
+//	from configures ciphers in ape.toml, filters the matched and valid-ciphers
+//	Ciphers are configurable only upto TLS 1.2 version
+func GetConfiguredCipherSuiteIds() []uint16 {
+	supportedCipherSuites := loadCipherSuitesList()
+	log.Trace("Supported CipherSuites ", supportedCipherSuites)
+
+	cipherSuiteIds := []uint16{}
+
+	if len(strings.Trim(config.Cfg.Agent.TlsCipherSuites, " ")) > 0 {
+		return cipherSuiteIds
+	}
+
+	log.Trace("Configured Cipher Suite Names : ", config.Cfg.Agent.TlsCipherSuites)
+	configuredCipherSuites := strings.Split(config.Cfg.Agent.TlsCipherSuites, ",")
+
+	for _, cipherName := range configuredCipherSuites {
+		cipherName = strings.Trim(cipherName, " ")
+
+		if len(cipherName) == 0 {
+			continue
+		}
+
+		id, ok := supportedCipherSuites[strings.ToUpper(cipherName)]
+		if !ok {
+			log.Error("Unrecognized TLS Cipher Name, ignoring : ", cipherName)
+		} else {
+			cipherSuiteIds = append(cipherSuiteIds, id)
+		}
+
+	}
+
+	return cipherSuiteIds
+}
+
+func loadCipherSuitesList() map[string]uint16 {
+	supportedCipherSuites := make(map[string]uint16)
+	// supported secure cipher suites
+	for _, suite := range tls.CipherSuites() {
+		supportedCipherSuites[suite.Name] = suite.ID
+	}
+
+	return supportedCipherSuites
+}

internal/pkg/config/config.go

@@ -34,6 +34,7 @@ type Config struct {
 		KeyFile           string `toml:"key_file"`
 		RootCA            string `toml:"root_ca"`
 		KeyFilePassphrase string `toml:"key_file_passphrase"`
+		TlsCipherSuites   string `toml:"tls_cipher_suites"`
 
 		BasicAuthUsername string `toml:"basic_auth_username"`
 		BasicAuthPassword string `toml:"basic_auth_password"`

internal/pkg/executors/prometheus_httplistener.go

@@ -112,10 +112,12 @@ func initExporterTLS() *tls.Config {
 		log.Fatal(err)
 	}
 
+	// Golang docs -- https://pkg.go.dev/crypto/tls#section-documentation
 	tlsConfig := &tls.Config{
 		Certificates:             serverPool,
 		MinVersion:               tls.VersionTLS12,
 		CurvePreferences:         []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
+		CipherSuites:             commons.GetConfiguredCipherSuiteIds(),
 		PreferServerCipherSuites: true,
 		InsecureSkipVerify:       false,
 	}