Prometheus push gateway: opt-out of the default tls provider

This is a follow up to metrics-rs#516,
metrics-rs#516 (comment).

This change makes it possible for downstream projects to opt-out of
the default rustls provider (aws-lc-rs).

Hopefully closes metrics-rs#515

Author: akhramov

Cargo.lock

@@ -34,7 +34,7 @@ hashbrown = { version = "0.15", default-features = false, features = ["default-h
 hdrhistogram = { version = "7.2", default-features = false }
 http-body-util = { version = "0.1", default-features = false }
 hyper = { version = "1.1", default-features = false, features = ["server", "client"] }
-hyper-rustls = { version = "0.27", default-features = false, features = ["aws-lc-rs", "http1", "rustls-native-certs"] }
+hyper-rustls = { version = "0.27", default-features = false, features = ["http1", "rustls-native-certs"] }
 hyper-util = { version = "0.1", default-features = false, features = ["tokio", "service", "client", "client-legacy", "http1"] }
 indexmap = { version = "2.6", default-features = false, features = ["std"] }
 ipnet = { version = "2", default-features = false, features = ["std"] }
@@ -66,6 +66,7 @@ radix_trie = { version = "0.2", default-features = false }
 rand = { version = "0.9", default-features = false, features = [ "thread_rng" ] }
 rand_xoshiro = { version = "0.7", default-features = false }
 ratatui = { version = "0.28", default-features = false }
+rustls = { version = "0.23", default-features = false }
 sketches-ddsketch = { version = "0.3", default-features = false }
 thiserror = { version = "2", default-features = false }
 tokio = { version = "1", default-features = false, features = ["rt", "net", "time", "rt-multi-thread"] }

Cargo.toml

@@ -20,9 +20,16 @@ default = ["http-listener", "push-gateway"]
 async-runtime = ["tokio", "hyper-util/tokio"]
 http-listener = ["async-runtime", "ipnet", "tracing", "_hyper-server"]
 uds-listener = ["http-listener"]
-push-gateway = ["async-runtime", "tracing", "_hyper-client"]
+push-gateway = ["_push-gateway-common", "hyper-rustls/aws-lc-rs"]
+push-gateway-no-tls-provider = ["_push-gateway-common"]
 protobuf = ["mime", "prost", "prost-types", "prost-build"]
 _hyper-server = ["http-body-util", "hyper/server", "hyper-util/server-auto"]
+_push-gateway-common = [
+     "async-runtime",
+     "rustls",
+     "tracing",
+     "_hyper-client",
+]
 _hyper-client = [
     "http-body-util",
     "hyper/client",
@@ -34,10 +41,12 @@ _hyper-client = [
 
 [dependencies]
 base64 = { workspace = true }
-http-body-util = { workspace = true, optional = true }
+quanta = { workspace = true }
+thiserror = { workspace = true }
 
 # Optional
 hyper = { workspace = true, optional = true }
+http-body-util = { workspace = true, optional = true }
 hyper-rustls = { workspace = true, optional = true }
 hyper-util = { workspace = true, optional = true }
 indexmap = { workspace = true }
@@ -48,8 +57,7 @@ metrics-util = { version = "^0.20", path = "../metrics-util", default-features =
     "registry",
     "storage",
 ] }
-quanta = { workspace = true }
-thiserror = { workspace = true }
+rustls = { workspace = true, optional = true }
 tokio = { workspace = true, optional = true }
 tracing = { workspace = true, optional = true }
 

metrics-exporter-prometheus/Cargo.toml

@@ -1,15 +1,15 @@
 use std::collections::HashMap;
-#[cfg(feature = "push-gateway")]
+#[cfg(any(feature = "push-gateway", feature = "push-gateway-no-tls-provider"))]
 use std::convert::TryFrom;
 #[cfg(feature = "http-listener")]
 use std::net::{IpAddr, Ipv4Addr, SocketAddr};
 use std::num::NonZeroU32;
 use std::sync::RwLock;
-#[cfg(any(feature = "http-listener", feature = "push-gateway"))]
+#[cfg(any(feature = "http-listener", feature = "push-gateway", feature = "push-gateway-no-tls-provider"))]
 use std::thread;
 use std::time::Duration;
 
-#[cfg(feature = "push-gateway")]
+#[cfg(any(feature = "push-gateway", feature = "push-gateway-no-tls-provider"))]
 use hyper::Uri;
 use indexmap::IndexMap;
 #[cfg(feature = "http-listener")]
@@ -29,13 +29,13 @@ use crate::registry::AtomicStorage;
 use crate::{common::BuildError, PrometheusHandle};
 
 use super::ExporterConfig;
-#[cfg(any(feature = "http-listener", feature = "push-gateway"))]
+#[cfg(any(feature = "http-listener", feature = "push-gateway", feature = "push-gateway-no-tls-provider"))]
 use super::ExporterFuture;
 
 /// Builder for creating and installing a Prometheus recorder/exporter.
 #[derive(Debug)]
 pub struct PrometheusBuilder {
-    #[cfg_attr(not(any(feature = "http-listener", feature = "push-gateway")), allow(dead_code))]
+    #[cfg_attr(not(any(feature = "http-listener", feature = "push-gateway", feature = "push-gateway-no-tls-provider")), allow(dead_code))]
     exporter_config: ExporterConfig,
     #[cfg(feature = "http-listener")]
     allowed_addresses: Option<Vec<IpNet>>,
@@ -120,8 +120,8 @@ impl PrometheusBuilder {
     /// If the given endpoint cannot be parsed into a valid URI, an error variant will be returned describing the error.
     ///
     /// [push gateway]: https://prometheus.io/docs/instrumenting/pushing/
-    #[cfg(feature = "push-gateway")]
-    #[cfg_attr(docsrs, doc(cfg(feature = "push-gateway")))]
+    #[cfg(any(feature = "push-gateway", feature = "push-gateway-no-tls-provider"))]
+    #[cfg_attr(docsrs, doc(cfg(any(feature = "push-gateway", feature = "push-gateway-no-tls-provider"))))]
     pub fn with_push_gateway<T>(
         mut self,
         endpoint: T,
@@ -399,8 +399,8 @@ impl PrometheusBuilder {
     ///
     /// If there is an error while either building the recorder and exporter, or installing the recorder and exporter,
     /// an error variant will be returned describing the error.
-    #[cfg(any(feature = "http-listener", feature = "push-gateway"))]
-    #[cfg_attr(docsrs, doc(cfg(any(feature = "http-listener", feature = "push-gateway"))))]
+    #[cfg(any(feature = "http-listener", feature = "push-gateway", feature = "push-gateway-no-tls-provider"))]
+    #[cfg_attr(docsrs, doc(cfg(any(feature = "http-listener", feature = "push-gateway", feature = "push-gateway-no-tls-provider"))))]
     pub fn install(self) -> Result<(), BuildError> {
         use tokio::runtime;
 
@@ -476,8 +476,8 @@ impl PrometheusBuilder {
     /// If there is an error while building the recorder and exporter, an error variant will be returned describing the
     /// error.
     #[warn(clippy::too_many_lines)]
-    #[cfg(any(feature = "http-listener", feature = "push-gateway"))]
-    #[cfg_attr(docsrs, doc(cfg(any(feature = "http-listener", feature = "push-gateway"))))]
+    #[cfg(any(feature = "http-listener", feature = "push-gateway", feature = "push-gateway-no-tls-provider"))]
+    #[cfg_attr(docsrs, doc(cfg(any(feature = "http-listener", feature = "push-gateway", feature = "push-gateway-no-tls-provider"))))]
     #[cfg_attr(not(feature = "http-listener"), allow(unused_mut))]
     pub fn build(mut self) -> Result<(PrometheusRecorder, ExporterFuture), BuildError> {
         #[cfg(feature = "http-listener")]
@@ -516,7 +516,7 @@ impl PrometheusBuilder {
                     }
                 },
 
-                #[cfg(feature = "push-gateway")]
+                #[cfg(any(feature = "push-gateway", feature = "push-gateway-no-tls-provider"))]
                 ExporterConfig::PushGateway {
                     endpoint,
                     interval,

metrics-exporter-prometheus/src/exporter/builder.rs

@@ -1,27 +1,27 @@
 #[cfg(feature = "http-listener")]
 use http_listener::HttpListeningError;
-#[cfg(any(feature = "http-listener", feature = "push-gateway"))]
+#[cfg(any(feature = "http-listener", feature = "push-gateway", feature = "push-gateway-no-tls-provider"))]
 use std::future::Future;
 #[cfg(feature = "http-listener")]
 use std::net::SocketAddr;
-#[cfg(any(feature = "http-listener", feature = "push-gateway"))]
+#[cfg(any(feature = "http-listener", feature = "push-gateway", feature = "push-gateway-no-tls-provider"))]
 use std::pin::Pin;
-#[cfg(feature = "push-gateway")]
+#[cfg(any(feature = "push-gateway", feature = "push-gateway-no-tls-provider"))]
 use std::time::Duration;
 
-#[cfg(feature = "push-gateway")]
+#[cfg(any(feature = "push-gateway", feature = "push-gateway-no-tls-provider"))]
 use hyper::Uri;
 
 /// Error types possible from an exporter
-#[cfg(any(feature = "http-listener", feature = "push-gateway"))]
+#[cfg(any(feature = "http-listener", feature = "push-gateway", feature = "push-gateway-no-tls-provider"))]
 #[derive(Debug)]
 pub enum ExporterError {
     #[cfg(feature = "http-listener")]
     HttpListener(HttpListeningError),
     PushGateway(()),
 }
 /// Convenience type for Future implementing an exporter.
-#[cfg(any(feature = "http-listener", feature = "push-gateway"))]
+#[cfg(any(feature = "http-listener", feature = "push-gateway", feature = "push-gateway-no-tls-provider"))]
 pub type ExporterFuture = Pin<Box<dyn Future<Output = Result<(), ExporterError>> + Send + 'static>>;
 
 #[cfg(feature = "http-listener")]
@@ -40,7 +40,7 @@ enum ExporterConfig {
 
     // Run a push gateway task sending to the given `endpoint` after `interval` time has elapsed,
     // infinitely.
-    #[cfg(feature = "push-gateway")]
+    #[cfg(any(feature = "push-gateway", feature = "push-gateway-no-tls-provider"))]
     PushGateway {
         endpoint: Uri,
         interval: Duration,
@@ -54,12 +54,12 @@ enum ExporterConfig {
 }
 
 impl ExporterConfig {
-    #[cfg_attr(not(any(feature = "http-listener", feature = "push-gateway")), allow(dead_code))]
+    #[cfg_attr(not(any(feature = "http-listener", feature = "push-gateway", feature = "push-gateway-no-tls-provider")), allow(dead_code))]
     fn as_type_str(&self) -> &'static str {
         match self {
             #[cfg(feature = "http-listener")]
             Self::HttpListener { .. } => "http-listener",
-            #[cfg(feature = "push-gateway")]
+            #[cfg(any(feature = "push-gateway", feature = "push-gateway-no-tls-provider"))]
             Self::PushGateway { .. } => "push-gateway",
             Self::Unconfigured => "unconfigured,",
         }
@@ -69,7 +69,7 @@ impl ExporterConfig {
 #[cfg(feature = "http-listener")]
 mod http_listener;
 
-#[cfg(feature = "push-gateway")]
+#[cfg(any(feature = "push-gateway", feature = "push-gateway-no-tls-provider"))]
 mod push_gateway;
 
 pub(crate) mod builder;

metrics-exporter-prometheus/src/exporter/mod.rs

@@ -4,6 +4,7 @@ use http_body_util::{BodyExt, Collected, Full};
 use hyper::body::Bytes;
 use hyper::{header::HeaderValue, Method, Request, Uri};
 use hyper_util::{client::legacy::Client, rt::TokioExecutor};
+use rustls::crypto::CryptoProvider;
 use tracing::error;
 
 use super::ExporterFuture;
@@ -20,8 +21,10 @@ pub(super) fn new_push_gateway(
 ) -> ExporterFuture {
     let http_method = if use_http_post_method { Method::POST } else { Method::PUT };
     Box::pin(async move {
+        let provider = CryptoProvider::get_default()
+            .expect("no process-level CryptoProvider available -- call rustls' CryptoProvider::install_default() before this point");
         let https = hyper_rustls::HttpsConnectorBuilder::new()
-            .with_native_roots()
+            .with_provider_and_native_roots(provider.clone())
             .expect("no native root CA certificates found")
             .https_or_http()
             .enable_http1()
@@ -79,7 +82,7 @@ pub(super) fn new_push_gateway(
     })
 }
 
-#[cfg(feature = "push-gateway")]
+#[cfg(any(feature = "push-gateway", feature = "push-gateway-no-tls-provider"))]
 fn basic_auth(username: &str, password: Option<&str>) -> HeaderValue {
     use base64::prelude::BASE64_STANDARD;
     use base64::write::EncoderWriter;

metrics-exporter-prometheus/src/exporter/push_gateway.rs

@@ -126,8 +126,8 @@ pub use distribution::{Distribution, DistributionBuilder};
 
 mod exporter;
 pub use self::exporter::builder::PrometheusBuilder;
-#[cfg(any(feature = "http-listener", feature = "push-gateway"))]
-#[cfg_attr(docsrs, doc(cfg(any(feature = "http-listener", feature = "push-gateway"))))]
+#[cfg(any(feature = "http-listener", feature = "push-gateway", feature = "push-gateway-no-tls-provider"))]
+#[cfg_attr(docsrs, doc(cfg(any(feature = "http-listener", feature = "push-gateway", feature = "push-gateway-no-tls-provider"))))]
 pub use self::exporter::ExporterFuture;
 
 pub mod formatting;