Skip to content
This repository has been archived by the owner on Sep 20, 2022. It is now read-only.

Add option to add custom CA file #25

Open
dol opened this issue Jun 10, 2017 · 6 comments
Open

Add option to add custom CA file #25

dol opened this issue Jun 10, 2017 · 6 comments
Assignees

Comments

@dol
Copy link

dol commented Jun 10, 2017

When using the self signed certificate for the rancher server the rancher-exporter fails with the following message:

10/06/2017 19:15:13ERRO[0013] Error Collecting JSON from API: Get https://cm-rancher01.mydomain.lan/v1/environments/: x509: certificate signed by unknown authority
10/06/2017 19:15:13panic: Get https://cm-rancher01.mydomain.lan/v1/environments/: x509: certificate signed by unknown authority

The rancher team fixes this by updating the CA list on the startup. https://github.com/rancher/rancher/blob/master/server/bin/update-rancher-ssl#L10

This requires that the container has access to the file /var/lib/rancher/etc/ssl/ca.crt. The rancher Cattle containers mount /var/lib/rancher into the container.

@Rucknar Rucknar self-assigned this Jun 16, 2017
@Rucknar
Copy link
Contributor

Rucknar commented Jun 16, 2017

Thanks for the issue ticket @dol

Just having a think about this, i'm not sure i'm keen on mounting in file systems directly from the rancher server, that would restrict where this could be run. I've been discussing with Rancher and we are considering obtaining this information from the rancher-metadata service instead.

That would resolve this issue, though i've not had chance to think it through.

@dol
Copy link
Author

dol commented Jun 16, 2017

@Rucknar This idea is also in my favor. This makes the exporter less dependent on the context.

@kchoate
Copy link

kchoate commented Jun 28, 2017

Would be excellent if this followed existing patterns and allow me to map a ca.crt into the container in my docker-compose etc, doesn't matter where it's from, it's a container.

@rgruyters
Copy link

Is there a workaround to use this?

@Rucknar
Copy link
Contributor

Rucknar commented Sep 19, 2017

Update: Usage of the metadata service is somewhat at a stand-still. There is an updated branch with working code, but some of the key metrics are missing and require changes in rancher its-self to proceed.

Given that, i'd think it's worth forking off master to add in support. I'm not going to have time to look at this right now, open to a PR though for anyone wishing to give it the time.

@colemanjackson
Copy link

Has anyone attempted to resolve this issue since then? Looks like any third party service I try to use in my rancher env can't use self-signed certs, still.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants