Add option to add custom CA file
dol opened this issue · 6 comments
When using the self-signed certificate for the rancher server, the rancher-exporter fails with the following message:
10/06/2017 19:15:13ERRO[0013] Error Collecting JSON from API: Get https://cm-rancher01.mydomain.lan/v1/environments/: x509: certificate signed by unknown authority
10/06/2017 19:15:13panic: Get https://cm-rancher01.mydomain.lan/v1/environments/: x509: certificate signed by unknown authority
The rancher team fixes this by updating the CA list on the startup. https://github.com/rancher/rancher/blob/master/server/bin/update-rancher-ssl#L10
This requires that the container has access to the file /var/lib/rancher/etc/ssl/ca.crt. The rancher Cattle containers mount /var/lib/rancher into the container.
Thanks for the issue ticket @dol
Just having a think about this, I'm not sure I'm keen on mounting in file systems directly from the rancher server; that would restrict where this could be run. I've been discussing with Rancher and we are considering obtaining this information from the rancher-metadata service instead.
That would resolve this issue, though I've not had a chance to think it through.
@Rucknar This idea is also in my favor. This makes the exporter less dependent on the context.
Would be excellent if this followed existing patterns and allowed me to map a ca.crt into the container in my docker-compose etc. It doesn't matter where it's from, it's a container.
Is there a workaround to use this?
Update: Usage of the metadata service is somewhat at a standstill. There is an updated branch with working code, but some of the key metrics are missing and require changes in rancher itself to proceed.
Given that, I'd think it's worth forking off master to add in support. I'm not going to have time to look at this right now, open to a PR though for anyone wishing to give it the time.
Has anyone attempted to resolve this issue since then? Looks like any third party service I try to use in my rancher env can't use self-signed certs, still.