Please add support for custom CA certificates
AngryMandragora opened this issue · 7 comments
I have a cluster whose web server certificates are signed by a custom CA, and the method you describe in the documentation doesn't work for Docker without creating my own image (which I want to avoid, since that kind of nullifies the advantage of using a provided Docker image).
I don't want to disable TLS_VERIFY since we are using a proper infrastructure.
Could you add an option to use a specific CA certificate chain for a server (like ca_certificate_file or something)?
It should be possible to add custom CA certs to the system hosting your exporter ... the README states:
When operating PVE with self-signed certificates, then it is necessary to either import the certificate into the local trust store (see this SE answer for Debian/Ubuntu) or add verify_ssl: false to the config dict as a sibling to the credentials. Note that PVE supports Let's Encrypt out of the box. In many cases setting up trusted certificates is the better option than operating with self-signed certs.
This looks about right:
https://askubuntu.com/questions/1007233/importing-root-ca-certificate-in-linux/1007236#1007236
In case of Docker the host OS' certificate doesn't matter, and I don't want to add it to the Docker image as stated above.
There is little reason to muck around with the certificate trust store on an application level. I recommend solving this issue using either a volume or a bind mount in order to modify or replace /etc/ssl/certs inside the container. Please use stackoverflow or your favorite container runtime community (podman, k8s, docker) to get help with that.
It's not about the certificate trust store, that's exactly what I want to avoid.
It's about using a specific CA certificate to connect to a specific server.
Just like the case with SSL exporter for Prometheus (https://github.com/ribbybibby/ssl_exporter):
```
<tls_config>
# The CA cert to use for the targets.
[ ca_file: <filename> ]
```
Here's an example from SSL exporter (the config we're using, names changed of course):
```yaml
default_module: https
modules:
  https:
    prober: https
  https_domain_one:
    prober: https
    tls_config:
      ca_file: /etc/ssl_exporter/domain_one.crt
  https_domain_two:
    prober: https
    tls_config:
      ca_file: /etc/ssl_exporter/domain_two.crt
  https_sectigo:
    prober: https
    tls_config:
      ca_file: /etc/ssl_exporter/sectigo.crt
  tcp_insecure:
    prober: tcp
    tls_config:
      insecure_skip_verify: true
```
This way you don't have to change anything inside a Docker container (Debian needs to have links to the certificates in the same directory, pointing to them with their checksum as extension), you can just bind mount files (or a directory containing all of them) and tell the exporter where they are in the config file.
Managing this is way easier with automation tools (Ansible in our case).
In the end, the YAML file for PVE Exporter could look like this:
```yaml
default:
  user: "prometheus@pve"
  token_name: "prometheus"
  token_value: "TOKEN"
  verify_ssl: true
  ca_file: <filename>
```
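An added example, not part of this issue thread and not code from the PVE exporter or ssl_exporter, that demonstrates the two mechanisms the thread is comparing: validating a server certificate against exactly one CA file (what a per-server `ca_file` option does) versus against an OpenSSL hashed trust directory of the kind found under /etc/ssl/certs (what a bind mount over that directory has to contain, with each CA linked as `<subject_hash>.0`). It builds two throwaway private CAs and one server certificate per CA in a temp directory using only the `openssl` CLI; the CA names and the hostnames `pve.example.internal` and `other.example.internal` are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the issue or the exporter). Requires the openssl CLI.
# All keys and certificates are throwaway and live in a temporary directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA: $1 = output basename, $2 = CA common name.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -subj "/CN=$2" >/dev/null 2>&1
}

# Issue a server certificate for hostname $2, signed by CA $1.
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" \
        -subj "/CN=$2" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$2.csr" -days 1 \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.pem" >/dev/null 2>&1
}

# Verify server cert $2 against the single CA file $1 and nothing else
# (-no-CAfile/-no-CApath keep the system store out of the picture).
# This is the behaviour a per-target ca_file option gives you.
verify_with_cafile() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build a hashed trust directory $1 from the CA files $2...: each CA is
# linked as <subject_hash>.0, the layout OpenSSL (and Debian's
# /etc/ssl/certs) expects when a directory is used as a trust store.
build_trust_dir() {
    dir=$1; shift
    mkdir -p "$dir"
    for ca in "$@"; do
        hash=$(openssl x509 -noout -subject_hash -in "$ca")
        ln -sf "$ca" "$dir/$hash.0"
    done
}

# Verify server cert $2 against the hashed trust directory $1 only.
verify_with_capath() {
    openssl verify -no-CAfile -no-CApath -CApath "$1" "$2" >/dev/null 2>&1
}

# Constructed demo data: two private CAs, one server certificate each.
make_ca ca-one "Domain One Private CA"
make_ca ca-two "Domain Two Private CA"
make_server_cert ca-one pve.example.internal
make_server_cert ca-two other.example.internal
build_trust_dir "$WORK/certs" "$WORK/ca-one.pem" "$WORK/ca-two.pem"

# Report which CA file validates which server: each server cert is only
# valid under its own CA, which is the point of per-server pinning.
for host in pve.example.internal other.example.internal; do
    for ca in ca-one ca-two; do
        if verify_with_cafile "$WORK/$ca.pem" "$WORK/$host.pem"; then
            echo "$host: valid under $ca"
        else
            echo "$host: NOT valid under $ca"
        fi
    done
    if verify_with_capath "$WORK/certs" "$WORK/$host.pem"; then
        echo "$host: valid under hashed trust dir $WORK/certs"
    fi
done
```

The trust-directory variant is what a bind mount over /etc/ssl/certs must reproduce: dropping a `.pem` file into the directory is not enough, the `<subject_hash>.0` link has to exist or OpenSSL will not find the CA. The `-CAfile` variant needs no such layout, which is why a `ca_file` config key is simpler to manage from automation than a mounted trust store.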