Feature request - consul_sd_configs to support its own tls_config #2365

Closed
dragonsmith opened this Issue Jan 24, 2017 · 2 comments

dragonsmith commented Jan 24, 2017

Hello!

I have a Prometheus 1.4.1 instance running inside Kubernetes.

I also run a Consul cluster secured by TLS encryption:

{
  "bind_addr": "0.0.0.0",
  "bootstrap_expect": 3,
  "ca_file": "/etc/consul/ssl/CA/ca.crt",
  "cert_file": "/etc/consul/ssl/certs/consul.crt",
  "key_file": "/etc/consul/ssl/private/consul.key",
  "client_addr": "127.0.0.1",
  "datacenter": "main-dc",
  "disable_remote_exec": true,
  "enable_syslog": true,
  "encrypt": "<key>",
  "node_name": "web01",
  "addresses": {
    "https": "0.0.0.0"
  },
  "ports": {
    "dns": 8600,
    "http": 8500,
    "https": 8443,
    "rpc": 8400,
    "serf_lan": 8301,
    "serf_wan": 8302,
    "server": 8300
  },
  "server": true,
  "server_name": "web01.example.com",
  "start_join": [
    "web01.example.com",
    "web02.example.com",
    "web03.example.com"
  ],
  "ui": true,
  "verify_incoming": true,
  "verify_outgoing": true
}

The goal is: to scrape consul for node-exporters and monitor them with my Prometheus.

      consul_sd_configs:
      - server: web01.example.com:8443
        datacenter: main-dc
        services: [node_exporter_main]
        scheme: https

That configuration fails with an error:

time="2017-01-24T11:04:38Z" level=error msg="Error refreshing service list: Get https://web01.example.com:8443/v1/catalog/services?dc=main-dc&wait=30000ms: x509: certificate signed by unknown authority" source="consul.go:157"

I've gone further and added my CA.crt to ca-certificates.crt and got a new error:

time="2017-01-24T12:32:51Z" level=error msg="Error refreshing service list: Get https://web01.example.com:8443/v1/catalog/services?dc=main-dc&wait=30000ms: remote error: tls: bad certificate" source="consul.go:157"

Which is obvious: Prometheus knows nothing about the client cert/key pair which is used for authentication.

I can try to curl the same request by hand like this:

curl -v  --cacert /etc/consul/ssl/CA/ca.crt --cert /etc/consul/ssl/certs/consul.crt --key /etc/consul/ssl/private/consul.key 'https://web01.example.com:8443/v1/catalog/services?dc=main-dc&wait=30000ms'

And that works as it was intended to.

Is it possible to add a custom tls_config to consul_sd_configs as we have in kubernetes_sd_configs?

Thanks in advance!

juliusv commented Mar 20, 2017

This has been fixed in #2479 - closing.

@juliusv juliusv closed this Mar 20, 2017
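
An added example, not part of the original thread or the project's own documentation: a scrape configuration using the `tls_config` block that `consul_sd_configs` accepts in Prometheus releases that include this feature, with each setting mapped to the error it resolves. The job name, the file paths and the use of a separate client certificate for Prometheus are assumptions.

```yaml
# Added example. Job name and file paths are assumed placeholders.
scrape_configs:
  - job_name: node_exporter_main            # assumed name
    consul_sd_configs:
      - server: web01.example.com:8443
        datacenter: main-dc
        services: [node_exporter_main]
        scheme: https
        # Applies only to the service-discovery requests sent to Consul,
        # not to the scrapes of the discovered targets.
        tls_config:
          # CA that signed the Consul server certificate. Without it the
          # client rejects the server:
          #   x509: certificate signed by unknown authority
          ca_file: /etc/prometheus/consul-tls/ca.crt
          # Client certificate and key. Consul runs with
          # "verify_incoming": true, so without them the server rejects
          # the client:
          #   remote error: tls: bad certificate
          # Assumption: a certificate issued to Prometheus by the same CA,
          # mounted read-only (for example from a Kubernetes Secret),
          # rather than a copy of the Consul server's private key.
          cert_file: /etc/prometheus/consul-tls/prometheus.crt
          key_file: /etc/prometheus/consul-tls/prometheus.key
          # Name that must match the Consul server certificate.
          server_name: web01.example.com
          # Leave verification on. Turning it off would silence the first
          # error without authenticating the Consul server.
          insecure_skip_verify: false
```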

lock bot commented Mar 23, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked and limited conversation to collaborators Mar 23, 2019
