[Hawkular-dev] OpenShift agent - multiple identity for certs

John Mazzitelli mazz at redhat.com
Sat Dec 24 14:32:32 EST 2016


BTW: I would like to know more about why you want this.

The "Identity" configuration identifies the agent (so having one key-pair makes sense - it identifies your agent. Having multiple key-pairs per agent will actually mean your agent has different identities depending on what endpoint it is talking to - not sure this is what we want).

If you have multiple Prometheus endpoints (each with their own server key/cert) I don't see why you would need different agent identities defined in your endpoints. The "identity" is the client's identification, nothing to do with the server, and a client should have one identity, not multiple.

Now, if the concern is that your different Prometheus endpoint server certs are signed by different CAs (or are all self-signed) that is a different issue I think. It is assumed the host's default root CA set would be good enough to verify server endpoints, but if not, we would need to provide the agent with all the CA certificates necessary for endpoints to be verified. Note: for the record, the agent doesn't do any server verification today - see https://github.com/hawkular/hawkular-openshift-agent/blob/master/http/http_client.go#L33 - so the agent should be able to collect metrics from any endpoint today.

In the future we would need to be able to provide the agent with a trust store that contains all the CA certs required to talk to all the endpoints, assuming the host's default root CA set is not good enough. This is what we haven't implemented yet. Probably something like "ca_cert_file" defined in the "Identity" section, which would mean the Identity section would not only tell the agent what its own key-pair is, but will also say what its trusted CAs are.

----- Original Message -----
> Currently it seems you can only provide the agent configmap with the identity
> field. But what I want to actually do, is provide this based on the pod's
> config map, i.e.:
> 
> data:
>   hawkular-openshift-agent: |
>     endpoints:
>     - type: prometheus
>       protocol: "https"
>       port: 9779
>       path: /metrics
>       collection_interval_secs: 5
>       metrics:
>       - name: my-first-metric
>         type: counter
>       identity:
>         cert_file: /var/run/secrets/client-crt/client.crt
>         private_key_file: /var/run/secrets/client-key/client.key
> 
> The reason being, I might have multiple Prometheus endpoints that have
> different certs.
> 
> Is that possible? Or planned for the future?
> 
> Cheers.
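As an added illustration of the trust-store idea discussed above (example code written for this page, not the agent's own http_client.go or anything from the Hawkular project), the following Go program builds one tls.Config from a single client key-pair plus a CA bundle, then exercises it against two constructed Prometheus-style endpoints whose server certificates are signed by different CAs. The ca_cert_file semantics, the NewTLSConfig and Demo names and the throwaway PKI are all assumptions made for the example; the agent does not implement them today.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// NewTLSConfig builds the agent's client-side TLS config from the contents of cert_file and
// private_key_file (one key-pair, so one identity presented to every endpoint) plus the proposed
// ca_cert_file bundle (assumed field). The bundle may hold several CAs, one per endpoint, so endpoints
// signed by different CAs need no extra identities; an empty bundle leaves RootCAs nil (host default roots).
func NewTLSConfig(certPEM, keyPEM, caBundlePEM []byte) (*tls.Config, error) {
	cert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return nil, fmt.Errorf("client identity: %w", err)
	}
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{cert}}
	if len(caBundlePEM) > 0 {
		cfg.RootCAs = x509.NewCertPool() // InsecureSkipVerify stays false: the server is verified
		if !cfg.RootCAs.AppendCertsFromPEM(caBundlePEM) {
			return nil, fmt.Errorf("ca bundle contains no parsable certificates")
		}
	}
	return cfg, nil
}

// keyPair and everything below are constructed fixtures (throwaway PKI, fake endpoints) so the example runs offline.
type keyPair struct {
	certPEM, keyPEM []byte // what cert_file / private_key_file (or ca_cert_file) would hold
	cert            *x509.Certificate
	key             *ecdsa.PrivateKey
}
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// mint issues a short-lived test certificate; parent == nil yields a self-signed CA.
func mint(cn string, parent *keyPair) *keyPair {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}, // httptest servers listen on loopback
	}
	if parent == nil { // a CA signs itself
		tmpl.IsCA, tmpl.KeyUsage, parent = true, tmpl.KeyUsage|x509.KeyUsageCertSign, &keyPair{cert: tmpl, key: key}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.cert, &key.PublicKey, parent.key))
	return &keyPair{cert: must(x509.ParseCertificate(der)), key: key,
		certPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		keyPEM:  pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: must(x509.MarshalECPrivateKey(key))})}
}

// newEndpoint starts a Prometheus-like server signed by serverCA that only admits clients chaining to agentCA.
func newEndpoint(name string, serverCA, agentCA *keyPair) *httptest.Server {
	leaf, clients := mint(name, serverCA), x509.NewCertPool()
	clients.AddCert(agentCA.cert)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "# metrics from", name) }))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.cert.Raw}, PrivateKey: leaf.key}},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clients}
	srv.StartTLS()
	return srv
}

// scrape returns nil only if the agent verified the server and the server accepted the agent's identity.
func scrape(cfg *tls.Config, url string) error {
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}).Get(url)
	if err == nil {
		resp.Body.Close()
	}
	return err
}

// Demo: two endpoints signed by different CAs, one agent identity, two trust bundles.
func Demo() (bothReached, unknownIssuerRejected bool) {
	caA, caB, agentCA := mint("endpoint-ca-a", nil), mint("endpoint-ca-b", nil), mint("agent-ca", nil)
	agent := mint("hawkular-openshift-agent", agentCA) // the single client identity
	epA, epB := newEndpoint("endpoint-a", caA, agentCA), newEndpoint("endpoint-b", caB, agentCA)
	defer func() { epA.Close(); epB.Close() }()
	full := must(NewTLSConfig(agent.certPEM, agent.keyPEM, append(append([]byte{}, caA.certPEM...), caB.certPEM...)))
	bothReached = scrape(full, epA.URL+"/metrics") == nil && scrape(full, epB.URL+"/metrics") == nil
	onlyA := must(NewTLSConfig(agent.certPEM, agent.keyPEM, caA.certPEM))
	unknownIssuerRejected = scrape(onlyA, epB.URL+"/metrics") != nil // x509: certificate signed by unknown authority
	return
}
func main() { fmt.Println(Demo()) } // prints: true true
```

With the two-CA bundle the one agent identity is accepted by both endpoints, which is the point of the message: the identity is the client's, the bundle is what decides which servers are trusted. With a bundle that trusts only CA A, the handshake to endpoint B fails with an unknown-authority error rather than succeeding silently, which is what InsecureSkipVerify would give you today.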

