[Hawkular-dev] OpenShift agent - multiple identity for certs
Gareth Healy
garethahealy at gmail.com
Sun Dec 25 04:56:17 EST 2016
One of the first services I am trying to monitor is etcd. etcd in OCP is
configured as per the below:
/var/lib/origin/openshift.local.config/master/master-config.yaml
etcdClientInfo:
  ca: ca.crt
  certFile: master.etcd-client.crt
  keyFile: master.etcd-client.key
  urls:
  - https://10.2.2.2:4001
Which responds with the below cURL:
curl https://10.2.2.2:4001/metrics --cacert ./ca.crt --cert ./master.etcd-client.crt --key ./master.etcd-client.key
So without the "Identity" configuration section set on the agent config,
I'd get a TLS error. As etcd is a core part of OCP, I don't have much
control over the client certs and expect there might be other services
which require the same setup using different certs that I might want to
monitor.
Hope that makes things clear, and Merry Christmas.
Cheers.
On Sat, Dec 24, 2016 at 3:30 PM, John Mazzitelli <mazz at redhat.com> wrote:
> > Currently it seems you can only provide the agent configmap with the
> > identity field. But what I want to actually do, is provide this based on
> > the pods config map
> > [chomp]
> > Is that possible? or planned for the future?
>
> I was hoping this wasn't going to be needed :) But we did talk about it.
>
> It is not possible today because there is one major problem with what you
> suggest that would need to be solved somehow:
>
> > cert_file: /var/run/secrets/client-crt/client.crt
> > private_key_file: /var/run/secrets/client-key/client.key
>
> That is inside your configmap on your OpenShift project (which may or may
> not be the same project where the agent is deployed).
>
> So - what file system is that actually referring to? And how does the
> agent get access to those files?
> _______________________________________________
> hawkular-dev mailing list
> hawkular-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/hawkular-dev
>
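Added example, not code from this thread or from the Hawkular OpenShift agent: a Go program showing why a request without a client identity fails against an endpoint that, like the etcd listener above, demands a client certificate, and how a client built per endpoint with its own trust roots and identity succeeds. The helper names clientFor and mtlsEndpoint, the local test server standing in for etcd, and the self-signed client certificate are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// clientFor (hypothetical helper) builds one endpoint's client: its own roots, optional identity.
func clientFor(roots *x509.CertPool, identity ...tls.Certificate) *http.Client {
	cfg := &tls.Config{RootCAs: roots, Certificates: identity}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// mtlsEndpoint starts a local stand-in for etcd that requires a constructed, self-signed client cert.
func mtlsEndpoint() (*httptest.Server, *x509.CertPool, tls.Certificate) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	leaf, err := x509.ParseCertificate(der) // also fails when creation failed and der is nil
	if err != nil {
		panic(err)
	}
	clientCAs, roots := x509.NewCertPool(), x509.NewCertPool()
	clientCAs.AddCert(leaf) // the server accepts only this client certificate
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientCAs}
	srv.StartTLS()
	roots.AddCert(srv.Certificate()) // clients trust only this server certificate
	return srv, roots, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

func main() {
	srv, roots, id := mtlsEndpoint()
	defer srv.Close()
	_, err := clientFor(roots).Get(srv.URL + "/metrics")
	fmt.Println("without identity:", err) // the server rejects the handshake
	if resp, err := clientFor(roots, id).Get(srv.URL + "/metrics"); err == nil {
		fmt.Println("with identity:", resp.Status, resp.Body.Close())
	}
}
```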