BTW: I would like to know more about why you want this.
The "Identity" configuration identifies the agent (so having one key-pair makes
sense - it identifies your agent. Having multiple key-pairs per agent will actually mean
your agent has different identities depending on what endpoint it is talking to - not sure
this is what we want).
If you have multiple Prometheus endpoints (each with their own server key/cert) I
don't see why you would need different agent identities defined in your endpoints. The
"identity" is the client's identification, nothing to do with the server,
and a client should have one identity, not multiple.
Now, if the concern is that your different Prometheus endpoint server certs are signed by
different CAs (or are all self-signed) that is a different issue I think. It is assumed
the host's default root CA set would be good enough to verify server endpoints, but if
not, we would need to provide the agent with all the CA certificates necessary for
endpoints to be verified. Note: for the record, the agent doesn't do any server
verification today - see
https://github.com/hawkular/hawkular-openshift-agent/blob/master/http/htt... -
so the agent should be able to collect metrics from any endpoint today.
In the future we would need to be able to provide the agent with a trust store that
contains all the CA certs required to talk to all the endpoints, assuming the host's
default root CA set is not good enough. This is what we haven't implemented yet.
Probably something like "ca_cert_file" defined in the "Identity"
section, which would mean the Identity section would not only tell the agent what its own
key-pair is, but will also say what its trusted CAs are.
----- Original Message -----
Currently it seems you can only provide the agent configmap with the identity
field. But what I want to actually do is provide this based on the pod's
config map, i.e.:
data:
  hawkular-openshift-agent: |
    endpoints:
    - type: prometheus
      protocol: "https"
      port: 9779
      path: /metrics
      collection_interval_secs: 5
      metrics:
      - name: my-first-metric
        type: counter
      identity:
        cert_file: /var/run/secrets/client-crt/client.crt
        private_key_file: /var/run/secrets/client-key/client.key
The reason being, I might have multiple Prometheus endpoints that have
different certs.
Is that possible? Or planned for the future?
Cheers.
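
The split the reply describes (one client identity, plus a set of trusted CAs for verifying endpoints) can be sketched in Go as follows. This is an added example, not code from the agent or from either poster. The names newClient, scrapeBoth and caBundle are hypothetical, caBundle stands in for the contents of the proposed, not yet implemented "ca_cert_file", and the endpoint is a constructed local test server with a self-signed certificate.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newClient builds an HTTPS client from one client key-pair (identity, may be nil)
// and caBundle, which may hold several concatenated PEM CA certificates.
func newClient(identity *tls.Certificate, caBundle []byte) (*http.Client, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if identity != nil {
		cfg.Certificates = []tls.Certificate{*identity}
	}
	if len(caBundle) > 0 {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caBundle) {
			return nil, fmt.Errorf("CA bundle holds no usable certificate")
		}
		cfg.RootCAs = pool // trust only the CAs listed in the bundle
	} // otherwise RootCAs stays nil and Go uses the host's default root CA set
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}, nil
}

// scrapeBoth scrapes a constructed self-signed endpoint twice: first with the
// host's default roots only, then with the endpoint's certificate in the bundle.
func scrapeBoth() (hostRootsErr, bundleErr error) {
	h := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "my_first_metric 1") })
	srv := httptest.NewTLSServer(h)
	defer srv.Close()
	bundle := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	try := func(ca []byte) error {
		c, err := newClient(nil, ca)
		if err != nil {
			return err
		}
		resp, err := c.Get(srv.URL)
		if err != nil {
			return err
		}
		return resp.Body.Close()
	}
	return try(nil), try(bundle)
}

func main() { fmt.Println(scrapeBoth()) }
```

The first scrape fails certificate verification because the self-signed endpoint is not in the host's root set; the second succeeds once its certificate is in the bundle, with the client identity unchanged in both cases.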