prometheus-nats-exporter
Unable to disable ssl validation
EDITED: I'm running the exporter in an isolated environment running version 0.6.0. I connect to my nats server through a reverse proxy that only exposes an https endpoint, but the nats server has a cert signed by a private CA. I don't see an option to disable cert validation, and looking through the code, I see the following comment at collector/collector.go line 272, which I take to refer to the feature I'm looking for:
// TODO: Potentially add TLS config in the transport.
It would be nice to have this, but even the ability to disable cert validation would be a help. I'm not a golang dev, but with a little googling I came up with this change. It works for me, but I don't know if this is the proper way to do it.
This is a diff on the master branch
diff --git a/collector/collector.go b/collector/collector.go
index fb00ad2..9c2e7f9 100644
--- a/collector/collector.go
+++ b/collector/collector.go
@@ -18,6 +18,7 @@ import (
"encoding/json"
"io/ioutil"
"net/http"
+ "crypto/tls"
"strings"
"sync"
"time"
@@ -270,6 +271,7 @@ func (nc *NATSCollector) initMetricsFromServers(namespace string) {
func newNatsCollector(system, endpoint string, servers []*CollectedServer) prometheus.Collector {
// TODO: Potentially add TLS config in the transport.
tr := &http.Transport{}
+ //Obtained from https://stackoverflow.com/a/12122718/2036650
+ tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
hc := &http.Client{Transport: tr}
nc := &NATSCollector{
httpClient: hc,
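Review bot: `InsecureSkipVerify: true` on `tr.TLSClientConfig` is unconditional, so every connection the collector makes through `hc` stops verifying the server certificate and hostname, including deployments where verification works today. Make it opt-in behind a configuration option that defaults to verification on, and prefer populating `RootCAs` from a user-supplied CA file so a private CA can be trusted without switching verification off. The hunk header also says +271,7 while two lines are added, so the counts need regenerating before the patch applies.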
I did find a workaround that enables me to verify the server cert against my private CA. I just volume-map /etc/pki from the host to the docker container, and the collector apparently uses the trust chains defined in that directory tree. Previously, I didn't realize it would do this, since there is a way to specify a path to the CA for client connections to the exporter but not for server connections made by the collector.
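The alternative to `InsecureSkipVerify` that the `// TODO` in the diff points at, as an added example (not the exporter's code and not from the issue author): a transport that trusts a private CA bundle in addition to the system roots, with verification left on. `newScrapeTransport` and `scrape` are hypothetical names, and a constructed local test server stands in for the HTTPS reverse proxy.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newScrapeTransport is a hypothetical helper, not exporter code. It trusts the
// system roots plus the private CA in caPEM and keeps verification enabled.
func newScrapeTransport(caPEM []byte) (*http.Transport, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool() // no usable system store: private CA only
	}
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("no PEM certificate found in CA bundle")
	}
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	return &http.Transport{TLSClientConfig: cfg}, nil
}

// scrape fetches url through tr and returns the HTTP status code.
func scrape(tr *http.Transport, url string) (int, error) {
	resp, err := (&http.Client{Transport: tr}).Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	// Constructed stand-in for the HTTPS proxy; its cert is in no system trust store.
	srv := httptest.NewTLSServer(http.NotFoundHandler())
	defer srv.Close()
	ca := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	_, err := scrape(&http.Transport{}, srv.URL)
	fmt.Println("default trust store:", err)
	tr, err := newScrapeTransport(ca)
	if err != nil {
		panic(err)
	}
	code, err := scrape(tr, srv.URL)
	fmt.Println("private CA added:", code, err)
}
```

The first request fails certificate verification; the second succeeds because the server's certificate chains to the supplied bundle, and hostname checking still applies.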