blackbox_exporter
Allow for the inclusion of inline certificates
This is a feature request.
In this context I use the word "certificates" to mean three different things: a CA certificate, a client certificate and its corresponding client key file.
Currently in order to specify certificates and keys as part of the TLS config, the user needs to specify a path to the certificate file. The mechanism is provided by prometheus/common. For BBE in particular, the files must be absolute paths or paths relative to the current working directory of blackbox_exporter.
This has a couple of drawbacks:
- it's hard to manage the configuration in a version control system
- users might want to maintain certificates specifically created for black box monitoring, so they might be stored in a different location than other certificates in the system
- users might not want to keep these certificates in the file system (they might be stored encrypted in a database)
It would be nice if we could allow the specification of certificates inline, for example, instead of this:
...
tlsConfig:
  ca_cert_file: /path/to/ca_cert
  cert_file: /path/to/cert
  key_file: /path/to/key
use this:
...
tlsConfig:
  ca_cert: <base64 encoded data>
  cert: <base64 encoded data>
  key: <base64 encoded data>
For the particular case of cert_file and key_file this would mean losing the functionality that reloads the certificates whenever they change (because they are reloaded every time they are needed).
I'm aware that this requires a change in prometheus/common, but since my request is specific to BBE, I'd like to start the discussion here.
Edit 2021-02-18: fixing copy-paste errors
By coincidence, this is related to the same subject: https://groups.google.com/g/prometheus-developers/c/10duXKRNOuc/m/0PeDqJWhBAAJ
Also, while I wrote "instead" I did not mean "replace" but "provide an alternative".
https://github.com/prometheus/prometheus/issues/1377
For reference, I'd like to implement this in the spirit of prometheus/prometheus#8551
I understand it might be necessary to modify a prometheus library so that this is transparent. I'll investigate.
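An added example, not part of the thread and not code from blackbox_exporter or prometheus/common: one way the inline fields proposed in the request could be decoded into a Go `tls.Config` with no file access. The `InlineTLS` struct, its field names and the `sample()` helper are assumptions made for illustration, and the certificate is a self-signed one constructed at run time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// InlineTLS is a hypothetical config struct; each field is base64-encoded PEM.
type InlineTLS struct{ CACert, Cert, Key string }

// Build decodes the inline fields into a tls.Config without reading any file.
func (c InlineTLS) Build() (cfg *tls.Config, err error) {
	var raw [3][]byte
	for i, s := range []string{c.CACert, c.Cert, c.Key} {
		if raw[i], err = base64.StdEncoding.DecodeString(s); err != nil {
			return nil, fmt.Errorf("field %d: %w", i, err)
		}
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(raw[0]) {
		return nil, fmt.Errorf("ca_cert: no PEM certificate found")
	}
	pair, err := tls.X509KeyPair(raw[1], raw[2]) // fails if the key does not match the cert
	if err != nil {
		return nil, fmt.Errorf("cert/key: %w", err)
	}
	return &tls.Config{RootCAs: pool, Certificates: []tls.Certificate{pair}}, nil
}

// sample returns constructed demo input: a fresh self-signed certificate and its key.
func sample() InlineTLS {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"bbe-demo.example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	kb, _ := x509.MarshalPKCS8PrivateKey(priv)
	enc := func(typ string, b []byte) string {
		return base64.StdEncoding.EncodeToString(pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: b}))
	}
	return InlineTLS{enc("CERTIFICATE", der), enc("CERTIFICATE", der), enc("PRIVATE KEY", kb)}
}

func main() { _, err := sample().Build(); fmt.Println("inline TLS config built, error:", err) }
```

A configuration file carrying `key` inline holds the private key itself, so it needs the same access controls as the key file it replaces.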