function61 / promswarmconnect

Bridges Docker Swarm services to Prometheus without any changes to Prometheus
https://function61.com/
Apache License 2.0

Pass in TLS certs by secrets #10

Closed kinghuang closed 5 years ago

kinghuang commented 5 years ago

Is it possible to pass in the Docker TLS certs using secrets instead of environment variables?

joonas-fi commented 5 years ago

It was not, but it's a good idea and I added support just now by specifying the ENV var value as @/path/to/file.

If ENV var value begins with @, it is treated as a path reference now.

If your Docker secret names are dockerclientcert and dockerclientcertkey, you should now be able to do something like:

$ docker service create ... \
    --secret dockerclientcert \
    --secret dockerclientcertkey \
    --env "DOCKER_CLIENTCERT=@/run/secrets/dockerclientcert" \
    --env "DOCKER_CLIENTCERT_KEY=@/run/secrets/dockerclientcertkey"

Let me know if it works. You need to use the latest image, 20191009_0935_56500b0b.

kinghuang commented 5 years ago

Thanks. That seems to work, though it's expecting base64 encoded data. Can there be an option to just take a certificate and key via files without base64-encoding them?

joonas-fi commented 5 years ago

When using the new @/path/to/file reference syntax, it shouldn't really require it to be in base64.

It should now support reading cert and key files in the same format they're usually stored in on disk. To be exact, certs in PEM format are stored as base64 between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines (same goes for private keys) - but you shouldn't need additional base64 as was needed before.

Did you receive any error messages? Did you use the Docker image version 20191009_0935_56500b0b?

I can investigate further tomorrow around the same time I posted my previous message.

kinghuang commented 5 years ago

Yes, using 20191009_0935_56500b0b, I got an error about invalid base64 bytes or something like that. If I get some time this afternoon, I'll try it again and capture the message!

kinghuang commented 5 years ago

Here's the error I'm getting with the certs passed in as secrets. The secrets are already in use by other services like Traefik, so I'm very confident that they're valid.

2019/10/09 23:25:22 runHttpServer [ERROR] illegal base64 data at input byte 19

I'm using the fn61/promswarmconnect:20191009_0935_56500b0b image.

kinghuang commented 5 years ago

Oh, wait. User error! I missed the part about adding @ as the first character of the values for DOCKER_CLIENTCERT and DOCKER_CLIENTCERT_KEY. I just had the paths in there.

It's working now with the @ in place!

joonas-fi commented 5 years ago

Whoops! 😂

Glad you got it working.

I'll close this issue, since it seems to be working.