ooni / backend

Everything related to OONI backend infrastructure: ooni/api, ooni/pipeline, ooni/sysadmin, collector, bouncers and test-helpers
BSD 3-Clause "New" or "Revised" License

Upgrade pattern for handling blackbox exporter CA in older hosts #747

Open hellais opened 9 months ago

hellais commented 9 months ago

Older hosts are using ooca_ca to generate the certificates used by the Prometheus scraper to collect blackbox exported metrics.

Newer hosts are handling this "on the fly", like this: https://github.com/ooni/sysadmin/blob/master/ansible/roles/base-bullseye/tasks/main.yml#L219.

https://github.com/ooni/sysadmin/blob/master/ansible/roles/base-bullseye/tasks/main.yml#L229 <--- this deploys the updated cert to all hosts sending data to vector without running a full host bootstrap

We should update the old hosts to make use of this new pattern.

hellais commented 9 months ago

This was leading to the following error when running the node exporter scrape:

[Screenshot 2023-10-16 at 17 33 22]

As a hotfix we just put in the tls_config section the following:

    tls_config:
      # XXX this is a hotfix to https://github.com/ooni/backend/issues/747
      insecure_skip_verify: true
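For comparison, the hotfix setting next to a scrape job that keeps certificate verification on by pinning the exporter CA. This is an added example, not configuration from the OONI repositories; the job names, target and file paths are placeholders, and it assumes the exporter certificates are signed by a single CA whose certificate is available on the Prometheus host.

```yaml
scrape_configs:
  # Before: the hotfix from this issue. The scrape still runs over TLS,
  # but the certificate presented by the target is not checked, so the
  # scraper cannot tell the real host from anything else answering there.
  - job_name: node-exporter-hotfix          # hypothetical job name
    scheme: https
    tls_config:
      insecure_skip_verify: true
    static_configs:
      - targets: ["host.example.org:9100"]  # placeholder target

  # After: verification enabled, trusting only the CA that signs the
  # exporter certificates once that CA has been deployed to the older hosts.
  - job_name: node-exporter-verified        # hypothetical job name
    scheme: https
    tls_config:
      ca_file: /path/to/exporter-ca.pem     # placeholder path
      # Client certificate and key, needed only if the targets require
      # the scraper to authenticate itself.
      cert_file: /path/to/scraper.crt       # placeholder path
      key_file: /path/to/scraper.key        # placeholder path
      insecure_skip_verify: false
    static_configs:
      - targets: ["host.example.org:9100"]  # placeholder target
```

Running `promtool check config` on the edited file before reloading Prometheus catches syntax mistakes in the `tls_config` block.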