Compose/ibmcloud redis exporter with ssl rediss:// does not work #251

Closed
wennnds opened this issue Apr 11, 2019 · 17 comments
@wennnds

wennnds commented Apr 11, 2019

When setting up exporter for ibmcloud, compose redis doesn't produce any metrics from prometheus.

@wennnds
Author

wennnds commented Apr 12, 2019

Does the part to add SSL cert as part of argument exist? @oliver006

@oliver006
Owner

oliver006 commented Apr 12, 2019

Sorry, not familiar with how IBM Cloud works or how it sets up Prometheus and/or exporters.

@wennnds
Author

wennnds commented Apr 15, 2019

Are there plans on SSL cert as an arg to connect to rediss database?

@oliver006
Owner

No plans right now, sorry.

@desourav

@oliver006 Here are the relevant logs:

time="2019-04-30T16:20:54Z" level=debug msg="aborting for addr: rediss://xxxx:15242 - redis err: dial rediss: unknown network rediss"
time="2019-04-30T16:21:09Z" level=debug msg="Trying DialURL(): rediss://xxxx:15242"
time="2019-04-30T16:21:09Z" level=debug msg="DialURL() failed, err: x509: certificate signed by unknown authority"

We want to ignore the SSL verification. Is there a flag we can pass to do the same?

@oliver006
Owner

There is no flag available right now but definitely something that can be added in the future. Is the cert self-signed?

@desourav

@oliver006 Yes, it's a self-signed cert.

@oliver006
Owner

Ok.
Implementing a flag to disable cert validation shouldn't be that hard, I think it might just be a matter of setting a flag when calling redis.DialURL().
If I have a chance to add it in the future then I'll let you know, but in the meantime PRs are welcome.

oliver006 mentioned this issue May 2, 2019

@oliver006
Owner

Version 1.0.0 now has a flag to skip TLS verification, closing this.

@drpalaric

The flag to skip TLS certs is not what is needed since we're making rediss connections. In fact, an environment variable that allows you to add the self-signed certificate is what's needed. Skipping TLS verification will not work. Maybe I will submit a PR for this one.

@oliver006
Owner

Did you look at the --tls-client-key-file and --tls-client-cert-file params and try using them to make the exporter use your cert?

@drpalaric

drpalaric commented Oct 23, 2019

Yeah, but there needs to be a CA cert flag because the self-signed certificate doesn't require a key, just a CA cert. At the moment, if you just use the cert param, it will yell at you for the key. So, I am thinking that another flag just for a CA cert is needed.

@tobiangerstein

Are there any updates on this issue? In our project context, it is mandatory to use an encrypted connection including the verification of a self-signed certificate. Is it planned to enable the explicit definition of CA cert analogously to the --tls-client-cert-file option?

@oliver006
Owner

Did you try using the --skip-tls-verification command line parameter?

@tobiangerstein

tobiangerstein commented Mar 6, 2020

@oliver006 Of course, on a functional level this works without any problems, but this violates the required security standards. We would like to ensure that we can verify the cert of the redis database.

@oliver006
Owner

Ah, I see what you mean, makes sense now.
There's a way to set CA certs in the tls.Config that's used when connecting to the Redis instance. I think an additional command line parameter is needed to be able to supply the CA cert.

I don't have an immediate need for this nor do I have time to add this right now but I'd be happy to review and merge a PR.

@tobiangerstein

Ok, thank you for the feedback. We'll have a look at whether we can provide a pull request here ...
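
The approach discussed in the last few comments (trusting a supplied CA certificate through `tls.Config` instead of skipping verification) can be sketched as follows. This is an added example, not code from the exporter or from any participant in the thread; `caTLSConfig`, `handshake` and `demo` are hypothetical names, and a local `httptest` TLS listener with a self-signed certificate stands in for the Redis endpoint.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http/httptest"
)

// caTLSConfig (hypothetical helper) builds a tls.Config that trusts only the CA
// certificates in caPEM. Verification stays on; InsecureSkipVerify is never set.
func caTLSConfig(caPEM []byte) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("CA bundle contains no usable PEM certificate")
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

// handshake dials addr over TLS and returns any certificate verification error.
func handshake(addr string, cfg *tls.Config) error {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// demo starts a local TLS listener presenting a self-signed certificate
// (constructed fixture from net/http/httptest, standing in for the Redis server).
func demo() (defaultErr, pinnedErr error) {
	srv := httptest.NewTLSServer(nil)
	defer srv.Close()
	addr := srv.Listener.Addr().String()
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	defaultErr = handshake(addr, &tls.Config{}) // system roots only: must be rejected
	cfg, err := caTLSConfig(caPEM)
	if err != nil {
		return defaultErr, err
	}
	return defaultErr, handshake(addr, cfg) // supplied CA: verified handshake
}

func main() {
	defaultErr, pinnedErr := demo()
	fmt.Printf("system roots: %v\nsupplied CA:  %v\n", defaultErr, pinnedErr)
}
```

With the default configuration the handshake fails with the same kind of x509 verification error shown in the logs above; with the CA pool it succeeds while hostname and chain checks remain enforced.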
