Allow to skip certificate verification when tls is enabled #242

Merged on Sep 7, 2021 (1 commit)

@mfamador (Contributor) commented Jul 24, 2021

Hi!

The option insecureSkipTlsVerify was not being used in the Helm chart, and the secrets and respective volumeMounts were being rendered the same.
In order to connect, for example, to an Azure Event Hub with a Kafka interface, I need to use TLS but I want to skip the certificate validation.

I've also added a new field metricRelabelings in the serviceMonitor, which allows us, for instance, to use HPA in different namespaces from where we're running the exporter, changing the namespace label.

Ex. changing the namespace monitoring to core, where the apps are using the HPA:

apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: kafka-exporter-core
spec:
  releaseName: kafka-exporter-core
  chart:
    spec:
      chart: kafka-exporter
      sourceRef:
        kind: GitRepository
        name: kafka-exporter
        namespace: flux-system
  interval: 1h0m0s
  values:
    nameOverride: kafka-exporter-core
    prometheus:
      serviceMonitor:
        additionalLabels:
          tier: cluster
        metricRelabelings:
        - sourceLabels: [ namespace ]
          regex: '(.*)'
          replacement: core
          targetLabel: namespace

Thanks!

Signed-off-by: Marco Amador amador.marco@gmail.com

Signed-off-by: Marco Amador <amador.marco@gmail.com>
@mfamador mfamador force-pushed the allow_skip_tls_verify branch from f4501e2 to 47859bd Compare July 24, 2021 21:23
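
What skipping verification changes on the client side, compared with keeping verification on and trusting one specific CA. This is an added example, not code from this pull request or from kafka_exporter; it assumes the --tls.insecure-skip-tls-verify flag ends up as Go's tls.Config.InsecureSkipVerify, and it uses a throwaway local TLS server (httptest) as a constructed stand-in for a broker whose certificate is not in the system trust store.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http/httptest"
)

// dial performs a TLS handshake against addr with the given client config
// and returns the handshake error, if any.
func dial(addr string, cfg *tls.Config) error {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	_ = conn.Close()
	return nil
}

// Compare runs four client configurations against a local TLS server whose
// certificate is unknown to the system trust store (constructed fixture).
func Compare() (strict, skip, pinned, wrongName error) {
	srv := httptest.NewUnstartedServer(nil)
	srv.StartTLS()
	defer srv.Close()
	addr := srv.Listener.Addr().String()

	// 1. Default verification: rejected, the issuer is not trusted.
	strict = dial(addr, &tls.Config{})

	// 2. Skip-verify: chain AND hostname checks are both disabled, so any
	// certificate presented by any peer on the path is accepted.
	skip = dial(addr, &tls.Config{InsecureSkipVerify: true})

	// 3. Alternative: trust only this issuer and keep verification on.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	pinned = dial(addr, &tls.Config{RootCAs: pool})

	// 4. Same pool, but the expected name is not in the certificate.
	wrongName = dial(addr, &tls.Config{RootCAs: pool, ServerName: "broker.invalid"})
	return
}

func main() {
	strict, skip, pinned, wrongName := Compare()
	fmt.Printf("default: %v\nskip-verify: %v\npinned CA: %v\nwrong name: %v\n", strict, skip, pinned, wrongName)
}
```

Cases 3 and 4 show that supplying the issuing CA keeps both the chain check and the hostname check active, which skip-verify gives up.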
@danielqsj (Owner)

LGTM, thanks @mfamador !

@danielqsj danielqsj merged commit 244850c into danielqsj:master Sep 7, 2021
@unitto-convatis

Looks like it does not help in the case of Azure Event Hub.
We have a problem now for the connection:

I0915 08:35:18.766144       1 kafka_exporter.go:792] Starting kafka_exporter (version=1.6.0, branch=HEAD, revision=c021e94dfb808e642d41064c6550cbba87fe30c6)
[sarama] 2022/09/15 08:35:18 Initializing new client
[sarama] 2022/09/15 08:35:18 client/metadata fetching metadata for all topics from broker ***.servicebus.windows.net:9093
[sarama] 2022/09/15 08:35:19 Completed pre-auth SASL handshake. Available mechanisms: [PLAIN OAUTHBEARER]
[sarama] 2022/09/15 08:35:19 Failed to read response while authenticating with SASL to broker ***.servicebus.windows.net:9093: read tcp ***:43648->***:9093: read: connection reset by peer
[sarama] 2022/09/15 08:35:19 Error while closing connection to broker ehn-qa-central.servicebus.windows.net:9093: tls: failed to send closeNotify alert (but connection was closed anyway): write tcp ***:43648->***:9093: write: broken pipe
[sarama] 2022/09/15 08:35:19 client/metadata got error from broker -1 while fetching metadata: read tcp ***:43648->***:9093: read: connection reset by peer
[sarama] 2022/09/15 08:35:19 client/metadata no available broker to send metadata request to
[sarama] 2022/09/15 08:35:19 client/brokers resurrecting 1 dead seed brokers
[sarama] 2022/09/15 08:35:19 client/metadata retrying after 250ms... (3 attempts remaining)
[sarama] 2022/09/15 08:35:19 client/metadata fetching metadata for all topics from broker ***.servicebus.windows.net:9093
[sarama] 2022/09/15 08:35:20 Completed pre-auth SASL handshake. Available mechanisms: [PLAIN OAUTHBEARER]
[sarama] 2022/09/15 08:35:20 Failed to read response while authenticating with SASL to broker ***.servicebus.windows.net:9093: read tcp ***:43672->***:9093: read: connection reset by peer
[sarama] 2022/09/15 08:35:20 Error while closing connection to broker ***.servicebus.windows.net:9093: tls: failed to send closeNotify alert (but connection was closed anyway): write tcp ***:43672->***:9093: write: broken pipe
[sarama] 2022/09/15 08:35:20 client/metadata got error from broker -1 while fetching metadata: read tcp ***:43672->***:9093: read: connection reset by peer
[sarama] 2022/09/15 08:35:20 client/metadata no available broker to send metadata request to
[sarama] 2022/09/15 08:35:20 client/brokers resurrecting 1 dead seed brokers
[sarama] 2022/09/15 08:35:20 client/metadata retrying after 250ms... (2 attempts remaining)
[sarama] 2022/09/15 08:35:20 client/metadata fetching metadata for all topics from broker ***.servicebus.windows.net:9093
[sarama] 2022/09/15 08:35:20 Completed pre-auth SASL handshake. Available mechanisms: [PLAIN OAUTHBEARER]
[sarama] 2022/09/15 08:35:20 Failed to read response while authenticating with SASL to broker ***l.servicebus.windows.net:9093: read tcp ***:43680->***:9093: read: connection reset by peer
[sarama] 2022/09/15 08:35:20 Error while closing connection to broker ***.servicebus.windows.net:9093: tls: failed to send closeNotify alert (but connection was closed anyway): write tcp ***:43680->***:9093: write: broken pipe
[sarama] 2022/09/15 08:35:20 client/metadata got error from broker -1 while fetching metadata: read tcp ***:43680->***:9093: read: connection reset by peer
[sarama] 2022/09/15 08:35:20 client/metadata no available broker to send metadata request to
[sarama] 2022/09/15 08:35:20 client/brokers resurrecting 1 dead seed brokers
[sarama] 2022/09/15 08:35:20 client/metadata retrying after 250ms... (1 attempts remaining)
[sarama] 2022/09/15 08:35:20 client/metadata fetching metadata for all topics from broker ***.servicebus.windows.net:9093
[sarama] 2022/09/15 08:35:21 Completed pre-auth SASL handshake. Available mechanisms: [PLAIN OAUTHBEARER]
[sarama] 2022/09/15 08:35:21 Failed to read response while authenticating with SASL to broker ***.servicebus.windows.net:9093: read tcp ***0:43696->***:9093: read: connection reset by peer
[sarama] 2022/09/15 08:35:21 Error while closing connection to broker ***l.servicebus.windows.net:9093: tls: failed to send closeNotify alert (but connection was closed anyway): write tcp ***:43696->***:9093: write: broken pipe
[sarama] 2022/09/15 08:35:21 client/metadata got error from broker -1 while fetching metadata: read tcp ***:43696->***:9093: read: connection reset by peer
[sarama] 2022/09/15 08:35:21 client/metadata no available broker to send metadata request to
[sarama] 2022/09/15 08:35:21 client/brokers resurrecting 1 dead seed brokers
[sarama] 2022/09/15 08:35:21 Closing Client
F0915 08:35:21.069113       1 kafka_exporter.go:893] Error Init Kafka Client: kafka: client has run out of available brokers to talk to: read tcp ***:43696->***:9093: read: connection reset by peer

With these params:

      args:
        - --log.enable-sarama
        - --tls.enabled
        - --tls.insecure-skip-tls-verify
        - --sasl.enabled
        - --sasl.mechanism=plain
        - --kafka.server=***.servicebus.windows.net:9093
        - --sasl.username='$ConnectionString'  # should not be the env var, just a value with a dollar sign
        - --sasl.password=$EH_DSN

Does anyone have the same error or ideas how to fix it?
