[SOLVED] cadvisor: TLS not working when provinding a key and a certificate

cadvisor: TLS not working when provinding a key and a certificate

According to cadvisor documentation ( https://github.com/google/cadvisor/blob/master/docs/runtime_options.md#metrics ) using options collector_cert and collector_key should enable TLS on Prometheus endpoint.

I have launched the cadvisor container using the following command : docker run --rm -d --volume=/:/rootfs:ro --volume=/tmp/cadvisor.crt:/etc/ssl/cadvisor.crt --volume=/tmp/cadvisor.key:/etc/ssl/cadvisor.key --volume=/var/run:/var/run:rw --volume=/sys:/sys:ro --volume=/var/lib/docker/:/var/lib/docker:ro --publish=8080:8080 --name=cadvisor gcr.io/cadvisor/cadvisor:latest --collector_cert=/etc/ssl/cadvisor.crt --collector_key=/etc/ssl/cadvisor.key

but when I try to access the metrics using curl https://127.0.0.1:8080/metrics -v I get the following error:

* Trying 127.0.0.1:8080...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

On the other hand using curl http://127.0.0.1:8080/metrics -v returns docker host metrics

*   Trying 127.0.0.1:8080...
* TCP_NODELAY set
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> GET /metrics HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Type: text/plain; version=0.0.4; charset=utf-8
< Date: Mon, 01 Feb 2021 11:03:33 GMT
< Transfer-Encoding: chunked
< 
{ [12148 bytes data]
100  300k    0  300k    0     0  4421k      0 --:--:-- --:--:-- --:--:-- 4357k
* Connection #0 to host 127.0.0.1 left intact

Any pointers will be appreciated.

Solution

As far as i know, there is no https support in cAdvisor. Maybe you can use a reverse proxy instead? There is an issue with the same topic on github: https://github.com/google/cadvisor/issues/2539

These flags are used to collect data from another endpoint with TLS authentication enabled.