From 38526151ac64244880ed921e2c4926f41ff0bf4f Mon Sep 17 00:00:00 2001
From: Ed Robinson
Date: Fri, 15 Mar 2019 11:47:52 +0000
Subject: [PATCH] Set RootCAs to nil in default case.

Currently we create an empty CA store, which is not a very useful default. The documentation for [cryto/tls#Config](https://godoc.org/crypto/tls#Config) says:

> If RootCAs is nil, TLS uses the host's root CA set.

I want to use this with confluent cloud, that is using certificates signed by a proper root CA. So loading the system CAs makes everything work properly just by enabling tls `--tls.enabled`
---
 kafka_exporter.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kafka_exporter.go b/kafka_exporter.go
index 3fabfdd8..36a51956 100644
--- a/kafka_exporter.go
+++ b/kafka_exporter.go
@@ -210,12 +210,12 @@ func NewExporter(opts kafkaOpts, topicFilter string, groupFilter string) (*Expor
 		config.Net.TLS.Config = &tls.Config{
 			ServerName:         opts.tlsServerName,
-			RootCAs:            x509.NewCertPool(),
 			InsecureSkipVerify: opts.tlsInsecureSkipTLSVerify,
 		}
 		if opts.tlsCAFile != "" {
 			if ca, err := ioutil.ReadFile(opts.tlsCAFile); err == nil {
+				config.Net.TLS.Config.RootCAs = x509.NewCertPool()
 				config.Net.TLS.Config.RootCAs.AppendCertsFromPEM(ca)
 			} else {
 				return nil, err