AsURL always uses HTTP URLs #994
Comments
It's possible only at best effort. HTTPS certificates must be valid. #994 Signed-off-by: f41gh7 <[email protected]>
Protocol check is included in v0.46.0, close as completed. |
It seems like there is one point that is missed. To configure TLS for VMAlertManager, we don't specify |
I don't seem to have an option to reopen the issue. Please reopen this issue. Let me know if I should create a new issue. |
Yes, currently it's tricky to check whether it should use the https scheme or not, since it can only be configured via the configuration file. Maybe it's safe to assume that if |
I'm not sure if checking the |
Yes, I share the same concern. A proper solution would be to add |
* api/vmalertmanager: adds webserver configuration

Adds a new type for generic webserver TLS configuration.

* First of all, it allows properly configuring alertmanager and detecting TLS-related params for it. It fixes scheme detection for probes and the AsURL function.
* Second, it allows later rolling out this type to other applications and having a generic way of TLS/mTLS configuration.
* Fixes a bug with the tlsAssets mount with a custom config reloader for alertmanager. Previously it was not mounted correctly and could cause issues with inaccessible assets.

related issues:
- #994
- #1033

Signed-off-by: f41gh7 <[email protected]>
released in v0.47.0 |
I have a secret containing certificates generated using cert-manager that I add to
which is equivalent to:
Even though this is a valid configuration, operator looks for I think this is a bug. There is no documentation specifying that the secret should be mounted on |
I have used the examples from the repository, but I have issues in the alertmanager pod with the configuration below.
With
Liveness probe failed: Get "https://10.131.60.138:9093/-/healthy": remote error: tls: certificate required |
The provided config in the examples does not have a client CA definition:

```yaml
tls_server_config:
  cert_secret_ref:
    key: certValue
    name: alertmanager-tls
  key_secret_ref:
    key: certKey
    name: alertmanager-tls
```

Remove client_ca_file and it must work. For the mTLS part - configuring mTLS is a non-trivial task for kubernetes. It isn't supported directly by probes. There are the following workarounds:
It'd be great to have a guide - "How to configure mTLS with operator". I think liveness and readiness probes are useless for mTLS. It's possible to replace them with a "no-op" command and configure minReadySeconds for the actual start-up probe check. If any runtime issue happens, the application will crash and restart. |
I managed to add custom probes to VMAlertManager and it works. Additionally, I had to remove |
related issue #994 Signed-off-by: f41gh7 <[email protected]>
See linked example with mTLS configuration for alertmanager. It requires external dependency - cert-manager. |
Thank you. As I said earlier, the path at which these certificates are mounted via secret can be any path. I had already used cert-manager to generate certificates successfully. The generated secret by cert-manager was mounted to |
Could you please give some reproducible example? You shouldn't care about the secret mount point. If you put secret key references into the web configuration file, the operator will fill in mount points on its own.

```yaml
kind: VMAlertmanager
spec:
  webConfig:
    tls_server_config:
      client_auth_type: RequireAndVerifyClientCert
      client_ca_secret_ref:
        key: ca.crt
        name: alertmanager-tls
      cert_secret_ref:
        key: tls.crt
        name: alertmanager-tls
      key_secret_ref:
        key: tls.key
        name: alertmanager-tls
```
|
I already provided example in above comment. Using cert-manager, I generate a secret containing TLS certificates. Let's call it There are no problems when |
Hi,

In every `*_types.go`, the implementation of the `AsURL()` function returns an HTTP URL:

```go
return fmt.Sprintf("http://%s.%s.svc:%s", cr.PrefixedName(), cr.Namespace, port)
```

I'm trying to configure TLS between victoriametrics components, which means all components must be accessed via HTTPS. For example, VMAuth must invoke https://vmsingle-.... However, because of the hard-coding of `http`, VMAuth cannot proxy requests to other components. I get the following error.

Please fix this if it's a bug or advise any workarounds.
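One way to derive the scheme from the web server TLS configuration, as the thread proposes, shown as an added Go example that is not the operator's own code; the type names, the `vmalertmanager-` prefix and the field layout are assumptions modelled on the `tls_server_config` block quoted in the thread:

```go
package main

import "fmt"

// SecretKeyRef is a simplified stand-in for a Kubernetes secret key selector (assumed shape).
type SecretKeyRef struct {
	Name string
	Key  string
}

// TLSServerConfig mirrors the webConfig.tls_server_config block from the thread (assumed shape).
// The cert and key may come either from secret references or from file paths.
type TLSServerConfig struct {
	CertSecretRef *SecretKeyRef
	KeySecretRef  *SecretKeyRef
	CertFile      string
	KeyFile       string
}

// WebConfig is the hypothetical spec.webConfig sub-tree.
type WebConfig struct {
	TLSServerConfig *TLSServerConfig
}

// Alertmanager is a minimal, hypothetical CR shape carrying only what AsURL needs.
type Alertmanager struct {
	Name      string
	Namespace string
	Port      string
	WebConfig *WebConfig
}

// PrefixedName uses an assumed prefix; the real operator's prefix may differ.
func (a Alertmanager) PrefixedName() string { return "vmalertmanager-" + a.Name }

// TLSEnabled is true only when both a certificate and a key are configured;
// a cert without a key (or vice versa) cannot serve TLS, so it stays plain HTTP.
func (w *WebConfig) TLSEnabled() bool {
	if w == nil || w.TLSServerConfig == nil {
		return false
	}
	t := w.TLSServerConfig
	hasCert := t.CertSecretRef != nil || t.CertFile != ""
	hasKey := t.KeySecretRef != nil || t.KeyFile != ""
	return hasCert && hasKey
}

// Scheme picks https when the web server is configured for TLS, http otherwise.
func (a Alertmanager) Scheme() string {
	if a.WebConfig.TLSEnabled() {
		return "https"
	}
	return "http"
}

// AsURL keeps the host format from the issue but no longer hard-codes the scheme.
func (a Alertmanager) AsURL() string {
	return fmt.Sprintf("%s://%s.%s.svc:%s", a.Scheme(), a.PrefixedName(), a.Namespace, a.Port)
}

func main() {
	fmt.Println(Alertmanager{Name: "demo", Namespace: "monitoring", Port: "9093"}.AsURL())
}
```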