Add ability to skip TLS verification for amtool #2663
roidelapluie merged 5 commits into prometheus:main from
Signed-off-by: Nikita Nedvetskii <72229464+nedvna@users.noreply.github.com>
cli/root.go
Outdated
| app.Flag("alertmanager.url", "Alertmanager to talk to").URLVar(&alertmanagerURL) | ||
| app.Flag("output", "Output formatter (simple, extended, json)").Short('o').Default("simple").EnumVar(&output, "simple", "extended", "json") | ||
| app.Flag("timeout", "Timeout for the executed command").Default("30s").DurationVar(&timeout) | ||
| app.Flag("skip.verify", "Skip TLS certificate verification").BoolVar(&skipVerify) |
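Review bot: the help string on the new `skip.verify` flag ("Skip TLS certificate verification") does not tell the user what is given up when it is set. Suggest wording it so it states that the server's certificate chain and host name are not validated, which lets the connection be intercepted, so the option reads as an exception rather than a convenience switch.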
| app.Flag("skip.verify", "Skip TLS certificate verification").BoolVar(&skipVerify) | |
| app.Flag("tls.insecure.skip.verify", "Skip TLS certificate verification").BoolVar(&skipVerify) |
To match the Go TLS name.
Thanks for the suggestion, applied it.
A bit more verbose but also clearer.
Signed-off-by: Nikita Nedvetskii <72229464+nedvna@users.noreply.github.com>
cli/root.go
Outdated
|
|
||
| cr := clientruntime.New(address, path.Join(amURL.Path, defaultAmApiv2path), schemes) | ||
|
|
||
| if amURL.Scheme == "https" && skipVerify { |
Now I notice this. We should not check the scheme, but apply this all the time. You could go to an HTTP endpoint that redirects you (HTTP 302) to HTTPS.
Didn't think we automatically followed them.
Thanks, removed it.
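The redirect case raised in the comments above, as an added example that is not part of the PR or of amtool: a Go client that requests an http:// URL is redirected (302) to an HTTPS server whose certificate it does not trust, so the TLS setting on the transport decides the outcome whatever the scheme of the original URL. The helper names and the two local test servers are assumptions constructed for the illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newClient is a hypothetical helper. It always puts the TLS config on the
// transport and never looks at the scheme of the URL the user supplied.
func newClient(tlsInsecureSkipVerify bool) *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: tlsInsecureSkipVerify},
	}}
}

// fetchViaRedirect starts a constructed HTTPS server whose test certificate
// the client does not trust, plus a plain HTTP server that answers 302 to it.
// It requests the http:// URL and returns the final status code or the error.
func fetchViaRedirect(tlsInsecureSkipVerify bool) (int, error) {
	secure := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	defer secure.Close()
	plain := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, secure.URL, http.StatusFound)
	}))
	defer plain.Close()

	client := newClient(tlsInsecureSkipVerify)
	defer client.CloseIdleConnections()
	resp, err := client.Get(plain.URL) // the scheme of this URL is "http"
	if err != nil {
		return 0, err // verification failed on the redirect target
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	for _, skip := range []bool{false, true} {
		code, err := fetchViaRedirect(skip)
		fmt.Printf("tlsInsecureSkipVerify=%v status=%d err=%v\n", skip, code, err)
	}
}
```

With verification left on, the request fails at the redirect target with a certificate error, which is the safe default; a setting applied only when the first URL is https would not have covered this path.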
Signed-off-by: Nikita Nedvetskii <72229464+nedvna@users.noreply.github.com>
roidelapluie left a comment
Sorry, I noticed one thing that was not updated, so I added comments on 2 other small things :) Then it will be OK :)
cli/root.go
Outdated
| date.format | ||
| Sets the output format for dates. Defaults to "2006-01-02 15:04:05 MST" | ||
|
|
||
| skip.verify |
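Review bot: the key on the last line of this help text is still `skip.verify`, while the flag in the same file was renamed to `tls.insecure.skip.verify` earlier in this review. Use the same name here so that the documented config key matches the flag a user actually has to set.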
README.md
Outdated
| receiver: team-X-pager | ||
|
|
||
| # Skip TLS certificate verification | ||
| tls.insecure.skip.verify: true |
Let's get this out of the example configuration to keep it simple and not promote insecure settings.
cli/root.go
Outdated
| alertmanagerURL *url.URL | ||
| output string | ||
| timeout time.Duration | ||
| skipVerify bool |
Can we have tlsInsecureSkipVerify?
Signed-off-by: Nikita Nedvetskii <72229464+nedvna@users.noreply.github.com>
No problem.
Thanks!
Just like with prometheus or alertmanager endpoints, we sometimes need to disable the TLS certificate check. We can do that by providing a <tls_config> section there.

amtool is a simpler thing, but it does provide us some basic features like providing a custom port and performing basic auth. I think skipping TLS verification will fit in here too.