Kiali cannot get prometheus data when prometheus enable https #786
Comments
|
probably has to do with a self-signed cert that kiali would need to accept. We'd need to look at this more closely - we have to make sure we don't blindly accept certs that do not have a valid root CA. If that is not the case (if the prometheus cert has a valid root CA) then it may mean kiali has to be told to trust the root CA. Would need more information about what certificate is served by the Prometheus https endpoint. |
|
My case is Prometheus enables https with a self-signed cert. |
|
OK, that might be a problem. I'm not sure we should allow kiali to blindly accept certs without a valid root CA via the InsecureSkipVerify: true setting. There is talk about getting internal network communications within the Istio mesh to be secured (this conversation was going on in the istio community). Hopefully, those discussions will help address something like this (that is, you won't have to have your own self-signed cert in front of Prometheus, you can install it with the Citadel-generated cert which presumably will let kiali access it). I would be curious to know what the community thinks of having kiali turn on InsecureSkipVerify for communications to the prometheus server over https. |
|
@clyang82 How do you set up Istio telemetry to report to that Prometheus with your cert? I Istio-mTLS is set up, there are DestinationRules in place that disable mTLS for certain source-destination pairs. This may also be a way to go here. |
|
Consider that kiali, jaeger, prometheus and grafana(if it is enabled) should be with the same CA if we want to communicate with these services |
@pilhuhn I am using the external prometheus to collect istio components metrics so that the kiali fetches the data from this external prometheus. |
|
any news on this? Thanks. |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
ghost
added
the
|
For information, there's now a JIRA ticket to track this issue: https://issues.jboss.org/browse/KIALI-2960 My 2 cts: We should by default reject any untrusted secure connection (like what we do today), however we can have a config flag to explicitly allow untrusted certificate. So an admin would have to knowingly configure it. |
|
Thanks @israel-hdez and @jotak |
|
Hey all, I'm using Kiali with Prometheus running on https, where the cert is signed by our internal CA, and seeing this issue despite setting external_services.prometheus.insecure_skip_verify as mentioned in #1112 This is with Kiali 1.22.1, which I would have thought was recent enough to have this change included, based on the date that 1112 was merged. Can anybody comment on this? Do I need a newer version of Kiali, or might something else be going on? |
|
@mindcrime just to confirm, following the settings described in https://github.com/kiali/kiali-operator/blob/master/deploy/kiali/kiali_cr.yaml#L457 is not enough for the version you comment ? |
|
@lucasponce - thanks, I think you pointed me to the answer. I had the insecure_skip_verify setting directly under the "prometheus" key, but I see here: https://github.com/kiali/kiali-operator/blob/master/deploy/kiali/kiali_cr.yaml#L602 that it belongs under the "auth" key under "prometheus". I was going off the verbiage from the #1112 PR which mentioned the key being "external_services.prometheus.insecure_skip_verify" (no "auth" in there). I'll update my config to move that setting and I'm guessing that will fix the problem. Edit: Yes, that was the issue. It's working now, thanks for the pointer to that sample config. |
From kiali document:
prometheus_service_urlThe URL used to access and query the Prometheus Server. It must be accessible from Kiali pod. (default is http://prometheus.istio-system:9090)When I configured
prometheus_service_url=https://prometheus.istio-system:9090, the kiali cannot collect prometheus data and there has exception thrown from kiali podCan we support this feature?
The text was updated successfully, but these errors were encountered: