-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for using HTTPS in the Prometheus web UI is incomplete #4273
Comments
This is indeed a bug, but changing the config reloader to use https can be problematic for certificates issued by an untrusted CA. We either need to mount the CA's certificate in We can also fix the bug for trusted CAs only and treat untrusted CAs as a separate issue. @simonpasquier @philipgough thoughts on this one? |
@fpetkovski personally, I would be in favour of fixing the reported bug and treating support for self-signed certificates as an enhancement. |
Ah interesting case :) Agreed that it doesn't hurt to adjust the URI scheme but I expect that for most (all?) impacted users, it won't fix the issue (e.g. TLS verification will fail further down the road). |
If we decide to skip TLS verification, this will need to be implemented in the thanos sidecar and config reloader components first. Then we can configure these components with the insecure flag. Another alternative would be to allow Prometheus to listen on both HTTP and HTTPS at the same time. This way internal requests can go to the http endpoint on localhost and external ones can go to https. |
yes this is what I meant too :)
Possible too but I suspect that it will be more complicated to implement... Worth checking with upstream though. |
Reopening since #4276 only fixed the HTTP scheme but the TLS verification is still an issue. |
This issue has been automatically marked as stale because it has not had any activity in the last 60 days. Thank you for your contributions. |
The fix should be to pass down the proper TLS settings to Thanos sidecar and config reloader:
The operator could reuse |
Do we need the prometheus-operater generate a client certificate dedicated to Thanos sidecar and config reloader? or do we expect the user to set a certificate in the Prometheus CRD? |
In this case the certificate should be defined by the user. |
+1 to what @fpetkovski said. Thinking more about this issue, it probably makes sense to disable TLS verification for the config reloader and the Thanos sidecar. Both talk to the Prometheus container via the local address so there's little advantage into verifying the peer's identity (if something manages to spoof/hijack the Prometheus port, you have probably bigger problems). |
Also +1 for what @fpetkovski said. Currently having issues with offering Prometheus over HTTPS with the operator, but the config reloader not trusting said certificate since its self-signed. Prefer to keep using the self managed certificate or to skip TLS verify. |
What happened?
I've been trying to use the feature of having the Prometheus web UI use HTTPS, via config in the
Prometheus
resource like the following:This appears to partially work. It does configure Prometheus to use HTTPS, and it does change the readiness probe for the Prometheus container to use HTTPS. But it doesn't change the
config-reloader
container to use HTTPS when it contacts the Prometheus container (via the--reload-url
option), and it doesn't change thethanos-sidecar
container to use HTTPS when it contacts the Prometheus container (via the--prometheus.url
option).The
config-reloader
log fills up with messages like:and the
thanos-sidecar
log fills up with messages like:I've reproduced this with version v0.50.0 of the Prometheus Operator.
Did you expect to see something different?
The
config-reloader
andthanos-sidecar
containers should be configured to contact Prometheus using HTTPS instead of HTTP, when the Prometheus web UI is using HTTPS.One other important point: My setup uses a self-signed certificate for the Prometheus web UI, so the
config-loader
andthanos-sidecar
would have to (at least optionally) suppress certificate validation when they make their connections.How to reproduce it (as minimally and precisely as possible):
Use some config lines as above in the
Prometheus
resource to ask for HTTPS support in Prometheus.Environment:
Prometheus Operator version: v0.50.0
Kubernetes version information: v1.20.10
Kubernetes cluster kind: IBM Cloud Kubernetes cluster
The text was updated successfully, but these errors were encountered: