-
Notifications
You must be signed in to change notification settings - Fork 146
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Missing TLS configuration during self service scrape creation by operator #1033
Comments
There is a workaround for it. Manually defined needed options at For example: kind: VMAlert
spec:
serviceScrapeSpec:
endpoints:
- port: http
scheme: https I think we should add best-effort params detection later. |
Sure. It would also mean that we have to disable |
There is no need to disable servicescrape auto-creation. This setting allows to override default values at operator-generated servicescrape. It's only workaround for now. Later it should be fixed and operator must respect values from extraArgs to correctly generate servicescrape. |
Adds a new type for generic webserver TLS configuration. * First of all, it allows to properly configure alertmanager and detect tls related params for it. It fixes scheme detection for probes, AsURL function. * Second, it allows later to rollout this type to other application and have a generic way of TLS/mTLS configuration * Fixes bug with tlsAssets mount with custom config reloader for alertmanager. Previously it was not mounted correctly and may cause issues with inaccessible assets. related issues: - #994 - #1033 Signed-off-by: f41gh7 <[email protected]>
* api/vmalertmanager: adds webserver configuration Adds a new type for generic webserver TLS configuration. * First of all, it allows to properly configure alertmanager and detect tls related params for it. It fixes scheme detection for probes, AsURL function. * Second, it allows later to rollout this type to other application and have a generic way of TLS/mTLS configuration * Fixes bug with tlsAssets mount with custom config reloader for alertmanager. Previously it was not mounted correctly and may cause issues with inaccessible assets. related issues: - #994 - #1033 Signed-off-by: f41gh7 <[email protected]>
What about ServiceMonitor/VMServiceScrape for victoriametrics-operator itself? Operator sends metrics over |
* automagically add `tls_config.insecure_skip_verify: true` and scheme: https to VMServiceScrape's generated by operator, if extraArgs have tls=true * automagically sets `authKey` scrape param to generated VMServiceScrape, if extraArgs have `metricsAuthKey` set #1033 Signed-off-by: f41gh7 <[email protected]>
It's useful for mTLS configuration at reload-url target. #1033 Signed-off-by: f41gh7 <[email protected]>
It allows to protect metrics endpoint with tls and mTLS protection. It may be required for security hardened environment. `tls.enable=true` - switches metrics webserver into secure mode. Corresponding certificate must be accessible by manager. related issue #1033 Signed-off-by: f41gh7 <[email protected]>
released in v0.47.0 |
It's possible to protect operator endpoints with tls configuration starting with v0.47.0 release for endpoints:
In addition, operator will automatically configure VMServiceScrape objects for managed CRDs. |
Why |
The main reason behind that - operator is not aware ( at least for now), how to access needed tls certificate parts used at vmagent side. It's a good place for the feature improvements. |
TLS certificates may be passed using |
The problem with When we introduce |
Sorry CAFile is not necessary.
See above logs from VMAgent. It loads arguments
|
Please let me know if new issue is required to continue work on above mentioned problem. |
Hello,
As per this statement from documentation, we expect that VMServiceScrapes created automatically by the operator must honor
HTTPS scheme
andTLSConfig
when TLS is configured.The endpoints of the automatically created VMServiceScrape for all VM components contains only Port and Path. It is from the logic here. When constructing endpoints, neither scheme nor TLSConfig is populated to VMServiceScrape. This violates the documentation.
Please fix it if its a bug. If my understanding is incorrect and there is some way to tell operator to add TLSConfig and Scheme to generated VMServiceScrapes, please provide such instructions.
The text was updated successfully, but these errors were encountered: