On 23 Sep 13:10, Devin Trejo wrote:
> Prometheus-dev,
>
> I’m excited about an upcoming change that will add TLS auth to the
> Alertmanager clustering endpoint. Today we run Alertmanager on networks
> where the hosts are provisioned with public IPs but are still firewalled
> off from the internet. We understand in the past there were security
> concerns for having Alertmanager default to listening on a public IP with
> no auth. With the mutual TLS addition, are these concerns mitigated?
>
> The motivation here is to remove the need for custom startup configuration
> we have for our Alertmanagers in these locations. Would the dev-community
> be open to change removing the privateIP requirement if mutual TLS is
> configured? I imagine this change looking as follows:
>
> 1. If clustering, attempt to get privateIP
> 2. If no privateIP is found and TLS is not configured, error like we do
>    today
> 3. If no privateIP is found and TLS is configured, attempt to get publicIP
> 4. If no publicIP is found, error
>
>
> Devin T.

Hello,

I do not think that we should bind the two things. They are different layers.

We could have a flag --cluster.allow-insecure-public-advertise-address
instead, independent of whether TLS is enabled.

--
Julien Pivotto
@roidelapluie

--
You received this message because you are subscribed to the Google Groups "Prometheus Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/prometheus-developers/20210923201652.GA341097%40hydrogen.

