I can see how toggling this feature behind TLS being configurable could be confusing, so I agree a separate flag is nicer.
I'm happy to draft up a PR with the new flag.

Devin T.

On Thursday, September 23, 2021 at 4:16:57 PM UTC-4 Julien Pivotto wrote:

> On 23 Sep 13:10, Devin Trejo wrote:
> > Prometheus-dev,
> >
> > I’m excited about an upcoming change that will add TLS auth to the
> > Alertmanager clustering endpoint. Today we run Alertmanager on networks
> > where the hosts are provisioned with public IPs but are still firewalled
> > off from the internet. We understand in the past there were security
> > concerns for having Alertmanager default to listening on a public IP with
> > no auth. With the mutual TLS addition, are these concerns mitigated?
> >
> > The motivation here is to remove the need for custom startup configuration
> > we have for our Alertmanagers in these locations. Would the dev-community
> > be open to change removing the privateIP requirement if mutual TLS is
> > configured? I imagine this change looking as follows:
> >
> > 1. If clustering attempt to get privateIP
> > 2. If no privateIP is found and TLS is not configured, error like we do
> >    today
> > 3. If no privateIP is found and TLS is configured, attempt to get publicIP
> > 4. If no publicIP is found error
> >
> > Devin T.
>
> Hello,
>
> I do not think that we should bind the two things. They are different
> layers.
>
> We could have a flag --cluster.allow-insecure-public-advertise-address
> instead, independent of whether tls is enabled.
>
> > --
> > You received this message because you are subscribed to the Google
> > Groups "Prometheus Developers" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> > an email to [email protected].
> > To view this discussion on the web visit
> > https://groups.google.com/d/msgid/prometheus-developers/71a6a032-20bd-4dc5-8113-11744129876en%40googlegroups.com.
>
> --
> Julien Pivotto
> @roidelapluie
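The fallback order listed in the thread, with the permission to use a public address passed in as its own input so it can be driven either by TLS being configured or by a separate flag, as an added Go example. It is not Alertmanager's code and not from either participant; the function name, error values and sample addresses are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// All names are hypothetical; this is not Alertmanager's implementation.
var (
	errNoPrivate = errors.New("no private IP found and public addresses not allowed")
	errNoUsable  = errors.New("no private or public IP found")
)

// pickAdvertiseIP follows steps 1-4 of the proposal: prefer a private
// address, fall back to a public one only when allowPublic is true.
func pickAdvertiseIP(candidates []net.IP, allowPublic bool) (net.IP, error) {
	var public net.IP
	for _, ip := range candidates {
		if ip.IsPrivate() { // RFC 1918 / RFC 4193
			return ip, nil
		}
		// Routable unicast that is not private: skips loopback, link-local, multicast.
		if public == nil && ip.IsGlobalUnicast() {
			public = ip
		}
	}
	if !allowPublic {
		return nil, errNoPrivate
	}
	if public == nil {
		return nil, errNoUsable
	}
	return public, nil
}

func main() {
	// Constructed sample: a host with loopback and one public (TEST-NET-3) address.
	host := []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("203.0.113.10")}
	tlsConfigured, allowPublicFlag := true, false

	// Original proposal: TLS being configured implies permission.
	ip, err := pickAdvertiseIP(host, tlsConfigured)
	fmt.Println("coupled to TLS: ", ip, err)

	// Reply's alternative: only the explicit flag grants permission.
	ip, err = pickAdvertiseIP(host, allowPublicFlag)
	fmt.Println("separate flag:  ", ip, err)
}
```

With the same host and TLS enabled, the coupled variant advertises the public address without the operator asking for it, while the flag variant keeps today's error until the operator opts in.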

