PR is up for consideration: https://github.com/prometheus/alertmanager/pull/2719
On Friday, September 24, 2021 at 10:21:50 AM UTC-4 Devin Trejo wrote:

> I can see how toggling this feature behind TLS being configurable could be
> confusing, so I agree a separate flag is nicer.
>
> I'm happy to draft up a PR with the new flag.
>
> Devin T.
>
> On Thursday, September 23, 2021 at 4:16:57 PM UTC-4 Julien Pivotto wrote:
>
>> On 23 Sep 13:10, Devin Trejo wrote:
>> > Prometheus-dev,
>> >
>> > I’m excited about an upcoming change that will add TLS auth to the
>> > Alertmanager clustering endpoint. Today we run Alertmanager on networks
>> > where the hosts are provisioned with public IPs but are still firewalled
>> > off from the internet. We understand in the past there were security
>> > concerns for having Alertmanager default to listening on a public IP with
>> > no auth. With the mutual TLS addition, are these concerns mitigated?
>> >
>> > The motivation here is to remove the need for custom startup configuration
>> > we have for our Alertmanagers in these locations. Would the dev-community
>> > be open to change removing the privateIP requirement if mutual TLS is
>> > configured? I imagine this change looking as follows:
>> >
>> > 1. If clustering, attempt to get privateIP
>> > 2. If no privateIP is found and TLS is not configured, error like we do
>> > today
>> > 3. If no privateIP is found and TLS is configured, attempt to get publicIP
>> > 4. If no publicIP is found, error
>> >
>> > Devin T.
>>
>> Hello,
>>
>> I do not think that we should bind the two things. They are different
>> layers.
>>
>> We could have a flag --cluster.allow-insecure-public-advertise-address
>> instead, independent of whether tls is enabled.
>>
>> --
>> Julien Pivotto
>> @roidelapluie

