-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add ability to skip TLS verification for amtool #2663
Conversation
Signed-off-by: Nikita Nedvetskii <72229464+nedvna@users.noreply.github.com>
Signed-off-by: Nikita Nedvetskii <72229464+nedvna@users.noreply.github.com>
cli/root.go
Outdated
@@ -98,6 +108,7 @@ func Execute() { | |||
app.Flag("alertmanager.url", "Alertmanager to talk to").URLVar(&alertmanagerURL) | |||
app.Flag("output", "Output formatter (simple, extended, json)").Short('o').Default("simple").EnumVar(&output, "simple", "extended", "json") | |||
app.Flag("timeout", "Timeout for the executed command").Default("30s").DurationVar(&timeout) | |||
app.Flag("skip.verify", "Skip TLS certificate verification").BoolVar(&skipVerify) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
app.Flag("skip.verify", "Skip TLS certificate verification").BoolVar(&skipVerify) | |
app.Flag("tls.insecure.skip.verify", "Skip TLS certificate verification").BoolVar(&skipVerify) |
To match go tls name.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for suggestion, applied it.
A bit more verbose but also clearer.
Signed-off-by: Nikita Nedvetskii <72229464+nedvna@users.noreply.github.com>
cli/root.go
Outdated
@@ -78,6 +81,13 @@ func NewAlertmanagerClient(amURL *url.URL) *client.Alertmanager { | |||
|
|||
cr := clientruntime.New(address, path.Join(amURL.Path, defaultAmApiv2path), schemes) | |||
|
|||
if amURL.Scheme == "https" && skipVerify { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Now I notice this. We should not check the scheme, but apply this all the time. You could go to an HTTP endpoint that redirects you (HTTP 302) to HTTPS.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Didn't think we automatically followed them.
Thanks, removed it.
Signed-off-by: Nikita Nedvetskii <72229464+nedvna@users.noreply.github.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, I noticed one thing that was not updated, so I added comments from 2 other small things :) Then it will be OK :)
cli/root.go
Outdated
@@ -151,5 +162,9 @@ static configuration: | |||
|
|||
date.format | |||
Sets the output format for dates. Defaults to "2006-01-02 15:04:05 MST" | |||
|
|||
skip.verify |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was not updated
README.md
Outdated
@@ -315,6 +315,9 @@ output: extended | |||
|
|||
# Set a default receiver | |||
receiver: team-X-pager | |||
|
|||
# Skip TLS certificate verification | |||
tls.insecure.skip.verify: true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's get this out of the example configuration to keep it simple and not promote insecure settings.
cli/root.go
Outdated
@@ -35,6 +37,7 @@ var ( | |||
alertmanagerURL *url.URL | |||
output string | |||
timeout time.Duration | |||
skipVerify bool |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we have tlsInsecureSkipVerify ?
Signed-off-by: Nikita Nedvetskii <72229464+nedvna@users.noreply.github.com>
No problem. |
Thanks! |
Just like with prometheus or alertmanager endpoints, we sometimes need to disable TLS certificate check. We can do that providing
<tls_config>
section there.amtool is a simpler thing but it does provide us some basic features like providing custom port and performing basic auth. I think skipping tls verification will fit in here too.