Add ability to skip TLS verification for amtool #2663
Conversation
Signed-off-by: Nikita Nedvetskii <72229464+nedvna@users.noreply.github.com>
Signed-off-by: Nikita Nedvetskii <72229464+nedvna@users.noreply.github.com>
cli/root.go
Outdated
| @@ -98,6 +108,7 @@ func Execute() { | |||
| app.Flag("alertmanager.url", "Alertmanager to talk to").URLVar(&alertmanagerURL) | |||
| app.Flag("output", "Output formatter (simple, extended, json)").Short('o').Default("simple").EnumVar(&output, "simple", "extended", "json") | |||
| app.Flag("timeout", "Timeout for the executed command").Default("30s").DurationVar(&timeout) | |||
| app.Flag("skip.verify", "Skip TLS certificate verification").BoolVar(&skipVerify) | |||
There was a problem hiding this comment.
| app.Flag("skip.verify", "Skip TLS certificate verification").BoolVar(&skipVerify) | |
| app.Flag("tls.insecure.skip.verify", "Skip TLS certificate verification").BoolVar(&skipVerify) |
To match go tls name.
There was a problem hiding this comment.
Thanks for suggestion, applied it.
A bit more verbose but also clearer.
Signed-off-by: Nikita Nedvetskii <72229464+nedvna@users.noreply.github.com>
cli/root.go
Outdated
| @@ -78,6 +81,13 @@ func NewAlertmanagerClient(amURL *url.URL) *client.Alertmanager { | |||
|
|
|||
| cr := clientruntime.New(address, path.Join(amURL.Path, defaultAmApiv2path), schemes) | |||
|
|
|||
| if amURL.Scheme == "https" && skipVerify { | |||
There was a problem hiding this comment.
Now I notice this. We should not check the scheme, but apply this all the time. You could go to an HTTP endpoint that redirects you (HTTP 302) to HTTPS.
There was a problem hiding this comment.
Didn't think we automatically followed them.
Thanks, removed it.
Signed-off-by: Nikita Nedvetskii <72229464+nedvna@users.noreply.github.com>
cli/root.go
Outdated
| @@ -151,5 +162,9 @@ static configuration: | |||
|
|
|||
| date.format | |||
| Sets the output format for dates. Defaults to "2006-01-02 15:04:05 MST" | |||
|
|
|||
| skip.verify | |||
README.md
Outdated
| @@ -315,6 +315,9 @@ output: extended | |||
|
|
|||
| # Set a default receiver | |||
| receiver: team-X-pager | |||
|
|
|||
| # Skip TLS certificate verification | |||
| tls.insecure.skip.verify: true | |||
There was a problem hiding this comment.
Let's get this out of the example configuration to keep it simple and not promote insecure settings.
cli/root.go
Outdated
| @@ -35,6 +37,7 @@ var ( | |||
| alertmanagerURL *url.URL | |||
| output string | |||
| timeout time.Duration | |||
| skipVerify bool | |||
There was a problem hiding this comment.
Can we have tlsInsecureSkipVerify ?
Signed-off-by: Nikita Nedvetskii <72229464+nedvna@users.noreply.github.com>
No problem. |
|
Thanks! |
Just like with prometheus or alertmanager endpoints, we sometimes need to disable TLS certificate check. We can do that providing
<tls_config>section there.amtool is a simpler thing but it does provide us some basic features like providing custom port and performing basic auth. I think skipping tls verification will fit in here too.