I can see how toggling this feature behind TLS being configurable could be 
confusing, so I agree a separate flag is nicer.

I'm happy to draft up a PR with the new flag. 

Devin T.

On Thursday, September 23, 2021 at 4:16:57 PM UTC-4 Julien Pivotto wrote:

> On 23 Sep 13:10, Devin Trejo wrote: 
> > Prometheus-dev, 
> > 
> > I’m excited about an upcoming change that will add TLS auth to the 
> > Alertmanager clustering endpoint. Today we run Alertmanager on networks 
> > where the hosts are provisioned with public IPs but are still firewalled 
> > off from the internet. We understand in the past there were security 
> > concerns for having Alertmanager default to listening on a public IP with
> > no auth. With the mutual TLS addition, are these concerns mitigated?
> >
> > The motivation here is to remove the need for custom startup configuration
> > we have for our Alertmanagers in these locations. Would the dev-community
> > be open to a change removing the privateIP requirement if mutual TLS is
> > configured? I imagine this change looking as follows:
> >
> > 1. If clustering, attempt to get privateIP
> > 2. If no privateIP is found and TLS is not configured, error like we do today
> > 3. If no privateIP is found and TLS is configured, attempt to get publicIP
> > 4. If no publicIP is found, error
> > 
> > 
> > Devin T. 
>
>
> Hello, 
>
> I do not think that we should bind the two things. They are different 
> layers. 
>
> We could have a flag --cluster.allow-insecure-public-advertise-address instead,
> independent of whether tls is enabled.
>
>
> -- 
> Julien Pivotto 
> @roidelapluie 
>

-- 
You received this message because you are subscribed to the Google Groups 
"Prometheus Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to prometheus-developers+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/prometheus-developers/ebe56b48-3f1d-4725-94c0-34afae217f8fn%40googlegroups.com.
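
The flag-gated address selection discussed in this thread, as an added Go example that is not Alertmanager's code and not part of either message. Only the flag name comes from the thread; `chooseAdvertiseAddr`, the error values and the sample addresses are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// Hypothetical error values: "opt-in missing" is kept distinct from "no address at all".
var (
	ErrNoPrivateAddr = errors.New("no private address found; set --cluster.allow-insecure-public-advertise-address to advertise a public one")
	ErrNoAddr        = errors.New("no usable unicast address found")
)

// chooseAdvertiseAddr (hypothetical helper) picks the address to advertise to
// cluster peers. allowPublic mirrors the proposed flag and is deliberately not
// derived from the TLS configuration, keeping the two layers separate.
// The public result lets the caller log a warning when a public IP is used.
func chooseAdvertiseAddr(candidates []net.IP, allowPublic bool) (ip net.IP, public bool, err error) {
	var firstPublic net.IP
	for _, c := range candidates {
		// Skip loopback, link-local, multicast and unspecified addresses.
		if !c.IsGlobalUnicast() {
			continue
		}
		if c.IsPrivate() { // RFC 1918 / RFC 4193 ranges always win
			return c, false, nil
		}
		if firstPublic == nil {
			firstPublic = c
		}
	}
	switch {
	case firstPublic == nil:
		return nil, false, ErrNoAddr
	case !allowPublic:
		return nil, false, ErrNoPrivateAddr // fail closed without the explicit opt-in
	default:
		return firstPublic, true, nil
	}
}

func main() {
	// Constructed sample host: loopback plus one documentation-range (TEST-NET-3) address.
	host := []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("203.0.113.7")}
	for _, allow := range []bool{false, true} {
		ip, public, err := chooseAdvertiseAddr(host, allow)
		fmt.Printf("allowPublic=%v -> ip=%v public=%v err=%v\n", allow, ip, public, err)
	}
}
```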
