Hi Akshay,

Yes. If my understanding is correct, mTLS just means that the server (in this case, your application) also validates the client (Prometheus), in addition to the client validating the server (which you can turn off via "insecure_skip_verify: true"). That means configuring a client cert & key via the "cert_file" and "key_file" fields of the "tls_config".

See also this article about Prometheus + mTLS: https://smallstep.com/hello-mtls/doc/client/prometheus

Regards,
Julius

On Tue, Jul 20, 2021 at 2:50 PM akshay sharma <[email protected]> wrote:

> Hi,
>
> Thanks for your reply. I've seen tls_config in the prometheus doc.
> One query here: does it support mtls? Because there is no such information
> related to this. If yes, can you please give me a dummy configuration for
> mtls.
>
> and yes, that's a typo.
>
> thanks,
> Akshay
>
> On Tue, Jul 20, 2021 at 6:11 PM Julius Volz <[email protected]> wrote:
>
>> Hi Akshay,
>>
>> Though it's not really clear from
>> https://prometheus.io/docs/prometheus/latest/configuration/https/, the
>> "tls_server_config" is about the serving endpoints in Prometheus itself. So
>> this won't be the interesting part for your scenario, you'll want to set
>> the "tls_config" in your "scrape_config" in your main config file instead:
>> https://prometheus.io/docs/prometheus/latest/configuration/configuration/#tls_config
>>
>> If you want to disable verification of the endpoint that Prometheus is
>> scraping from, you can set "insecure_skip_verify: true" in your
>> "tls_config" block.
>>
>> Btw., I'm not sure why you are sending a "Content-type: application/json"
>> header as part of the request in your curl example? Probably that's just a
>> copy-and-paste bug?
>>
>> Regards,
>> Julius
>>
>> On Mon, Jul 19, 2021 at 2:26 PM akshay sharma <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> I was going through the *Prometheus tls configuration*. I've come across
>>> *two different tls configurations* in Prometheus.
>>> One is tls_config and the other one is tls_server_config.
>>>
>>> I want to understand the difference between these two.
>>>
>>> I want to achieve the following:
>>> 1) I've a service running with MTLS, and I want Prometheus to scrape
>>> metrics from that service.
>>> 2) Service needs client cert and client key and cacert as well.
>>>
>>> For ex:
>>> 1) curl -v --cert ./client.crt --key ./client.key GET -H
>>> "Content-type: application/json" https://xxx.xxx.xxx.xx:xxxx/metrics
>>> --cacert server.crt
>>> 2) What if I don't want to pass cacert, I want to use -k (insecure
>>> in configuration). How can I do that?
>>>
>>> So, what configuration can I use in prometheus to achieve this?
>>>
>>> Thanks,
>>> Akshay
>>
>> --
>> Julius Volz
>> PromLabs - promlabs.com

--
Julius Volz
PromLabs - promlabs.com
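
The scrape configuration this thread describes, written out as an added example (not part of the original messages and not taken from the Prometheus docs). The job names, target address, and file paths are placeholders; the `tls_config` fields are the ones named above, plus `ca_file` and `server_name` from the same block.

```yaml
# Added example. Job names, target and paths are placeholders (assumptions).
scrape_configs:
  # Full mTLS: Prometheus verifies the service and presents a client cert.
  - job_name: "mtls-service"                  # hypothetical job name
    scheme: https
    metrics_path: /metrics
    static_configs:
      - targets: ["service.example.internal:8443"]   # placeholder target
    tls_config:
      # CA used to verify the service's certificate (curl --cacert).
      ca_file: /etc/prometheus/tls/ca.crt
      # Client certificate and key Prometheus presents (curl --cert / --key).
      cert_file: /etc/prometheus/tls/client.crt
      key_file: /etc/prometheus/tls/client.key
      # Name expected in the server certificate; set it when the target is
      # scraped by IP address or under a name the certificate does not carry.
      server_name: service.example.internal

  # Equivalent of curl -k: the client cert is still presented, but the
  # service's certificate is NOT verified, so Prometheus cannot tell the
  # real service from anything else answering on that address.
  - job_name: "mtls-service-noverify"         # hypothetical job name
    scheme: https
    static_configs:
      - targets: ["service.example.internal:8443"]   # placeholder target
    tls_config:
      cert_file: /etc/prometheus/tls/client.crt
      key_file: /etc/prometheus/tls/client.key
      insecure_skip_verify: true
```

Keep the client key readable only by the user Prometheus runs as, and run `promtool check config` on the file before reloading.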

