Verify client certs for Prometheus deployments #1186
Comments
Tried to follow it up in the most recent PR which tried to address it: prometheus/exporter-toolkit#106. It seems to have lost traction and I haven't received any replies so far. The developers seem to agree on an approach of excluding certain paths from cert verification - although I don't know how exactly they want to achieve that atm. Anyway waiting for a reply there to agree on an approach - I wouldn't want to invest into sending a PR if we don't get anyone to look at it.
Just sent prometheus/exporter-toolkit#151. I will update this issue once (if?) it gets merged.
No response from developers so far. Pinged the maintainers on prometheus/exporter-toolkit#151 and reached out on their slack channel in CNCF workspace. If I don't get a reply in the next couple of days, I'll attend Prometheus Developer Office Hours next Monday.
I added the PR to the Developer Office Hours' agenda today but was only informed by the moderator that we'll just have to wait for the maintainers to reply in the PR. Pinged the maintainers again.
As per prometheus/exporter-toolkit#151 (comment), this should be discussed on Prometheus Dev Summit today. Update: it wasn't 🫠
The Scylla Operator project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
/lifecycle stale
/remove-lifecycle stale
Update: it seems like prometheus/exporter-toolkit#151 is likely to finally go through as I've got a first review. @tnozicka can we try accommodating this again in our roadmap?
Update: prometheus/exporter-toolkit#151 got an approval and is waiting to be merged. The next step after that would be to update the prometheus-operator issue (or send a PR myself) but we'll have to wait for exporter-toolkit release and for it to propagate to prometheus itself. So at this point this item is blocked.
Is this a bug report or feature request?
What should the feature do:
Currently the managed Prometheus that is part of the new monitoring stack doesn't force mTLS certificate verification.
scylla-operator/assets/monitoring/prometheus/v1/prometheus.yaml
Lines 21 to 22 in f20887d
This was done temporarily on purpose because the prometheus-operator sets up probes behind authenticated endpoints, which obviously doesn't work because kubelets don't have the client certs for mTLS. We need to start by creating a simple reproducer and report it to the prometheus-operator.
What is use case behind this feature:
Security
fyi @YvanDaSilva (so you are not surprised when this gets fixed)
Requires
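The approach mentioned in this thread, excluding certain paths from client certificate verification so that kubelet probes without client certs still succeed, sketched as an added example (not code from exporter-toolkit, prometheus-operator or scylla-operator). The exempt path list and the names `authorized`, `requireClientCert` and `statusWithoutCert` are assumptions made for illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Assumption: paths the kubelet probes; they are exempt from client cert checks.
var exemptPaths = map[string]bool{"/-/healthy": true, "/-/ready": true}

// authorized reports whether a request on path may proceed: exempt paths always,
// everything else only with a client chain verified during the TLS handshake.
func authorized(state *tls.ConnectionState, path string) bool {
	return exemptPaths[path] || (state != nil && len(state.VerifiedChains) > 0)
}

// requireClientCert enforces authorized() in front of next.
func requireClientCert(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !authorized(r.TLS, r.URL.Path) {
			http.Error(w, "client certificate required", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusWithoutCert does a real TLS request with no client certificate, as a
// kubelet probe would, against a constructed test server and returns the status.
func statusWithoutCert(path string) (int, error) {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	srv := httptest.NewUnstartedServer(requireClientCert(ok))
	// VerifyClientCertIfGiven: a missing cert passes the handshake, a presented
	// one must chain to ClientCAs (an empty constructed pool here).
	srv.TLS = &tls.Config{ClientAuth: tls.VerifyClientCertIfGiven, ClientCAs: x509.NewCertPool()}
	srv.StartTLS()
	defer srv.Close()
	resp, err := srv.Client().Get(srv.URL + path)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	for _, p := range []string{"/-/ready", "/metrics"} {
		code, err := statusWithoutCert(p)
		fmt.Println(p, code, err)
	}
}
```

The handshake no longer rejects certless clients, so the per-request check is the only enforcement point; any handler mounted outside the middleware is reachable without mTLS.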