Prometheus-dev,
I’m excited about an upcoming change that will add TLS auth to the Alertmanager clustering endpoint. Today we run Alertmanager on networks where the hosts are provisioned with public IPs but are still firewalled off from the internet. We understand in the past there were security concerns for having Alertmanager default to listening on a public IP with no auth. With the mutual TLS addition, are these concerns mitigated?
The motivation here is to remove the need for custom startup configuration we have for our Alertmanagers in these locations. Would the dev-community be open to a change removing the privateIP requirement if mutual TLS is configured? I imagine this change looking as follows:
1. If clustering, attempt to get privateIP
2. If no privateIP is found and TLS is not configured, error like we do today
3. If no privateIP is found and TLS is configured, attempt to get publicIP
4. If no publicIP is found, error
Devin T.
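
The four-step fallback proposed above, sketched in Go as an added example (not part of the original message and not Alertmanager's code). `pickAdvertiseAddr`, `usable` and the error names are hypothetical, and "public" is assumed to mean any usable address outside the RFC 1918 / RFC 4193 private ranges.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// Hypothetical error values; the names are not Alertmanager's.
var (
	errNoPrivateIP = errors.New("no private IP found and TLS is not configured")
	errNoIP        = errors.New("no private or public IP found")
)

// usable reports whether an address could be advertised to cluster peers at all.
func usable(a netip.Addr) bool {
	return a.IsValid() && !a.IsLoopback() && !a.IsUnspecified() && !a.IsLinkLocalUnicast() && !a.IsMulticast()
}

// pickAdvertiseAddr applies the four proposed steps to a host's candidate addresses.
// tlsConfigured stands for "mutual TLS is set up on the clustering endpoint".
func pickAdvertiseAddr(candidates []netip.Addr, tlsConfigured bool) (netip.Addr, error) {
	var public netip.Addr
	for _, a := range candidates {
		a = a.Unmap() // treat IPv4-mapped IPv6 as plain IPv4
		if !usable(a) {
			continue
		}
		if a.IsPrivate() { // step 1: a private address always wins
			return a, nil
		}
		if !public.IsValid() {
			public = a // remember the first non-private candidate for step 3
		}
	}
	if !tlsConfigured { // step 2: no private IP and no TLS, refuse as today
		return netip.Addr{}, errNoPrivateIP
	}
	if public.IsValid() { // step 3: TLS is on, a public address is acceptable
		return public, nil
	}
	return netip.Addr{}, errNoIP // step 4: nothing to advertise
}

func main() {
	// Constructed sample host: loopback plus one documentation-range address.
	host := []netip.Addr{netip.MustParseAddr("127.0.0.1"), netip.MustParseAddr("203.0.113.10")}
	fmt.Println(pickAdvertiseAddr(host, false))
	fmt.Println(pickAdvertiseAddr(host, true))
}
```

The public fallback is reachable only when `tlsConfigured` is true, so a host without TLS keeps today's refusal to advertise a public address.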