Alertmanager Address Discovery with Mutual TLS


Devin Trejo

Sep 23, 2021, 4:10:15 PM
to Prometheus Developers
Prometheus-dev,

I’m excited about an upcoming change that will add TLS auth to the Alertmanager clustering endpoint. Today we run Alertmanager on networks where the hosts are provisioned with public IPs but are still firewalled off from the internet. We understand in the past there were security concerns for having Alertmanager default to listening on a public IP with no auth. With the mutual TLS addition, are these concerns mitigated? 

The motivation here is to remove the need for custom startup configuration we have for our Alertmanagers in these locations. Would the dev-community be open to a change removing the privateIP requirement if mutual TLS is configured? I imagine this change looking as follows:

1. If clustering, attempt to get privateIP
2. If no privateIP is found and TLS is not configured, error like we do today
3. If no privateIP is found and TLS is configured, attempt to get publicIP
4. If no publicIP is found, error
 

Devin T.

Julien Pivotto

Sep 23, 2021, 4:16:57 PM
to Devin Trejo, Prometheus Developers
Hello,

I do not think that we should bind the two things. They are different
layers.

We could have a flag --cluster.allow-insecure-public-advertise-address instead,
independent of whether tls is enabled.




--
Julien Pivotto
@roidelapluie

Devin Trejo

Sep 24, 2021, 10:21:50 AM
to Prometheus Developers
I can see how toggling this feature behind TLS being configurable could be confusing, so I agree a separate flag is nicer.

I'm happy to draft up a PR with the new flag. 

Devin T.
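
The address-selection order discussed in this thread (steps 1 to 4 of the first message, gated by an explicit opt-in as suggested in the reply), as an added Go example that is not part of the original posts and is not Alertmanager's code. `chooseAdvertiseIP`, `allowPublic` and the error names are hypothetical; `allowPublic` stands for whichever opt-in is chosen (TLS being configured, or the proposed flag being set).

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

var (
	ErrPublicNotAllowed = errors.New("no private IP found and public advertise address not allowed")
	ErrNoAddress        = errors.New("no private or public IP found")
)

// isPrivate reports whether ip is in an RFC 1918 (IPv4) or RFC 4193 (IPv6) range.
func isPrivate(ip net.IP) bool {
	for _, cidr := range []string{"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7"} {
		if _, n, err := net.ParseCIDR(cidr); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// chooseAdvertiseIP is a hypothetical helper (assumption, not project code).
// It never returns a public address unless the caller opted in.
func chooseAdvertiseIP(candidates []net.IP, allowPublic bool) (net.IP, error) {
	var public net.IP
	for _, ip := range candidates {
		if ip == nil || !ip.IsGlobalUnicast() {
			continue // skips loopback, link-local, multicast, unspecified
		}
		if isPrivate(ip) {
			return ip, nil // step 1: a private IP always wins
		}
		if public == nil {
			public = ip // remember the first routable non-private IP
		}
	}
	switch {
	case !allowPublic:
		return nil, ErrPublicNotAllowed // step 2: fail closed, as today
	case public == nil:
		return nil, ErrNoAddress // step 4: opted in, but nothing usable
	}
	return public, nil // step 3: public IP only after explicit opt-in
}

func main() {
	// Constructed sample: loopback plus a documentation-range (TEST-NET-3) address.
	ips := []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("203.0.113.10")}
	fmt.Println(chooseAdvertiseIP(ips, false))
	fmt.Println(chooseAdvertiseIP(ips, true))
}
```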

Devin Trejo

Sep 24, 2021, 11:46:32 AM
to Prometheus Developers