feat(backend): allow disabling TLS certificate validation

Fixes #409
2026-05-19 04:26:41 +00:00 · 2019-02-01 10:49:53 +00:00
parent b30b927c1b
commit b52c3f7af4
6 changed files with 17 additions and 7 deletions
--- a/docs/CONFIGURATION.md
+++ b/docs/CONFIGURATION.md
@@ -41,6 +41,7 @@ alertmanager:
        ca: string
        cert: string
        key: string
+        insecureSkipVerify: bool
      headers:
        any: string
 ```
@@ -87,6 +88,8 @@ alertmanager:
  TLS connections to this Alertmanager instance if it requires a TLS client
  authentication.
  Note that this option requires `tls:cert` to be also set.
+- `tls:insecureSkipVerify` - disable server certificate validation, can be set
+  to allow using self-signed certs, use at your own risk
 - `headers` - a map with a list of key: values which are header: value.
  These custom headers will be sent with every request to the alert manager
  instance.
@@ -120,6 +123,10 @@ alertmanager:
      tls:
        cert: /etc/ssl/client.pem
        key: /etc/ssl/client.key
+    - name: self-signed
+      uri: https://test.example.com
+      tls:
+        insecureSkipVerify: true
 ```

 Defaults:
--- a/internal/alertmanager/tls.go
+++ b/internal/alertmanager/tls.go
@@ -35,8 +35,8 @@ func configureTLSClientCert(tlsConfig *tls.Config, certPath, keyPath string) err

 // NewHTTPTransport handles the logic of creating a http.RoundTripper instance
 // with properl tls.Config setup
-func NewHTTPTransport(caPath, certPath, keyPath string) (http.RoundTripper, error) {
-	tlsConfig := &tls.Config{}
+func NewHTTPTransport(caPath, certPath, keyPath string, insecureSkipVerify bool) (http.RoundTripper, error) {
+	tlsConfig := &tls.Config{InsecureSkipVerify: insecureSkipVerify}

 	if caPath != "" {
 		err := configureTLSRootCAs(tlsConfig, caPath)
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -190,6 +190,7 @@ func (config *configSchema) LogValues() {
 			Timeout: s.Timeout,
 			TLS:     s.TLS,
 			Proxy:   s.Proxy,
+			Headers: s.Headers,
 		}
 		servers = append(servers, server)
 	}
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -64,6 +64,7 @@ func testReadConfig(t *testing.T) {
      ca: ""
      cert: ""
      key: ""
+      insecureSkipVerify: false
    headers: {}
 annotations:
  default:
--- a/internal/config/models.go
+++ b/internal/config/models.go
@@ -8,9 +8,10 @@ type alertmanagerConfig struct {
 	Timeout time.Duration
 	Proxy   bool
 	TLS     struct {
-		CA   string
-		Cert string
-		Key  string
+		CA                 string
+		Cert               string
+		Key                string
+		InsecureSkipVerify bool `yaml:"insecureSkipVerify"`
 	}
 	Headers map[string]string
 }
--- a/main.go
+++ b/main.go
@@ -103,8 +103,8 @@ func setupUpstreams() {
 		var httpTransport http.RoundTripper
 		var err error
 		// if either TLS root CA or client cert is configured then initialize custom transport where we have this setup
-		if s.TLS.CA != "" || s.TLS.Cert != "" {
-			httpTransport, err = alertmanager.NewHTTPTransport(s.TLS.CA, s.TLS.Cert, s.TLS.Key)
+		if s.TLS.CA != "" || s.TLS.Cert != "" || s.TLS.InsecureSkipVerify {
+			httpTransport, err = alertmanager.NewHTTPTransport(s.TLS.CA, s.TLS.Cert, s.TLS.Key, s.TLS.InsecureSkipVerify)
 			if err != nil {
 				log.Fatalf("Failed to create HTTP transport for Alertmanager '%s' with URI '%s': %s", s.Name, s.URI, err)
 			}