From b52c3f7af416e553d4dab05a1b4bd1a697e3f7f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=81ukasz=20Mierzwa?=
Date: Fri, 1 Feb 2019 10:49:53 +0000
Subject: [PATCH] feat(backend): allow disabling TLS certificate validation
Fixes #409
---
 docs/CONFIGURATION.md | 7 +++++++
 internal/alertmanager/tls.go | 4 ++--
 internal/config/config.go | 1 +
 internal/config/config_test.go | 1 +
 internal/config/models.go | 7 ++++---
 main.go | 4 ++--
 6 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/docs/CONFIGURATION.md b/docs/CONFIGURATION.md
index e1bb72679..e925db6f3 100644
--- a/docs/CONFIGURATION.md
+++ b/docs/CONFIGURATION.md
@@ -41,6 +41,7 @@ alertmanager:
 ca: string
 cert: string
 key: string
+ insecureSkipVerify: bool
 headers:
 any: string
 ```
@@ -87,6 +88,8 @@ alertmanager:
 TLS connections to this Alertmanager instance if it requires a TLS client authentication. Note that this option requires `tls:cert` to be also set.
+- `tls:insecureSkipVerify` - disable server certificate validation, can be set
+ to allow using self-signed certs, use at your own risk
 - `headers` - a map with a list of key: values which are header: value. These custom headers will be sent with every request to the alert manager instance.
@@ -120,6 +123,10 @@ alertmanager:
 tls:
 cert: /etc/ssl/client.pem
 key: /etc/ssl/client.key
+ - name: self-signed
+ uri: https://test.example.com
+ tls:
+ insecureSkipVerify: true
 ```
 Defaults:
diff --git a/internal/alertmanager/tls.go b/internal/alertmanager/tls.go
index ac054d12b..45f3d9151 100644
--- a/internal/alertmanager/tls.go
+++ b/internal/alertmanager/tls.go
@@ -35,8 +35,8 @@ func configureTLSClientCert(tlsConfig *tls.Config, certPath, keyPath string) err
 // NewHTTPTransport handles the logic of creating a http.RoundTripper instance
 // with properl tls.Config setup
-func NewHTTPTransport(caPath, certPath, keyPath string) (http.RoundTripper, error) {
- tlsConfig := &tls.Config{}
+func NewHTTPTransport(caPath, certPath, keyPath string, insecureSkipVerify bool) (http.RoundTripper, error) {
+ tlsConfig := &tls.Config{InsecureSkipVerify: insecureSkipVerify}
 if caPath != "" {
 err := configureTLSRootCAs(tlsConfig, caPath)
diff --git a/internal/config/config.go b/internal/config/config.go
index 8c7b6420d..d381fafcc 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -190,6 +190,7 @@ func (config *configSchema) LogValues() {
 Timeout: s.Timeout,
 TLS: s.TLS,
 Proxy: s.Proxy,
+ Headers: s.Headers,
 }
 servers = append(servers, server)
 }
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
index 2b1d89f03..0f5c095ec 100644
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -64,6 +64,7 @@ func testReadConfig(t *testing.T) {
 ca: ""
 cert: ""
 key: ""
+ insecureSkipVerify: false
 headers: {}
 annotations:
 default:
diff --git a/internal/config/models.go b/internal/config/models.go
index 72b908726..b38e7299b 100644
--- a/internal/config/models.go
+++ b/internal/config/models.go
@@ -8,9 +8,10 @@ type alertmanagerConfig struct {
 Timeout time.Duration
 Proxy bool
 TLS struct {
- CA string
- Cert string
- Key string
+ CA string
+ Cert string
+ Key string
+ InsecureSkipVerify bool `yaml:"insecureSkipVerify"`
 }
 Headers map[string]string
 }
diff --git a/main.go b/main.go
index 5fbc2e1fb..a420d072b 100644
--- a/main.go
+++ b/main.go
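Review bot: The new `insecureSkipVerify` parameter of `NewHTTPTransport` is not mentioned in the doc comment above the signature, and its effect is wider than the name suggests: `tls.Config.InsecureSkipVerify` turns off both certificate chain and host name verification, so a CA loaded through `caPath` on the following lines is no longer enforced when the flag is set. Suggest extending the comment with `// insecureSkipVerify disables server certificate chain and host name verification (tls.Config.InsecureSkipVerify); a CA configured via caPath is then not enforced.` The remainder of the function body is outside the hunk.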
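Review bot: Adding `Headers: s.Headers,` to the server entry assembled in `LogValues` puts the values of user-configured request headers into whatever this method presumably logs, and headers such as `Authorization` commonly carry credentials; the neighbouring `TLS` field only holds file paths, so this would be the first secret-bearing field in that output. The line is also unrelated to the commit subject. If header visibility in the log is wanted, consider emitting only the header names, or a value-redacted copy of the map, rather than `s.Headers` itself. The loop and the struct literal being filled start outside the hunk.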
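Review bot: The only test coverage added for the new option in `config_test.go` is this expected-dump line asserting the default `insecureSkipVerify: false`; nothing parses a config with `insecureSkipVerify: true` and checks the parsed field. Since the new field relies on an explicit `yaml:"insecureSkipVerify"` tag while the sibling TLS fields use untagged default naming, a fixture such as `tls: {insecureSkipVerify: true}` with an assertion on the parsed struct would confirm the tag is honored. testReadConfig starts outside the hunk.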
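Review bot: The new `InsecureSkipVerify` field in `models.go` carries no comment although it is the one field in this struct that weakens the security of the upstream connection. Suggest `// InsecureSkipVerify disables TLS server certificate and host name verification for this Alertmanager; only intended for self-signed test instances.` directly above the field so the config model states what the option gives up. The remaining fields of alertmanagerConfig are outside the hunk.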
@@ -103,8 +103,8 @@ func setupUpstreams() {
 var httpTransport http.RoundTripper
 var err error
 // if either TLS root CA or client cert is configured then initialize custom transport where we have this setup
- if s.TLS.CA != "" || s.TLS.Cert != "" {
- httpTransport, err = alertmanager.NewHTTPTransport(s.TLS.CA, s.TLS.Cert, s.TLS.Key)
+ if s.TLS.CA != "" || s.TLS.Cert != "" || s.TLS.InsecureSkipVerify {
+ httpTransport, err = alertmanager.NewHTTPTransport(s.TLS.CA, s.TLS.Cert, s.TLS.Key, s.TLS.InsecureSkipVerify)
 if err != nil {
 log.Fatalf("Failed to create HTTP transport for Alertmanager '%s' with URI '%s': %s", s.Name, s.URI, err)
 }
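Review bot: When `s.TLS.InsecureSkipVerify` is set, the transport is built with certificate validation disabled without any visible trace at startup, even though the documentation tells users to enable it at their own risk, so an operator reading the logs cannot tell which upstreams are unverified. Suggest a warning-level line before the transport is created, e.g. `if s.TLS.InsecureSkipVerify { log.Warningf("TLS certificate validation is disabled for Alertmanager '%s'", s.Name) }` (assuming the log package in use offers `Warningf`; only `Fatalf` is visible in the hunk). The comment above the `if` is now stale, since it still says the custom transport is only initialized for a root CA or client cert: `// if TLS root CA, client cert or insecureSkipVerify is configured then initialize custom transport where we have this setup`. setupUpstreams continues outside the hunk.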