Allow control over TLS verification for external-serverless

Description

Impact on the user
The user is unable to add an external-serverless service that uses TLS but whose certificate does not pass every step of the verification process.

Steps to reproduce

  • Create 2 new PMM server instances (A and B), allowing the default, self-signed TLS cert to be used

  • Add an external-serverless service to instance A to monitor the /prometheus/metrics endpoint of instance B; an admin token/user account is required

Actual result
The connection check will fail.

Using localhost

Using 127.0.0.1

Modifying the certificates.conf that is used inside the container to add these in is simple enough:

N.B. the inline comments ("<-- new line" and "<-- new lines below here -->") should be removed.

A new self-signed cert can then be generated:

With the files applied and NGINX restarted, the final error appears:

Expected Result
The ability to disable TLS verification and a successful addition of the service.

Workaround
The user can add the CA to the container's trust list and use a certificate that works for whichever address is required (host or IP).
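The two conditions in the workaround (an issuer in the trust list, and a certificate that names the address actually used) can be seen in isolation with Go's standard crypto/x509 verifier. This is an added example, not PMM code or output from this report; the certificates are constructed in memory and the helper names selfSigned and check are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned returns a constructed self-signed certificate carrying the given SANs.
func selfSigned(dns []string, ips []net.IP) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dns,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// check verifies cert for addr (host name or IP); trusted adds it to the root pool.
func check(cert *x509.Certificate, addr string, trusted bool) error {
	roots := x509.NewCertPool()
	if trusted {
		roots.AddCert(cert)
	}
	_, err := cert.Verify(x509.VerifyOptions{DNSName: addr, Roots: roots})
	return err
}

func main() {
	bare, _ := selfSigned(nil, nil)
	full, _ := selfSigned([]string{"localhost"}, []net.IP{net.ParseIP("127.0.0.1")})
	fmt.Println("no SAN, trusted:", check(bare, "localhost", true))
	fmt.Println("SAN, untrusted: ", check(full, "127.0.0.1", false))
	fmt.Println("SAN, trusted:   ", check(full, "localhost", true), check(full, "127.0.0.1", true))
}
```

Verification succeeds only when both conditions hold; a missing SAN and an untrusted issuer produce different error types, which helps when working out which half of the workaround is still missing.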

Details
It is not possible to add an external serverless service that does not have a valid certificate (from the PMM server's point of view), and there is no option to disable TLS verification.

How to test

None

How to document

None


Needs QA

Yes

Needs Doc

No


Created June 6, 2023 at 9:18 AM
Updated March 5, 2024 at 10:22 PM