Allow control over TLS verification for external-serverless
Description
Impact on the user
The user is unable to add an external-serverless service that uses TLS but does not pass all of the verification process.
Steps to reproduce
Create 2 new PMM server instances (A and B), allowing the default, self-signed TLS cert to be used
Add an external-serverless service to instance A to monitor the /prometheus/metrics endpoint of instance B; an admin token/user account is required
Actual result
The connection check will fail
Using localhost
Using 127.0.0.1
Modifying the certificates.conf that is used inside the container to add these in is simple enough:
N.B. inline comments should be removed <-- new line and <-- new lines below here -->
A new self-signed cert can then be generated:
With the files applied and NGINX restarted, the final error appears:
Expected Result
The ability to disable TLS verification and a successful addition of the service.
Workaround
The user can add the CA to the container's trust list and use a certificate that works for whichever address is required (host or IP).
Details
It is not possible to add an external-serverless service that does not have a valid certificate (from the PMM server's point of view), and there is no option to disable TLS verification.
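The two verification stages that the workaround has to satisfy (a SAN matching the address used, then a trusted issuer), reproduced with Go's crypto/x509 as an added example; this is not code from the ticket or from PMM. It assumes the error output missing from this ticket corresponds to these two stages, and `verify` is a hypothetical helper working on a certificate constructed in memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// verify issues a constructed self-signed cert carrying sans, then checks it for addr as a
// TLS client would. trust adds the cert to the client's root pool (the ticket's workaround).
func verify(addr string, trust bool, sans ...string) string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	for _, s := range sans { // IP literals need an IP SAN; everything else is a DNS SAN
		if ip := net.ParseIP(s); ip != nil {
			t.IPAddresses = append(t.IPAddresses, ip)
		} else {
			t.DNSNames = append(t.DNSNames, s)
		}
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "setup failed: " + err.Error()
	}
	roots := x509.NewCertPool() // explicit pool, so the host's system roots play no part
	if trust {
		roots.AddCert(cert)
	}
	_, err = cert.Verify(x509.VerifyOptions{DNSName: addr, Roots: roots})
	switch err.(type) {
	case nil:
		return "ok"
	case x509.HostnameError:
		return "name mismatch"
	case x509.UnknownAuthorityError:
		return "untrusted issuer"
	}
	return err.Error()
}

func main() {
	all := []string{"localhost", "127.0.0.1"}
	fmt.Println(verify("localhost", true), verify("127.0.0.1", false, all...), verify("127.0.0.1", true, all...))
}
```

A certificate that lists only `localhost` still fails for `127.0.0.1`, because an IP address is matched against IP SANs only.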