Ta https server #2921
Left some comments, but overall this looks good to me. @jaronoff97 can you have a look as well?
LGTM! Thank you for your contribution and patience with the review process.
Sure thing.
Sure, let's do that in the issue. On that note, can you edit your PR description so GitHub doesn't auto-close the issue when this PR is merged?
@@ -189,6 +199,20 @@ func main() { | |||
setupLog.Error(shutdownErr, "Error on server shutdown") | |||
} | |||
}) | |||
if cfg.HTTPS.Enabled { |
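Review bot: the new `if cfg.HTTPS.Enabled {` branch sits right after the HTTP server's shutdown handler (`setupLog.Error(shutdownErr, "Error on server shutdown")`) and nothing in the hunk gates the existing HTTP listener, so both servers run whenever HTTPS is enabled; the thread confirms that is intended, so a one-line comment above `if cfg.HTTPS.Enabled {` stating that the HTTP listener only ever serves the redacted scrape_config and that secret values are served solely over the mTLS endpoint would keep a future change from adding secrets to the HTTP path. The HTTPS server should also get the same shutdown error logging that the visible context lines give the HTTP server.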
do we need to put the above srv.Start() in an else block or are we okay to potentially run both a secure and insecure simultaneously? I guess doing it this way would make for a better migration from http to https.
Based on previous conversation, it was suggested to have both HTTP and HTTPS running at the same time.
Yeah, the idea is to keep both and only serve secrets over HTTPS. The HTTP service is useful for debugging, for HTTPS you need to do some work to set up mTLS locally.
looks great! thank you for your contribution! 🙇
Description:
Added an additional HTTPS server with mTLS to serve scrape_config with secret values. This resolves one part of the issue. An additional PR will be opened for the generation and mounting of certs.
Link to tracking Issue(s):
Testing:
Tested in cluster with self-issued certificates. Successfully retrieved the redacted scrape_config using the existing HTTP server and obtained the scrape_config with actual secret values from the new HTTPS server.
Documentation:
Not yet added. Will be added once the entire feature is available.