
Dedicated webserver for health check endpoint #111

Open
tejaswiniVadlamudi opened this issue May 31, 2022 · 5 comments

Comments

@tejaswiniVadlamudi

Prometheus with direct TLS support (by using the --web.config.file flag) expects strict client certificates from all HTTP endpoint consumers.
When deployed on k8s, k8s (the kubelet) doesn't provide a client certificate when it probes the readiness and liveness endpoints.
One needs to disable the health check probes in the deployment manifests in order to deploy Prometheus with inbuilt TLS support on k8s.

See the k8s documentation here (https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#http-probes). It says: "if the scheme field is set to HTTPS, the kubelet sends an HTTPS request skipping the certificate verification".

Can we move /-/ready and /-/healthy endpoints to a separate web server?

@roidelapluie
Member

It would be acceptable to me to be able to somehow allow /-/ready and /-/healthy to not check for certificate.

@tejaswiniVadlamudi
Author

@roidelapluie: Do you accept code contributions for this task? If yes, could you give me a hint about the next step?

@roidelapluie
Member

roidelapluie commented Jun 9, 2022 via email

@roidelapluie
Member

We are working on this in #106.

@roidelapluie roidelapluie transferred this issue from prometheus/prometheus Sep 5, 2022
@twiden

twiden commented Oct 19, 2022

I think it would be really good to be able to exclude /-/healthy and /-/ready from basic auth and possibly TLS verification as well. My use case is that I run Pushgateway on ECS, and basic auth prevents the Application Load Balancer from performing meaningful health checks. I also only push metrics to the gateway on the local subnet, so in my case a good solution would be to bypass basic auth for health, readiness and metrics push, and maybe add IP whitelisting based on CIDR for those endpoints instead.
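Added example, not code from exporter-toolkit or from anyone in this thread: one way to implement the exemption roidelapluie says would be acceptable (probe paths not checked for a client certificate) together with the basic-auth bypass twiden asks for, in Go at the HTTP layer. The caveat a practitioner should keep in mind is that the TLS handshake completes before the server knows which path is requested, so a path-based exemption only works if the listener stops requiring a certificate at handshake time: `RequireAndVerifyClientCert` (what a strict `client_auth_type` gives you) rejects the kubelet before any HTTP request exists, whereas `VerifyClientCertIfGiven` still verifies every certificate that is presented and leaves "none presented" for the middleware to decide per path. That relaxation is the trade-off against the original request for a separate listener. The names `Policy`, `Authorize`, `examplePolicy`, the sample user `prom` and its password are assumptions made for this example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Policy is an assumed, example-only type (not exporter-toolkit's API): which paths skip
// authentication entirely, and what every other request has to present.
type Policy struct {
	ExemptPaths       map[string]bool     // probe endpoints the kubelet or an ALB may hit anonymously
	RequireClientCert bool                // the listener runs with tls.VerifyClientCertIfGiven
	BasicAuthUsers    map[string][32]byte // username -> sha256(password); constructed sample data
}

// clientCertVerified reports whether the handshake produced a chain verified against ClientCAs.
// With VerifyClientCertIfGiven a presented-but-invalid certificate already fails the handshake,
// so an empty VerifiedChains here means "no certificate was presented".
func clientCertVerified(r *http.Request) bool {
	return r.TLS != nil && len(r.TLS.VerifiedChains) > 0
}

func (p Policy) basicAuthOK(r *http.Request) bool {
	user, pass, ok := r.BasicAuth()
	if !ok {
		return false
	}
	want, known := p.BasicAuthUsers[user]
	got := sha256.Sum256([]byte(pass))
	eq := subtle.ConstantTimeCompare(want[:], got[:]) == 1 // compare even for unknown users
	return known && eq
}

// Authorize returns 0 to let the request through, otherwise the HTTP status to send.
// Exempt paths bypass both checks; everything else needs the certificate (if required)
// and valid basic auth (if any users are configured).
func (p Policy) Authorize(r *http.Request) int {
	if p.ExemptPaths[r.URL.Path] {
		return 0
	}
	if p.RequireClientCert && !clientCertVerified(r) {
		return http.StatusUnauthorized
	}
	if len(p.BasicAuthUsers) > 0 && !p.basicAuthOK(r) {
		return http.StatusUnauthorized
	}
	return 0
}

// Middleware wraps the real handler (metrics, admin API, ...) with the policy.
func (p Policy) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if status := p.Authorize(r); status != 0 {
			if len(p.BasicAuthUsers) > 0 {
				w.Header().Set("WWW-Authenticate", `Basic realm="exporter"`)
			}
			http.Error(w, http.StatusText(status), status)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// serverTLSConfig is the handshake side of the same idea: the server still asks for a client
// certificate and verifies any it receives, but no longer aborts the handshake when none arrives.
func serverTLSConfig(clientCAs *x509.CertPool) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		ClientAuth: tls.VerifyClientCertIfGiven,
		ClientCAs:  clientCAs,
	}
}

// examplePolicy is constructed sample data for the demonstration below.
func examplePolicy() Policy {
	return Policy{
		ExemptPaths:       map[string]bool{"/-/healthy": true, "/-/ready": true},
		RequireClientCert: true,
		BasicAuthUsers:    map[string][32]byte{"prom": sha256.Sum256([]byte("example-password"))},
	}
}

// noCertRequest stands in for a kubelet or load-balancer probe: no client certificate, no credentials.
func noCertRequest(path string) *http.Request {
	return httptest.NewRequest(http.MethodGet, path, nil)
}

// verifiedCertRequest stands in for a scraper whose certificate was verified at handshake time
// (a placeholder chain is enough for the decision logic) and which sends basic-auth credentials.
func verifiedCertRequest(path, user, pass string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, path, nil)
	r.TLS = &tls.ConnectionState{VerifiedChains: [][]*x509.Certificate{{&x509.Certificate{}}}}
	r.SetBasicAuth(user, pass)
	return r
}

func main() {
	p := examplePolicy()
	h := p.Middleware(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }))
	for _, r := range []*http.Request{
		noCertRequest("/-/healthy"),                                 // probe: allowed
		noCertRequest("/metrics"),                                   // anonymous scrape: 401
		verifiedCertRequest("/metrics", "prom", "wrong"),            // cert ok, bad password: 401
		verifiedCertRequest("/metrics", "prom", "example-password"), // allowed
	} {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, r)
		fmt.Printf("%-12s tls=%-5v -> %d\n", r.URL.Path, r.TLS != nil, rec.Code)
	}
}
```

In a real deployment `serverTLSConfig` would be what the listener is started with and `Middleware` would wrap the exporter's mux; the exempt set should stay limited to the probe paths, since anything listed there is reachable by any client that can open a TCP connection to the port.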
