Allow defining scrape-time TLS setting for operator components

Open tpaschalis opened this issue 1 year ago • 2 comments

Discussed in https://github.com/grafana/agent/discussions/6136

Originally posted by joke January 13, 2024

Hi,

I'm using Istio with strict mTLS settings. Consequently, the Grafana Agent needs to scrape the Prometheus endpoints with special TLS settings as described here.

The prometheus.scrape component allows specifying a tls_config block which can be used for this.

Unfortunately, neither servicemonitors nor podmonitors support this configuration. The client->tls_config is used for accessing the Kubernetes API, and the scrape block does not include any configuration options.

It would be possible to include all the TLS configuration in each monitor specification, but in addition to being quite repetitive, certificates would need to be referenced as secrets instead of files.

Is there any possibility to specify an agent-wide HTTP client configuration or another option to pass a default TLS configuration to the scraping process?

Thanks in advance.

tpaschalis avatar Jan 25 '24 11:01 tpaschalis

cc @captncraig who has worked on the Operator components in case he has any other insights/ideas here.

tpaschalis avatar Jan 25 '24 11:01 tpaschalis

This issue has not had any activity in the past 30 days, so the needs-attention label has been added to it. If the opened issue is a bug, check to see if a newer release fixed your issue. If it is no longer relevant, please feel free to close this issue. The needs-attention label signals to maintainers that something has fallen through the cracks. No action is needed by you; your issue will be kept open and you do not have to respond to this comment. The label will be removed the next time this job runs if there is new activity. Thank you for your contributions!

github-actions[bot] avatar Feb 27 '24 00:02 github-actions[bot]

I believe this is the same as what I was going to request: a single, central place to define tls_config information for when Alloy is acting as a client. E.g., now it is:

loki.write "xxx" {
    tls_config {
        // once
    }
}
prometheus.scrape "remote_metrics_api" {
    tls_config {
        // again
    }
}

prometheus.remote_write "mimir" {
    tls_config {
        // and again
    }
}

Ideally it would be:

common {
    tls_config {
        // once
    }
}
loki.write "loki" {
}
prometheus.scrape "remote_metrics_api" {
}
prometheus.remote_write "mimir" {
}

(If I missed the point of the original ask, let me know and I can open a new issue.)

erichiller avatar Jun 11 '24 02:06 erichiller