promtool: Add TLSClientConfig to query subcmd

[mrueg]

This adds client cert support to promtool query subcmd, allowing queries against a prometheus server.

Usage:

./promtool query --cacert chain.pem --cert client.pem --key key.pem instant $SERVER $QUERY

usage: promtool query instant [<flags>] <server> <expr>

Run instant query.

Flags:
  -h, --help           Show context-sensitive help (also try --help-long and --help-man).
      --version        Show application version.
      --cacert=CACERT  Path to CA Certificate File
      --cert=CERT      Path to Client Certificate File
      --key=KEY        Path to Client Key File
  -o, --format=promql  Output format of the query.
      --time=TIME      Query evaluation time (RFC3339 or Unix timestamp).

Args:
  <server>  Prometheus server to query.
  <expr>    PromQL query expression.

Fixes: https://github.com/prometheus/prometheus/issues/8081

[roidelapluie]

Thanks for your pull request.

I think that instead of supporting passwords on the command line, promtool should take a yaml config file as input, with the same TLS client config options as Prometheus.

[mrueg]

Just to make sure that I understand correctly, which passwords are you referring to? The PR adds three arguments, which are file paths to key-file, cert-file and cacert-file.

The difference between prometheus and promtool is also: prometheus being a service (and thus it makes sense to have a config) while the promtool is meant to be a cli (where I feel a config-only solution might make it more difficult to use).

[roidelapluie]

Just to make sure that I understand correctly, which passwords are you referring to? The PR adds three arguments, which are file paths to key-file, cert-file and cacert-file.

The difference between prometheus and promtool is also: prometheus being a service (and thus it makes sense to have a config) while the promtool is meant to be a cli (where I feel a config-only solution might make it more difficult to use). Reusing the same (known) config file fields as Prometheus does not add a lot of complexity I think?

I don't follow you: certificates are already files and difficult to use. I think it does not make sense to only support certificates, and not basic auth, proxy, etc...

But maybe we can have more opinions than mine. @simonpasquier is the actual maintainer of Promtool and shall have the last word on this.

[brian-brazil]

We should also consider amtool, we should try to avoid duplicating security-related code.

[roidelapluie]

https://github.com/prometheus/alertmanager/pull/2391

[parinapatel]

@mrueg This is really neat feature that would allow to support prometheus that requires mtls. can you take a look at the conflicts when you have few moments ?

[mrueg]

@mrueg This is really neat feature that would allow to support prometheus that requires mtls. can you take a look at the conflicts when you have few moments ?

Unfortunately won't have time to work on it or test it in the next months. I would suggest to reuse the solution provided in https://github.com/prometheus/alertmanager/pull/2391 and open a new PR and close this one.

[mrueg]

@parinapatel found some time to rebase on latest main.

[roidelapluie]

We have looked at this pull request during our bug scrub.

promtool now supports --http.config.file= where you can configure the TLS configuration (#11487). This pull request is therefore implemented in another way and we have decided to close it.

Thank you for your contribution.