search

grafana / mimir

Grafana Mimir provides horizontally scalable, highly available, multi-tenant, long-term storage for Prometheus.
https://grafana.com/oss/mimir/
GNU Affero General Public License v3.0
4.13k stars 527 forks source link

Insecure Skip verify for mimir helm chart. #5425

Open dpreston-wss opened 1 year ago

dpreston-wss commented 1 year ago

Deploying Mimr utilizing an already existing secure minio setup. Running into issues with the storage pods connecting to minio buckets.

Using insecure = false, fails because it does now

To Reproduce

When installing the helm chart (after disabling the minio container creation), using insecure = true fails due to minio redirecting from http to https.

Using insecure = false, fails because it fails to verify cerificate.

Expected behavior

A clear and concise description of what you expected to happen.

Environment

Is there a way to implement Insecure_skip_verify? Is there a way with the helm chart to add our internal certificates so that it can connect to the existing secure minio?

dimitarvdimitrov commented 1 year ago

When installing the helm chart (after disabling the minio container creation), using insecure = true fails due to minio redirecting from http to https.

looks like setting an https scheme for the minio URL should fix this.

there are a couple of open issues related to this - https://github.com/grafana/mimir/issues/1796 and https://github.com/grafana/mimir/issues/1981

But you should be able to verify certs as well.

Technically it should be possible to mount the certificate files onto the Mimir pods on specific locations and the go runtime should pick them up and trust them by default. Juding from the code the locations are 

    "/etc/ssl/certs",               // SLES10/SLES11, https://golang.org/issue/12139
    "/etc/pki/tls/certs",           // Fedora/RHEL
    "/system/etc/security/cacerts", // Android

You can try mounting the self-seigned certificates of Minio somewhere under /etc/ssl/certs. Maybe /etc/ssl/certs/minio.pem.