Icinga · jrauh01 · Feb 18, 2025 · Feb 18, 2025 · Feb 19, 2025
diff --git a/cmd/icinga-kubernetes/main.go b/cmd/icinga-kubernetes/main.go
@@ -38,7 +38,6 @@ import (
 	"k8s.io/client-go/kubernetes"
 	kclientcmd "k8s.io/client-go/tools/clientcmd"
 	"k8s.io/klog/v2"
-	"net/http"
 	"os"
 	"strings"
 	"sync"
@@ -316,14 +315,15 @@ func main() {
 	}
 
 	if cfg.Prometheus.Url != "" {
-		var basicAuthTransport http.RoundTripper
+		basicAuthTransport := &com.BasicAuthTransport{}
 
-		if cfg.Prometheus.Username != "" && cfg.Prometheus.Password != "" {
-			basicAuthTransport = &com.BasicAuthTransport{
-				RoundTripper: http.DefaultTransport,
-				Username:     cfg.Prometheus.Username,
-				Password:     cfg.Prometheus.Password,
-			}
+		if cfg.Prometheus.Insecure == "true" {
+			basicAuthTransport.Insecure = true
+		}
+
+		if cfg.Prometheus.Username != "" {
+			basicAuthTransport.Username = cfg.Prometheus.Username
+			basicAuthTransport.Password = cfg.Prometheus.Password
 		}
 
 		promClient, err := promapi.NewClient(promapi.Config{

diff --git a/doc/03-Configuration.md b/doc/03-Configuration.md
@@ -29,6 +29,7 @@ Connection configuration for a Prometheus instance that collects metrics from yo
 from which Icinga for Kubernetes [synchronizes predefined metrics](01-About.md#metric-sync) to display charts in the UI.
 Defined in the `prometheus` section of the configuration file.
 
-| Option | Description                                                                          |
-|--------|--------------------------------------------------------------------------------------|
-| url    | **Optional.** Prometheus server URL. If not set, metric synchronization is disabled. |
+| Option   | Description                                                                                                                |
+|----------|----------------------------------------------------------------------------------------------------------------------------|
+| url      | **Optional.** Prometheus server URL. If not set, metric synchronization is disabled.                                       |
+| insecure | **Optional.** Skip the TLS/SSL certificate verification. Can be set to 'true' or 'false'. If not set, defaults to 'false'. |
diff --git a/internal/prometheus.go b/internal/prometheus.go
@@ -24,6 +24,13 @@ func SyncPrometheusConfig(ctx context.Context, db *database.DB, config *metrics.
 			{ClusterUuid: clusterUuid, Key: schemav1.ConfigKeyPrometheusUrl, Value: config.Url, Locked: _true},
 		}
 
+		if config.Insecure != "" {
+			toDb = append(
+				toDb,
+				schemav1.Config{ClusterUuid: clusterUuid, Key: schemav1.ConfigKeyPrometheusInsecure, Value: config.Insecure, Locked: _true},
+			)
+		}
+
 		if config.Username != "" {
 			toDb = append(
 				toDb,
@@ -85,6 +92,8 @@ func SyncPrometheusConfig(ctx context.Context, db *database.DB, config *metrics.
 				switch r.Key {
 				case schemav1.ConfigKeyPrometheusUrl:
 					config.Url = r.Value
+				case schemav1.ConfigKeyPrometheusInsecure:
+					config.Insecure = r.Value
 				case schemav1.ConfigKeyPrometheusUsername:
 					config.Username = r.Value
 				case schemav1.ConfigKeyPrometheusPassword:

diff --git a/pkg/com/basic_auth_transport.go b/pkg/com/basic_auth_transport.go
@@ -1,6 +1,7 @@
 package com
 
 import (
+	"crypto/tls"
 	"net/http"
 )
 
@@ -9,11 +10,28 @@
 	http.RoundTripper
 	Username string
 	Password string
+	Insecure bool
 }
 
 // RoundTrip executes a single HTTP transaction with the basic auth credentials.
 func (t *BasicAuthTransport) RoundTrip(req *http.Request) (*http.Response, error) {
-	req.SetBasicAuth(t.Username, t.Password)
+	if t.Username != "" {
+		req.SetBasicAuth(t.Username, t.Password)
+	}
 
-	return t.RoundTripper.RoundTrip(req)
+	rt := t.RoundTripper
+	if rt == nil {
+		rt = http.DefaultTransport
+	}
+
+	if t.Insecure {
+		if transport, ok := rt.(*http.Transport); ok {
+			transportCopy := transport.Clone()
+			// #nosec G402 -- TLS certificate verification is intentionally configurable via YAML config.
+			transportCopy.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+			rt = transportCopy
+		}
+	}
+
+	return rt.RoundTrip(req)
 }
diff --git a/pkg/metrics/config.go b/pkg/metrics/config.go
@@ -7,14 +7,21 @@ import (
 // PrometheusConfig defines Prometheus configuration.
 type PrometheusConfig struct {
 	Url      string `yaml:"url"`
+	Insecure string `yaml:"insecure"`
 	Username string `yaml:"username"`
 	Password string `yaml:"password"`
 }
 
 // Validate checks constraints in the supplied Prometheus configuration and returns an error if they are violated.
 func (c *PrometheusConfig) Validate() error {
-	if c.Url != "" && (c.Username == "") != (c.Password == "") {
-		return errors.New("both username and password must be provided")
+	if c.Url != "" {
+		if (c.Username == "") != (c.Password == "") {
+			return errors.New("both username and password must be provided")
+		}
+
+		if c.Insecure != "" && c.Insecure != "true" && c.Insecure != "false" {
+			return errors.New("'insecure' has to be 'true', 'false' or empty")
+		}
 	}
 
 	return nil

diff --git a/pkg/schema/v1/config.go b/pkg/schema/v1/config.go
@@ -19,6 +19,7 @@ const (
 	ConfigKeyNotificationsUrl              ConfigKey = "notifications.url"
 	ConfigKeyNotificationsKubernetesWebUrl ConfigKey = "notifications.kubernetes_web_url"
 	ConfigKeyPrometheusUrl                 ConfigKey = "prometheus.url"
+	ConfigKeyPrometheusInsecure            ConfigKey = "prometheus.insecure"
 	ConfigKeyPrometheusUsername            ConfigKey = "prometheus.username"
 	ConfigKeyPrometheusPassword            ConfigKey = "prometheus.password"
 )
diff --git a/schema/mysql/schema.sql b/schema/mysql/schema.sql
@@ -1029,6 +1029,7 @@ CREATE TABLE config (
     'notifications.password',
     'notifications.kubernetes_web_url',
     'prometheus.url',
+    'prometheus.insecure',
     'prometheus.username',
     'prometheus.password'
     ) COLLATE utf8mb4_unicode_ci NOT NULL,