While working on T233956: Deploy Thanos (long-term storage) stateless components: sidecar and query, I ran into an issue with using check_http as it is now and Envoy strict SNI support; specifically, check_http without --sni doesn't work:
icinga1001:~$ /usr/lib/nagios/plugins/check_http -H thanos-swift.discovery.wmnet -S -I 10.192.0.192 -u /healthcheck
CRITICAL - Cannot make SSL connection.
Versus
icinga1001:~$ /usr/lib/nagios/plugins/check_http -H thanos-swift.discovery.wmnet -S --sni -I 10.192.0.192 -u /healthcheck
HTTP OK: HTTP/1.1 200 OK - 279 bytes in 1.155 second response time |time=1.154771s;;;0.000000;10.000000 size=279B;;;0
I think we (in my decreasing order of preference) could:
- default check_http with --sni for the https cases
- relax the SNI requirement on the Envoy/Thanos side
- add yet another specialized icinga command definition for https+SNI
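
The difference between the two invocations above, shown at the ClientHello level (an added example, not part of the original task). It uses Python's ssl module rather than check_http itself, builds the handshake in memory without contacting any host, and the function names are made up for illustration:

```python
import ssl

def client_hello(server_hostname):
    """Return the raw ClientHello record; no network I/O takes place."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # only the first handshake flight is inspected
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:      # expected: no server is answering
        pass
    return outgoing.read()

def sni_from_client_hello(rec):
    """Return the server_name carried in a ClientHello record, or None."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    u16 = lambda i: int.from_bytes(rec[i:i + 2], "big")
    p = 5 + 4 + 2 + 32                # record hdr, handshake hdr, version, random
    p += 1 + rec[p]                   # session_id
    p += 2 + u16(p)                   # cipher_suites
    p += 1 + rec[p]                   # compression_methods
    end = p + 2 + u16(p)              # end of the extensions block
    p += 2
    while p + 4 <= end:
        ext_type, ext_len = u16(p), u16(p + 2)
        p += 4
        if ext_type == 0:             # server_name (RFC 6066)
            name_len = u16(p + 3)     # skip list length (2) and name type (1)
            return rec[p + 5:p + 5 + name_len].decode("ascii")
        p += ext_len
    return None

if __name__ == "__main__":
    host = "thanos-swift.discovery.wmnet"   # hostname from the commands above
    print("with SNI   :", sni_from_client_hello(client_hello(host)))
    print("without SNI:", sni_from_client_hello(client_hello(None)))
```

A listener that selects its certificate or filter chain strictly by server_name has nothing to match in the second ClientHello, which is consistent with the "Cannot make SSL connection" result shown for the run without --sni.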