OpenShift Monitoring / MON-1850

Migrate all monitoring components to use client TLS certificate instead of bearer token for metrics scraping


Details

    • Monitoring - Sprint 207, Monitoring - Sprint 208

    Description

      Thanks to https://github.com/openshift/cluster-monitoring-operator/pull/1282, Prometheus is able to authenticate using TLS certificates instead of bearer tokens when scraping metrics. This improves the reliability of metrics collection and lowers the load on the API server since there's no additional round-trip to the authentication/authorization APIs. The initial work targeted kubelet, kube-state-metrics, node_exporter and prometheus-operator. We need to follow up for all other monitoring components:

      • Alertmanager
      • telemeter-client
      • Prometheus
      • Grafana
      • Prometheus adapter (no kube-rbac-proxy - would require #425)
      • Thanos querier
      • UWM components

      DoD:

      • Prometheus scrapes monitoring components using TLS certificates.
      • Bearer tokens are removed from all monitoring service monitors.
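One way to check the DoD above against a cluster's ServiceMonitors, as an added example that is not part of this ticket or of cluster-monitoring-operator. It assumes input in the shape of `oc get servicemonitors -A -o json` and uses the endpoint field names of the prometheus-operator ServiceMonitor API; the sample objects, names and file paths are constructed placeholders.

```python
import json

# Constructed sample shaped like `oc get servicemonitors -A -o json` (placeholder names/paths).
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "openshift-monitoring", "name": "migrated-example"},
   "spec": {"endpoints": [{"port": "https", "scheme": "https", "tlsConfig": {
     "caFile": "/placeholder/ca.crt", "certFile": "/placeholder/client.crt",
     "keyFile": "/placeholder/client.key"}}]}},
  {"metadata": {"namespace": "openshift-monitoring", "name": "legacy-example"},
   "spec": {"endpoints": [{"port": "https", "scheme": "https",
     "bearerTokenFile": "/placeholder/token",
     "tlsConfig": {"caFile": "/placeholder/ca.crt"}}]}}
]}
""")

TOKEN_FIELDS = ("bearerTokenFile", "bearerTokenSecret", "authorization")


def _is_set(value):
    # An empty selector such as {"key": ""} counts as unset.
    return any(value.values()) if isinstance(value, dict) else bool(value)


def audit_endpoint(ep):
    """Return the reasons one scrape endpoint does not meet the DoD."""
    problems = [f"uses {f}" for f in TOKEN_FIELDS if _is_set(ep.get(f))]
    tls = ep.get("tlsConfig") or {}
    has_cert = _is_set(tls.get("certFile")) or _is_set(tls.get("cert"))
    has_key = _is_set(tls.get("keyFile")) or _is_set(tls.get("keySecret"))
    if not (has_cert and has_key):
        problems.append("no client certificate/key in tlsConfig")
    return problems


def audit(service_monitors):
    """Map 'namespace/name[index]' to problems for every non-compliant endpoint."""
    report = {}
    for sm in service_monitors.get("items", []):
        meta = sm["metadata"]
        for i, ep in enumerate(sm.get("spec", {}).get("endpoints", [])):
            problems = audit_endpoint(ep)
            if problems:
                report[f"{meta['namespace']}/{meta['name']}[{i}]"] = problems
    return report


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

An empty report means every endpoint presents a client certificate and key and none still carries a bearer token setting.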

            People

              hasun@redhat.com Haoyu Sun
              spasquie@redhat.com Simon Pasquier