Uploaded image for project: 'OpenShift Monitoring'
  1. OpenShift Monitoring
  2. MON-1850

Migrate all monitoring components to use client TLS certificate instead of bearer token for metrics scraping


    • False
    • False
    • NEW
    • NEW
    • undefined
    • Monitoring - Sprint 207, Monitoring - Sprint 208

      Thanks to https://github.com/openshift/cluster-monitoring-operator/pull/1282, Prometheus is able to authenticate using TLS certificates instead of bearer tokens when scraping metrics. This improves the reliability of metrics collection and lowers the load on the API server since there's no additional round-trip to the authentication/authorization APIs. The initial work targeted kubelet, kube-state-metrics, node_exporter and prometheus-operator. We need to follow up for all other monitoring components:

      • Alertmanager
      • telemeter-client
      • Prometheus
      • Grafana
      • Prometheus adapter (no kube-rbac-proxy - would require #425)
      • Thanos querier
      • UWM components


      • Prometheus scrapes monitoring components using TLS certificates.
      • Bearer tokens are removed from all monitoring service monitors.

            hasun@redhat.com Haoyu Sun
            spasquie@redhat.com Simon Pasquier
            0 Vote for this issue
            3 Start watching this issue