Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-4184

Use mTLS authentication for all monitoring components instead of bearer token

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • None
    • 4.12
    • Monitoring
    • None
    • Moderate
    • Rejected
    • False
    • Hide

      None

      Show
      None

      Description of problem:

      Not all monitoring components configure Prometheus to use mTLS for accessing their /metrics endpoint. Some continue using bearer token authentication (for instance openshift-state-metrics). 

      Version-Release number of selected component (if applicable):

      4.12

      How reproducible:

      Always

      Steps to Reproduce:

      1. Check the Prometheus configuration
      2.
      3.
      

      Actual results:

      Scrape configuration for the following monitoring components don't configure mTLS for scraping metrics:
      * openshift-state-metrics
      * thanos-ruler (when UWM is enabled)
      
      Scrape configuration looks like (note that there's no cert_file & key_file):
      
        authorization:
          type: Bearer
          credentials_file: /var/run/secrets/kubernetes.io/serviceaccount/token
        tls_config:
          ca_file: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
          server_name: cluster-monitoring-operator.openshift-monitoring.svc
          insecure_skip_verify: false
      

      Expected results:

      scrape configurations use mTLS for authentication like this:
      
        tls_config:
          ca_file: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
          cert_file: /etc/prometheus/secrets/metrics-client-certs/tls.crt
          key_file: /etc/prometheus/secrets/metrics-client-certs/tls.key
          server_name: alertmanager-main.openshift-monitoring.svc
          insecure_skip_verify: false

      Additional info:

      cluster-monitoring-operator still uses bearer token for authentication because it's managed by CVO and we have no easy way to inject the client CA into the cluster-monitoring-operator deployment.

       

       

       

       

            spasquie@redhat.com Simon Pasquier
            spasquie@redhat.com Simon Pasquier
            Junqi Zhao Junqi Zhao
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: