Not all monitoring components configure Prometheus to use mTLS for accessing their /metrics endpoint. Some continue using bearer token authentication (for instance openshift-state-metrics). 

4.12

Always

1. Check the Prometheus configuration
2.
3.

Scrape configuration for the following monitoring components don't configure mTLS for scraping metrics:
* openshift-state-metrics
* thanos-ruler (when UWM is enabled)

Scrape configuration looks like (note that there's no cert_file & key_file):

  authorization:
    type: Bearer
    credentials_file: /var/run/secrets/kubernetes.io/serviceaccount/token
  tls_config:
    ca_file: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
    server_name: cluster-monitoring-operator.openshift-monitoring.svc
    insecure_skip_verify: false

scrape configurations use mTLS for authentication like this:

  tls_config:
    ca_file: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt
    cert_file: /etc/prometheus/secrets/metrics-client-certs/tls.crt
    key_file: /etc/prometheus/secrets/metrics-client-certs/tls.key
    server_name: alertmanager-main.openshift-monitoring.svc
    insecure_skip_verify: false

cluster-monitoring-operator still uses bearer token for authentication because it's managed by CVO and we have no easy way to inject the client CA into the cluster-monitoring-operator deployment.