Details
Story
Resolution: Done
Major
Description
While debugging an issue caused by the etcd scaling test, it was discovered that Prometheus is still using bearer token authentication when scraping services. Per this enhancement: https://github.com/deads2k/openshift-enhancements/blob/master/enhancements/monitoring/client-cert-scraping.md, ServiceMonitor should be configured to use a client certificate instead. Throughout many OpenShift components, client certificates are not used.
It was also discovered that, in addition to the client certificate configuration for ServiceMonitor, kube-rbac-proxy should also be configured with the proper client-ca. For this we need to add support to openshift/kube-rbac-proxy to auto-detect the client-ca. To achieve that, openshift/kube-rbac-proxy first needs to be brought up to the current upstream version.
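One way to find the ServiceMonitors that still scrape with a bearer token, as an added example that is not part of this ticket or of any OpenShift component. It assumes the ServiceMonitors were exported as JSON; the sample names, namespaces and file paths are constructed, and the field names are the prometheus-operator ServiceMonitor endpoint fields.

```python
import json

# Constructed sample in the shape of `oc get servicemonitors -A -o json`.
# Names, namespaces and file paths are illustrative assumptions.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "ns-a", "name": "token-only"},
  "spec": {"endpoints": [{"port": "metrics", "scheme": "https",
    "bearerTokenFile": "/var/run/secrets/kubernetes.io/serviceaccount/token",
    "tlsConfig": {"caFile": "/etc/prometheus/configmaps/ca/service-ca.crt"}}]}},
 {"metadata": {"namespace": "ns-b", "name": "client-cert"},
  "spec": {"endpoints": [{"port": "metrics", "scheme": "https",
    "bearerTokenSecret": {"key": ""},
    "tlsConfig": {"caFile": "/etc/prometheus/configmaps/ca/service-ca.crt",
                  "certFile": "/etc/prometheus/secrets/client/tls.crt",
                  "keyFile": "/etc/prometheus/secrets/client/tls.key"}}]}},
 {"metadata": {"namespace": "ns-c", "name": "both"},
  "spec": {"endpoints": [{"port": "https", "scheme": "https",
    "bearerTokenFile": "/var/run/secrets/kubernetes.io/serviceaccount/token",
    "tlsConfig": {"certFile": "/etc/prometheus/secrets/client/tls.crt",
                  "keyFile": "/etc/prometheus/secrets/client/tls.key"}}]}}
]}
""")

def sends_token(ep):
    """True when the endpoint is configured to send a bearer token."""
    secret = ep.get("bearerTokenSecret") or {}  # an empty selector means unset
    return bool(ep.get("bearerTokenFile") or secret.get("name") or ep.get("authorization"))

def has_client_cert(ep):
    """True when tlsConfig carries both a client certificate and its key."""
    tls = ep.get("tlsConfig") or {}
    return bool((tls.get("certFile") or tls.get("cert")) and (tls.get("keyFile") or tls.get("keySecret")))

def audit(monitors):
    """Return (namespace, name, port, finding) per endpoint that needs attention."""
    findings = []
    for sm in monitors.get("items", []):
        meta = sm.get("metadata", {})
        for ep in sm.get("spec", {}).get("endpoints", []):
            token, cert = sends_token(ep), has_client_cert(ep)
            if cert and not token:
                continue  # client-certificate scraping only
            finding = ("client cert set, bearer token still sent" if cert
                       else "bearer token only" if token else "no client credential")
            findings.append((meta.get("namespace"), meta.get("name"), ep.get("port"), finding))
    return findings

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep="\t")
```

An endpoint reported as clean here still depends on the kube-rbac-proxy in front of it being configured with the matching client-ca, which this check does not inspect.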