Details
- Story
- Resolution: Unresolved
- Major
Description
While investigating TRT-413, we discovered that many service monitors are configured to use bearer token authentication. Per this document https://github.com/deads2k/openshift-enhancements/blob/master/enhancements/monitoring/client-cert-scraping.md, we should try to use client certificate authentication for metrics scraping. This is to make sure metrics collection still works even when the apiserver is not available.
Currently, the following repos have been identified to be fixed:
Additionally, it was discovered that kube-rbac-proxy is not coded properly to automatically update the client CA certificate. That issue is addressed with https://issues.redhat.com/browse/TRT-464. Until the fix lands in OpenShift, some of the above changes (repositories that use kube-rbac-proxy) will not be effective.
For the repositories that are not using kube-rbac-proxy (e.g. storage operator), the above change can be merged and verified.
How to verify
- Make sure the corresponding ServiceMonitor object contains certFile and keyFile.
- Make sure ServiceMonitor does NOT have bearerTokenFile configured.
- With the ServiceMonitor configuration verified as above, check Prometheus to make sure the service for the corresponding namespace still works. A simple "up{namespace='<namespace>'}" check should be good enough.
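
The first two verification steps can be checked mechanically across many ServiceMonitors. The script below is an added example, not code from this issue or the affected repositories; it assumes the fields sit where the prometheus-operator ServiceMonitor API places them (certFile and keyFile under each endpoint's tlsConfig, bearerTokenFile on the endpoint itself), and the sample objects are constructed.

```python
import json
import sys

# Constructed sample shaped like `oc get servicemonitors -A -o json` output.
# Namespaces, names and file paths are made up for illustration.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "ns-a", "name": "migrated"},
  "spec": {"endpoints": [{"port": "https", "tlsConfig": {
    "certFile": "/example/tls.crt", "keyFile": "/example/tls.key"}}]}},
 {"metadata": {"namespace": "ns-b", "name": "token-only"},
  "spec": {"endpoints": [{"port": "https",
    "bearerTokenFile": "/example/token"}]}},
 {"metadata": {"namespace": "ns-c", "name": "half-migrated"},
  "spec": {"endpoints": [{"port": "https", "bearerTokenFile": "/example/token",
    "tlsConfig": {"certFile": "/example/tls.crt", "keyFile": "/example/tls.key"}}]}}
]}
""")


def check_endpoint(ep):
    """Return the verification problems for one ServiceMonitor endpoint."""
    tls = ep.get("tlsConfig") or {}
    problems = [f"tlsConfig.{f} missing" for f in ("certFile", "keyFile")
                if not tls.get(f)]
    if ep.get("bearerTokenFile"):
        problems.append("bearerTokenFile still set")
    return problems


def audit(doc):
    """Map 'namespace/name[endpoint index]' to its problems; clean endpoints are omitted."""
    findings = {}
    # Accept a List object or a single ServiceMonitor.
    for sm in doc.get("items", [doc]):
        meta = sm.get("metadata") or {}
        for i, ep in enumerate((sm.get("spec") or {}).get("endpoints") or []):
            problems = check_endpoint(ep)
            if problems:
                findings[f"{meta.get('namespace')}/{meta.get('name')}[{i}]"] = problems
    return findings


if __name__ == "__main__":
    # Pass a JSON file path to audit real output; defaults to the sample.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for target, problems in sorted(audit(doc).items()):
        print(f"{target}: {', '.join(problems)}")
    sys.exit(1 if audit(doc) else 0)
```

A half-migrated endpoint that has the client certificate configured but still carries bearerTokenFile is reported as well, since the second verification step requires the token to be gone.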
Issue Links
- clones: TRT-413 Investigate 4.12 vsphere upi and ipi job pass rates (Closed)