scylla-operator
Verify client certs for Prometheus deployments
Is this a bug report or feature request?
- Feature Request
What should the feature do: Currently the managed Prometheus that is part of the new monitoring stack doesn't force mTLS certificate verification.
https://github.com/scylladb/scylla-operator/blob/f20887deee7a7b54c89eb2c11a19a1037f7ce18f/assets/monitoring/prometheus/v1/prometheus.yaml#L21-L22
This was done temporarily on purpose because the prometheus-operator sets up probes behind authenticated endpoints, which obviously doesn't work because kubelets don't have the client certs for mTLS. We need to start by creating a simple reproducer and report it to the prometheus-operator.
What is use case behind this feature: Security
fyi @YvanDaSilva (so you are not surprised when this gets fixed)
# Requires
- [ ] https://github.com/prometheus/prometheus/issues/9166
- [ ] https://github.com/prometheus-operator/prometheus-operator/issues/5419
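
An added example, not part of the issue or of either operator's code: a small Go program that reproduces why probes break once client-certificate verification is enforced. It uses Go's `crypto/tls` client-auth modes as a stand-in for the server-side setting (the issue does not state which value the manifest uses); `probeWithoutClientCert`, `optionalVerify`, `mandatoryVerify` and the probe path are names chosen for illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Two server-side policies from crypto/tls (assumed stand-ins for the setting
// discussed in the issue): verify a client cert only if one is offered,
// versus require and verify one on every connection (mTLS enforced).
var optionalVerify, mandatoryVerify = tls.VerifyClientCertIfGiven, tls.RequireAndVerifyClientCert

// probeWithoutClientCert starts a throwaway HTTPS server with the given
// client-auth policy and sends one GET the way a kubelet HTTP probe would:
// over TLS, but without presenting a client certificate. It returns the
// HTTP status code, or an error if the handshake or request is rejected.
func probeWithoutClientCert(policy tls.ClientAuthType) (int, error) {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) }))
	srv.TLS = &tls.Config{
		ClientAuth: policy,
		ClientCAs:  x509.NewCertPool(), // constructed: empty pool, no client cert is sent in this demo
	}
	srv.StartTLS() // httptest supplies a self-signed server certificate
	defer srv.Close()

	// srv.Client() trusts the test server certificate but carries no client cert.
	resp, err := srv.Client().Get(srv.URL + "/-/ready") // illustrative probe path
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	for _, p := range []tls.ClientAuthType{optionalVerify, mandatoryVerify} {
		code, err := probeWithoutClientCert(p)
		fmt.Printf("%v: status=%d err=%v\n", p, code, err)
	}
}
```

The certificate-less probe succeeds only under the optional policy; under the mandatory policy the server rejects the TLS handshake before any HTTP handler runs.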