Update mtls doc , rearrange some parts

Sohamdg081992 · web-flow · commit 935870d04604 · 2024-05-06T22:33:53.000-07:00
diff --git a/articles/azure-monitor/containers/prometheus-metrics-scrape-configuration.md b/articles/azure-monitor/containers/prometheus-metrics-scrape-configuration.md
@@ -458,57 +458,20 @@ metric_relabel_configs:
 
 ---
 
-### TLS based scraping
-
-If you have a Prometheus instance served with TLS and you want to scrape metrics from it, you need to set scheme to `https` and set the TLS settings in your configmap or respective CRD. You can use the `tls_config` configuration property inside a custom scrape job to configure the TLS settings either using a CRD or a configmap. You need to provide a CA certificate to validate API server certificate with. The CA certificate is used to verify the authenticity of the server's certificate when Prometheus connects to the target over TLS. It helps ensure that the server's certificate is signed by a trusted authority.
-
-The secret should be created in kube-system namespace and then the configmap/CRD should be created in kube-system namespace. The order of secret creation matters. When there's no secret but a valid CRD/config map, you will find errors in collector log -> `no file found for cert....`
-
-Below are the details about how to provide the TLS config settings through a configmap or CRD.
-
-- To provide the TLS config setting in a configmap, please create the self-signed certificate and key inside your mtls enabled app.
-        An example tlsConfig inside the config map should look like this:
 
-```yaml
-tls_config:
-    ca_file: /etc/prometheus/certs/client-cert.pem
-    cert_file: /etc/prometheus/certs/client-cert.pem
-    key_file: /etc/prometheus/certs/client-key.pem
-    insecure_skip_verify: false
-```
+Prometheus supports TLS and basic authentication over its HTTP endpoints. Scraping target using HTTPS instead of HTTP is supported. You could fetch metrics using HTTPS, client-certificate authentication, and basic authentication.
 
-- To provide the TLS config setting in a CRD, please create the self-signed certificate and key inside your mtls enabled app.
-    An example tlsConfig inside a Podmonitor should look like this:
+Below are the details on 2 mechanisms of authentication. 
+1. Basic authentication
+2. TLS based authentication
 
-```yaml
-tlsConfig:
-    ca:
-        secret:
-        key: "client-cert.pem" # since it is self-signed
-        name: "ama-metrics-mtls-secret"
-    cert:
-        secret:
-        key: "client-cert.pem"
-        name: "ama-metrics-mtls-secret"
-    keySecret:
-        key: "client-key.pem"
-        name: "ama-metrics-mtls-secret"
-    insecureSkipVerify: false
-```
-> [!NOTE]
-> Make sure that the certificate file name and key name inside the mtls app is in the following format in case of a CRD based scraping.
-    For example: secret_kube-system_ama-metrics-mtls-secret_cert-name.pem and secret_kube-system_ama-metrics-mtls-secret_key-name.pem.
-> The CRD needs to be created in kube-system namespace.
-> The secret name should exactly be ama-metrics-mtls-secret in kube-system namespace. An example command for creating secret: kubectl create secret generic ama-metrics-mtls-secret --from-file=secret_kube-system_ama-metrics-mtls-secret_client-cert.pem=secret_kube-system_ama-metrics-mtls-secret_client-cert.pem --from-file=secret_kube-system_ama-metrics-mtls-secret_client-key.pem=secret_kube-system_ama-metrics-mtls-secret_client-key.pem -n kube-system
+### Basic Authentication
 
-To read more on TLS authentication, the following documents might be helpful.
+If you are using `basic_auth` setting in your prometheus configuration, please follow the steps -
 
-- Generating TLS certificates -> https://o11y.eu/blog/prometheus-server-tls/
-- Configurations -> https://prometheus.io/docs/alerting/latest/configuration/#tls_config
+Below is an example of creating a secret.
 
-### Basic Authentication
-If you are using `basic_auth` setting in your prometheus configuration, please follow the steps -
-1. Create a secret in the **kube-system** namespace named **ama-metrics-mtls-secret**
+1. Create a secret object in the **kube-system** namespace named **ama-metrics-mtls-secret**. 
 
 
 The value for password1 is **base64encoded**
@@ -524,6 +487,12 @@ type: Opaque
 data:
   password1: <base64-encoded-string>
 ```
+> [!NOTE]
+>
+> Make sure the name is **ama-metrics-mtls-secret** and it is in **kube-system** namespace.
+> 
+> Inside the secret object , you can specify as many number of secret values under data section and name them how ever you want. Each secret name-value pair specified in the data section of the secret object will be mounted as a seperate file in this /etc/prometheus/certs  location with filename(s) same as key(s) specified in the data section. The secret values should be base64 encoded before putting them under the data section.
+
 
 2. In the configmap for the custom scrape configuration use the following setting -
 ```yaml
@@ -535,15 +504,85 @@ basic_auth:
 
 > [!NOTE]
 >
-> Make sure the name is **ama-metrics-mtls-secret** and it is in **kube-system** namespace.
->
 > The **/etc/prometheus/certs/** path is mandatory, but *password1* can be any string and needs to match the key for the data in the secret created above.
 This is because the secret **ama-metrics-mtls-secret** is mounted in the path **/etc/prometheus/certs/** within the container.
 >
 > The base64 encoded value is automatically decoded by the agent pods when the secret is mounted as file.
 >
 > Any other configuration setting for authorization that is considered as a secret in the [prometheus configuration](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config) needs to use the file setting alternative instead as described above.
 
+
+### TLS based scraping
+
+If you are using `tls_config` setting in your prometheus configuration, please follow the steps -
+
+Below is an example of creating a secret.
+
+1. Create a secret object in the **kube-system** namespace named **ama-metrics-mtls-secret**. 
+
+
+The value for password1 is **base64encoded**
+The key *password1* can be anything, but just needs to match your scrapeconfig *password_file* filepath.
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ama-metrics-mtls-secret
+  namespace: kube-system
+type: Opaque
+data:
+  password1: <base64-encoded-string>
+```
+> [!NOTE]
+>
+> Make sure the name is **ama-metrics-mtls-secret** and it is in **kube-system** namespace.
+> 
+> Inside the secret object , you can specify as many number of secret values under data section and name them how ever you want. Each secret name-value pair specified in the data section of the secret object will be mounted as a seperate file in this /etc/prometheus/certs  location with filename(s) same as key(s) specified in the data section. The secret values should be base64 encoded before putting them under the data section.
+
+2. Below are the details about how to provide the TLS config settings through a configmap or CRD.
+
+- To provide the TLS config setting in a configmap, please create the self-signed certificate and key inside your mtls enabled app.
+        An example tlsConfig inside the config map should look like this:
+
+```yaml
+tls_config:
+    ca_file: /etc/prometheus/certs/client-cert.pem
+    cert_file: /etc/prometheus/certs/client-cert.pem
+    key_file: /etc/prometheus/certs/client-key.pem
+    insecure_skip_verify: false
+```
+
+- To provide the TLS config setting in a CRD, please create the self-signed certificate and key inside your mtls enabled app.
+    An example tlsConfig inside a Podmonitor should look like this:
+
+```yaml
+tlsConfig:
+    ca:
+        secret:
+        key: "client-cert.pem" # since it is self-signed
+        name: "ama-metrics-mtls-secret"
+    cert:
+        secret:
+        key: "client-cert.pem"
+        name: "ama-metrics-mtls-secret"
+    keySecret:
+        key: "client-key.pem"
+        name: "ama-metrics-mtls-secret"
+    insecureSkipVerify: false
+```
+> [!NOTE]
+>
+> Make sure that the certificate file name and key name inside the mtls app is in the following format in case of a CRD based scraping. For example: secret_kube-system_ama-metrics-mtls-secret_cert-name.pem and secret_kube-system_ama-metrics-mtls-secret_key-name.pem.
+> The CRD needs to be created in kube-system namespace.
+> The secret name should exactly be ama-metrics-mtls-secret in kube-system namespace. An example command for creating secret: kubectl create secret generic ama-metrics-mtls-secret --from-file=secret_kube-system_ama-metrics-mtls-secret_client-cert.pem=secret_kube-system_ama-metrics-mtls-secret_client-cert.pem --from-file=secret_kube-system_ama-metrics-mtls-secret_client-key.pem=secret_kube-system_ama-metrics-mtls-secret_client-key.pem -n kube-system
+> If you have a Prometheus instance served with TLS and you want to scrape metrics from it, you need to set scheme to `https` and set the TLS settings in your configmap or respective CRD. You can use the `tls_config` configuration property inside a custom scrape job to configure the TLS settings either using a CRD or a configmap. You need to provide a CA certificate to validate API server certificate with. The CA certificate is used to verify the authenticity of the server's certificate when Prometheus connects to the target over TLS. It helps ensure that the server's certificate is signed by a trusted authority.
+> The secret should be created in kube-system namespace and then the configmap/CRD should be created in kube-system namespace. The order of secret creation matters. When there's no secret but a valid CRD/config map, you will find errors in collector log -> `no file found for cert....`
+> To read more on TLS authentication, the following documents might be helpful. 
+> 
+> - Generating TLS certificates -> https://o11y.eu/blog/prometheus-server-tls/
+> - Configurations -> https://prometheus.io/docs/alerting/latest/configuration/#tls_config
+
 ## Next steps
 
 [Setup Alerts on Prometheus metrics](./container-insights-metric-alerts.md)<br>
