Should we set insecureSkipTLSVerify: false in the APIService for production clusters and how do we provide a proper certificate? #681

@mdzhigarov

I couldn't help but notice that the APIService manifest https://github.com/kubernetes-sigs/prometheus-adapter/blob/master/deploy/manifests/api-service.yaml#L12 uses insecureSkipTLSVerify: true.

This means that the K8s Aggregator API would not verify the Prometheus Adapter's TLS certificate.
In a production cluster, does it make sense to set insecureSkipTLSVerify to false and instead provide a caBundle within the APIService? Is this how we're supposed to secure this connection?

I am not confident I understand how caBundle is supposed to work. Who is responsible for generating the caBundle certificates? How do those certificates get injected into the Prometheus adapter itself once we set them in the APIService caBundle?

In general, is there documentation that explains best practices for how to set up prometheus adapter properly for production clusters?
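
As an added example (not part of the original issue and not the project's own tooling), the script below shows one way the pieces asked about above fit together: a private CA is created, it signs a serving certificate for the adapter, and the CA certificate is what becomes the APIService `caBundle`. The Service name `prometheus-adapter`, the namespace `monitoring`, and the file names are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not project code). SVC and NS are assumed names; use your own.
set -eu
SVC="${SVC:-prometheus-adapter}"
NS="${NS:-monitoring}"
HOST="${SVC}.${NS}.svc"   # DNS name the aggregator checks in the certificate SAN

make_pki() {  # $1 = output directory
  d="$1"; mkdir -p "$d"
  # Minimal config so the result does not depend on the system openssl.cnf.
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = adapter-serving-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # 1. Private CA; its certificate is what goes into caBundle.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$d/ca.cnf" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  # 2. Key and CSR for the adapter's serving certificate.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj "/CN=${HOST}" -keyout "$d/tls.key" -out "$d/tls.csr" 2>/dev/null
  # 3. Sign it with the Service DNS name as SAN (Go TLS clients ignore CN).
  printf 'subjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' "$HOST" \
    > "$d/ext.cnf"
  openssl x509 -req -in "$d/tls.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 90 -extfile "$d/ext.cnf" -out "$d/tls.crt" 2>/dev/null
}

# Same two checks the aggregator makes: chain to the CA, and hostname match.
verify_serving_cert() {  # $1 = directory, $2 = expected hostname
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/tls.crt" \
    >/dev/null 2>&1
}

# Single-line base64 of the CA PEM, the form spec.caBundle takes in YAML.
ca_bundle() {  # $1 = directory
  openssl base64 -A -in "$1/ca.crt"
}

if [ "${1:-}" = "run" ]; then
  make_pki ./pki && verify_serving_cert ./pki "$HOST" && ca_bundle ./pki
fi
```

The printed value replaces `insecureSkipTLSVerify: true` as `caBundle` in the APIService spec, while `tls.crt` and `tls.key` are mounted into the adapter pod (typically from a Secret) and passed with its `--tls-cert-file` and `--tls-private-key-file` flags. The CA key never needs to be in the cluster, and the serving certificate has to be reissued before it expires.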
