Prometheus with direct TLS support (by using --web.config.file flag) expects strict client certificates for all HTTP endpoint consumers.
When deployed on k8s, k8s (kubelet) doesn't provide a client certificate when it probes readiness and liveness endpoints.
One needs to disable health check probes in the deployment manifests in order to deploy Prometheus with inbuilt TLS support on k8s.
See k8s documentation here (https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#http-probes). It says "'if the scheme field is set to HTTPS, the kubelet sends an HTTPS request skipping the certificate verification"
Can we move /-/ready and /-/healthy endpoints to a separate web server?
Prometheus with direct TLS support (by using --web.config.file flag) expects strict client certificates for all HTTP endpoint consumers.
When deployed on k8s, k8s (kubelet) doesn't provide a client certificate when it probes readiness and liveness endpoints.
One needs to disable health check probes in the deployment manifests in order to deploy Prometheus with inbuilt TLS support on k8s.
See k8s documentation here (https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#http-probes). It says "'if the scheme field is set to HTTPS, the kubelet sends an HTTPS request skipping the certificate verification"
Can we move /-/ready and /-/healthy endpoints to a separate web server?