If you access OCP monitoring over HTTPS, follow this section to add TLS and the related certificates for OCP and Prometheus.
Add TLS for Prometheus
For details, refer to the official Prometheus documentation: https://prometheus.ac.cn/docs/guides/tls-encryption/
When configuring TLS encryption for Prometheus, note the following points:
The generated prometheus.crt, prometheus.key, and prometheus-ca.pem files must be registered with Prometheus. Add the following configuration to the web.yml file (/etc/ is the path inside the Docker container):
tls_server_config:
  cert_file: /etc/prometheus/prometheus.crt
  key_file: /etc/prometheus/prometheus.key
Add the following parameters to the Docker startup command so the files are mounted at those paths:
-v /home/admin/docker/prometheus/prometheus.crt:/etc/prometheus/prometheus.crt -v /home/admin/docker/prometheus/prometheus.key:/etc/prometheus/prometheus.key
Add TLS for OCP
Log in to OCP and modify ocp.site.url to https://ip:port in the system parameters.
How to add Prometheus certificates to OCP
On any server that can reach Prometheus, run the following command to export the server certificate, where IP:9090 is the Prometheus address:
openssl s_client -connect IP:9090 -servername IP </dev/null 2>/dev/null | openssl x509 -out /tmp/prometheus-server.pem
Import the server certificate into the cacerts keystore of the OCP JDK, adjusting the path and password as needed. The default password is usually changeit:
keytool -importcert -noprompt -alias prometheus-61315353-9090 -file /tmp/prometheus-server.pem -cacerts -storepass changeit
Verify that the certificate was imported successfully:
keytool -list -cacerts -storepass changeit | grep prometheus
Restart the OCP container; Prometheus can then be accessed externally using the format `https://`.
How to add OCP certificates to Prometheus
Step 1: Confirm the certificate type for OCP's HTTPS port 8443
Execute the following command on a server that can access OCP:
openssl s_client -connect $OCP_IP:8443 -servername $OCP_IP </dev/null 2>/dev/null | openssl x509 -noout -issuer -subject -dates
Check the Issuer and make sure the Prometheus ca_file contains the public key certificate of that Issuer. This applies both to certificates issued by third-party CAs and to self-signed certificates.
Save the server certificate for comparison:
openssl s_client -connect $OCP_IP:8443 -servername $OCP_IP </dev/null 2>/dev/null | openssl x509 > /tmp/ocp-8443-cert.pem
Step 2: Place the self-signed/single-file certificate in the ca_file
If OCP uses a self-signed certificate (the Issuer and Subject DNs are identical), the ca_file must contain the PEM form of this server certificate itself (it can be identical to the content of /tmp/ocp-8443-cert.pem), for example:
cp /tmp/ocp-8443-cert.pem /path/on/prometheus/ocp-for-prometheus-ca.pem
You need to configure prometheus.yml as follows:
tls_config:
  ca_file: /path/on/prometheus/ocp-for-prometheus-ca.pem
Notice
Do not put a CA certificate from another machine, or Prometheus's own certificate, into the ca_file referenced by prometheus.yml; otherwise Prometheus reports an unknown authority error when it connects to OCP.
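The following script is an added example, not part of the OCP or Prometheus documentation. It turns Steps 1 and 2 and the Notice into checks you can run before mounting anything into the container: it decides whether a certificate is self-signed by comparing the Issuer and Subject DNs, writes the self-signed certificate out as the ca_file candidate, and then uses `openssl verify -CAfile` to confirm that this ca_file actually validates the OCP server certificate, which is the same trust decision Prometheus makes at scrape time. Instead of the real /tmp/ocp-8443-cert.pem it generates two throwaway self-signed certificates locally (constructed data: one standing in for OCP on port 8443, one for an unrelated certificate such as Prometheus's own), so it runs offline; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the OCP/Prometheus docs): choose and verify the
# ca_file for the OCP 8443 endpoint before it is mounted into the container.
# Requires the openssl CLI. The certificates below are constructed stand-ins;
# in real use $OCP_CERT is the /tmp/ocp-8443-cert.pem captured via s_client.
set -eu

WORK_DIR="$(mktemp -d)"
trap 'rm -rf "$WORK_DIR"' EXIT
OCP_CERT="$WORK_DIR/ocp-8443-cert.pem"   # stand-in for /tmp/ocp-8443-cert.pem
OTHER_CA="$WORK_DIR/unrelated-ca.pem"    # e.g. Prometheus's own certificate

# Generate a throwaway self-signed certificate (constructed test data).
gen_self_signed() {  # gen_self_signed <common-name> <out-pem>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK_DIR/$1.key" -out "$2" >/dev/null 2>&1
}
gen_self_signed ocp.example "$OCP_CERT"
gen_self_signed prometheus.example "$OTHER_CA"

# Step 1 check: self-signed means Issuer DN == Subject DN.
# Returns 0 for self-signed, 1 for CA-issued. The sed strips the
# "issuer="/"subject=" prefixes so both OpenSSL 1.x and 3.x output compare.
cert_is_self_signed() {  # cert_is_self_signed <pem>
    issuer="$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')"
    subject="$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')"
    [ "$issuer" = "$subject" ]
}

# Step 2 check: does this ca_file validate the server certificate?
# A failure here is what Prometheus later reports as
# "certificate signed by unknown authority".
ca_file_trusts() {  # ca_file_trusts <ca_file> <server-pem>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Writes the ca_file and prints its path when the server certificate can act
# as its own trust anchor (self-signed); returns 1 when the issuing CA's
# certificate has to be obtained instead.
choose_ca_file() {  # choose_ca_file <server-pem> <ca-file-to-write>
    if cert_is_self_signed "$1"; then
        cp "$1" "$2"   # same as the text's cp into ocp-for-prometheus-ca.pem
        echo "$2"
        return 0
    fi
    echo "Issuer differs from Subject: put the issuing CA certificate in ca_file" >&2
    return 1
}

# Walk through the procedure on the constructed certificates.
main() {
    ca_file="$WORK_DIR/ocp-for-prometheus-ca.pem"
    if choose_ca_file "$OCP_CERT" "$ca_file" >/dev/null; then
        echo "ca_file candidate written: $ca_file"
    fi
    if ca_file_trusts "$ca_file" "$OCP_CERT"; then
        echo "OK: ca_file validates the OCP certificate; safe to mount and reference"
    else
        echo "FAIL: ca_file does not validate the OCP certificate"
    fi
    # The Notice: an unrelated certificate as ca_file must be rejected.
    if ca_file_trusts "$OTHER_CA" "$OCP_CERT"; then
        echo "unexpected: unrelated certificate accepted as ca_file"
    else
        echo "As expected, an unrelated certificate as ca_file is rejected (unknown authority)"
    fi
}

main
```

Point `OCP_CERT` at the real /tmp/ocp-8443-cert.pem to use the checks on a live deployment; when `choose_ca_file` returns 1, the certificate was issued by a CA, and it is that CA's certificate (the Issuer from Step 1), not the server certificate, that belongs in ca_file.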
Step 3: Synchronize the OCP certificate to Docker
Add the following mount parameter to the Docker startup command:
-v /home/admin/docker/prometheus/ocp-for-prometheus-ca.pem:/etc/prometheus/ocp-for-prometheus-ca.pem
After the container starts, watch the Prometheus logs closely. If access to OCP fails, the OCP certificate is still not configured correctly.
Step 4: Temporarily skip OCP TLS verification
Add insecure_skip_verify: true to prometheus.yml and restart the Prometheus service:
scrape_configs:
  - job_name: 'ocp_sd'
    scheme: 'http'
    fallback_scrape_protocol: "PrometheusText1.0.0"
    tls_config:
      insecure_skip_verify: true
      # ca_file: /etc/prometheus/ocp-for-prometheus-ca.pem
    http_sd_configs:
      - url: 'https://xx.xx.xx.xx:8080/api/v2/monitor/prometheus_sd'
        tls_config:
          insecure_skip_verify: true
        basic_auth: # Credentials for calling OCP to obtain all targets from prometheus_sd
          username: "******"
          password: "******"
    basic_auth: # Credentials used when scraping the discovered targets
      username: "******"
      password: "******"
FAQ
After startup, the Prometheus port of OCP is still inaccessible. How to resolve this?
This issue arises because OCP and OCP-Agent support different transport protocols: OCP supports HTTPS authentication, while OCP-Agent only supports HTTP authentication. As a temporary workaround, add a separate job for OCP itself in prometheus.yml:
  - job_name: 'ocp_self'
    scheme: 'https'
    fallback_scrape_protocol: "PrometheusText1.0.0" # Available only in Prometheus 3.x; remove it for Prometheus 2.x.
    metrics_path: '/api/v2/actuator/prometheus'
    tls_config:
      insecure_skip_verify: true
    static_configs:
      - targets: ['xx.xx.xx.xx:8443'] # The TLS address of OCP.
    basic_auth:
      username: "******"
      password: "******"