When the controller charm is related to e.g. OpenTelemetry Collector, it provides its CA cert through relation data so that the collector can scrape the controller's metrics on port 17010 at /introspection/metrics.
The scrape job tells us to scrape over the unit IP; however, the cert does not have a SAN IP. The SAN DNS is also missing and the CN is technically invalid. This means that the collector has to do skip_insecure_verify to scrape.
This is the result of looking at the cert with openssl:
```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            31:d3:da:eb:54:a3:01:fa:10:6e:fa:3b:df:e6:bc:c1:c0:cb:01:00
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = Juju, CN = juju-ca
        Validity
            Not Before: Jul 2 13:47:34 2025 GMT
            Not After : Jul 2 13:52:34 2035 GMT
        Subject: O = Juju, CN = juju-ca
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                58:94:AC:C5:B8:DB:9F:2A:7F:B1:FC:D8:D9:63:00:65:B1:1F:B8:F2
```
Related Issues:
- `common_name` field should be optional (canonical/tls-certificates-interface#369)
- `ca_file` not properly configured (canonical/opentelemetry-collector-k8s-operator#132)
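An added example (not code from this issue, Juju, or the collector) showing why a Go TLS client such as the collector cannot verify the scrape target by unit IP against a certificate shaped like the one above: Go's `x509.Certificate.VerifyHostname` matches IP targets only against IP SANs and ignores the CN. The helper names, the unit IP `10.1.2.3`, the `juju-controller` subject and the ECDSA keys are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeCert self-signs a throwaway certificate (hypothetical helper) with optional IP SANs.
func makeCert(cn string, isCA bool, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"Juju"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		IPAddresses:           ips, // nil means no SAN extension, as in the dump above
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyTarget applies the name check a Go TLS client runs against the scrape target.
func verifyTarget(cert *x509.Certificate, host string) error {
	return cert.VerifyHostname(host)
}

func main() {
	target := "10.1.2.3" // constructed unit IP
	ca, err1 := makeCert("juju-ca", true, nil)
	leaf, err2 := makeCert("juju-controller", false, []net.IP{net.ParseIP(target)})
	if err1 != nil || err2 != nil {
		panic("certificate generation failed")
	}
	fmt.Printf("no SAN: %v\nIP SAN: %v\n", verifyTarget(ca, target), verifyTarget(leaf, target))
}
```

The same check can be run against a real certificate by parsing it with `x509.ParseCertificate` and passing it to `verifyTarget` with the address the scrape job uses.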