canonical / prometheus-k8s-operator

This charmed operator automates the operational procedures of running Prometheus, an open-source metrics backend.
https://charmhub.io/prometheus-k8s
Apache License 2.0

Not able to pass a CA certificate in "tls_config" parameter #532

Closed gruyaume closed 2 months ago

gruyaume commented 11 months ago

Bug Description

Prometheus supports specifying the CA certificate of an https target. Here I'm specifically referencing the "ca" parameter (not "ca_file"). Therefore we are trying to use the prometheus_scrape integration like so:

```python
from charms.prometheus_k8s.v0.prometheus_scrape import MetricsEndpointProvider

# inside the charm's __init__
self._metrics_endpoint = MetricsEndpointProvider(
    self,
    jobs=[
        {
            "scheme": "https",
            "tls_config": {"ca": self._get_ca_certificate()},
            "metrics_path": "/v1/sys/metrics",
            "static_configs": [{"targets": [f"*:{self.VAULT_PORT}"]}],
        }
    ],
)
```

Here _get_ca_certificate() returns the CA certificate in the format:

```
-----BEGIN CERTIFICATE-----
MIIDPzCCAiegAwIBAgIUKCyyNhuiJndASdCnIEVm1VfM0lswDQYJKoZIhvcNAQEL
BQAwLDELMAkGA1UEBhMCVVMxHTAbBgNVBAMMFFZhdWx0IHNlbGYgc2lnbmVkIENB
MCAXDTIzMDkyODIzMzYxMloYDzIwNzMwOTE1MjMzNjEyWjAsMQswCQYDVQQGEwJV
UzEdMBsGA1UEAwwUVmF1bHQgc2VsZiBzaWduZWQgQ0EwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQCdiqqS4G443e5FbaFhT+VBlyTYiEA9DQYPHxpLC6a4
9EUZhGYWcVV0BRWpTPvLfRwifwZ6xPhuYB1KICYLsFyPihytFhbP0fCK46GtflVP
UERqjC8MH9gdwRRFxXUihMRxyuPBbpgIPZQXIXYuFLvVtllEgjSrrICAVPsACEbI
PFf54P13HFWWO96gUysLaOX0NoOBnqAgZPRTuUfBJW0cLmut0Ft9nxgMFFNZuSqJ
DCZ0f5gcdpliF7JREh0NbE8WkaOORpr/zsiDVOXDfAgSbJVns6Fy94/61a0l9Tq5
5FYYJepTTXaGRltXs4SnSGI9Svl5mQl+ymulHHNM9PIfAgMBAAGjVzBVMB8GA1Ud
DgQYBBYEFEHE2IDQWfHkiRl2mKKhqNzBJkXfMCEGA1UdIwQaMBiAFgQUQcTYgNBZ
8eSJGXaYoqGo3MEmRd8wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
AQEAmwrDx+K0NSho1GaSX/pA0HXD66vKlFnIdY9Ska2sML0zjMqCbTJS3/g+42gY
S4zFyDHF/bvuP1MHs+GuX4uRRbNwUWlC/USivtUEXArYoeWIHq18nUAtvoDx+guC
jyOZJeDo5Pxe2e2u8aoXgOBjmGizLmUmxBgBdyNJFBR2ZKaQ3mRG70X64+to/isJ
Shwl+c1TlhmbC0hppTqHROQB3sfxgV1OOy133fwIE58sptJ6GcEM5Aq2bm5zZYzp
4wMHaozDtRqtM4BQyBIiyMuGSpEN1n1nsj5h0JqCATZDFY1cRO0tb7/m4/ESUVoQ
F6QGQXflkcF9kX/0DcVwBF2Ucw==
-----END CERTIFICATE-----
```

This does not work as expected: Prometheus does not add this CA certificate to its configuration file.

In order to avoid this issue we have to use "insecure_skip_verify".

You can test this for yourself using this branch of the Vault K8s operator.

Reference:

To Reproduce

```shell
juju deploy prometheus-k8s
juju deploy <charm>
juju integrate <charm> prometheus-k8s
```

Where <charm> has a ca in the tls_config parameter.

Environment

Prometheus:

Relevant log output

```
unit-prometheus-0: 20:47:38 ERROR unit.prometheus/0.juju-log metrics-endpoint:34: Validating scrape jobs failed: b'time="2023-09-29T00:47:38Z" level=fatal msg="parsing YAML file /tmp/tmprz18qtv8: yaml: unmarshal errors:\\n  line 25: field ca not found in type config.TLSConfig\\n  line 25: field ca not found in type config.TLSConfig"\n'
```


Additional context

No response
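The following is an added example, not code from the prometheus-k8s charm, the Vault charm or the issue author. It shows what the sending side of a prometheus_scrape job can check before relying on the inline `ca` field, and how to fall back to `ca_file` rather than `insecure_skip_verify` when the Prometheus side rejects `ca` with the unmarshal error quoted above. It assumes the `tls_config` key names listed in the block and Vault's default port 8200; the sample CA is the certificate pasted in the issue, and the constructed job mirrors the one in the report.

```python
# Added example, not code from the prometheus-k8s charm, the Vault charm or the issue author.
# Validates a prometheus_scrape job's tls_config before it reaches Prometheus and, for a
# Prometheus whose config.TLSConfig has no inline ``ca`` field (the unmarshal error in the
# issue), rewrites ``ca`` to ``ca_file`` instead of falling back to insecure_skip_verify.
# Assumptions: the tls_config key names below; Vault scraped on its default port 8200.
import copy
import hashlib
import os
import ssl
import tempfile

# Keys accepted under scrape_configs[].tls_config; ca/cert/key are the inline variants.
TLS_CONFIG_KEYS = {"ca", "ca_file", "cert", "cert_file", "key", "key_file",
                   "server_name", "insecure_skip_verify", "min_version", "max_version"}

# Sample input: the CA certificate pasted in the issue above.
VAULT_CA_PEM = """-----BEGIN CERTIFICATE-----
MIIDPzCCAiegAwIBAgIUKCyyNhuiJndASdCnIEVm1VfM0lswDQYJKoZIhvcNAQEL
BQAwLDELMAkGA1UEBhMCVVMxHTAbBgNVBAMMFFZhdWx0IHNlbGYgc2lnbmVkIENB
MCAXDTIzMDkyODIzMzYxMloYDzIwNzMwOTE1MjMzNjEyWjAsMQswCQYDVQQGEwJV
UzEdMBsGA1UEAwwUVmF1bHQgc2VsZiBzaWduZWQgQ0EwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQCdiqqS4G443e5FbaFhT+VBlyTYiEA9DQYPHxpLC6a4
9EUZhGYWcVV0BRWpTPvLfRwifwZ6xPhuYB1KICYLsFyPihytFhbP0fCK46GtflVP
UERqjC8MH9gdwRRFxXUihMRxyuPBbpgIPZQXIXYuFLvVtllEgjSrrICAVPsACEbI
PFf54P13HFWWO96gUysLaOX0NoOBnqAgZPRTuUfBJW0cLmut0Ft9nxgMFFNZuSqJ
DCZ0f5gcdpliF7JREh0NbE8WkaOORpr/zsiDVOXDfAgSbJVns6Fy94/61a0l9Tq5
5FYYJepTTXaGRltXs4SnSGI9Svl5mQl+ymulHHNM9PIfAgMBAAGjVzBVMB8GA1Ud
DgQYBBYEFEHE2IDQWfHkiRl2mKKhqNzBJkXfMCEGA1UdIwQaMBiAFgQUQcTYgNBZ
8eSJGXaYoqGo3MEmRd8wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
AQEAmwrDx+K0NSho1GaSX/pA0HXD66vKlFnIdY9Ska2sML0zjMqCbTJS3/g+42gY
S4zFyDHF/bvuP1MHs+GuX4uRRbNwUWlC/USivtUEXArYoeWIHq18nUAtvoDx+guC
jyOZJeDo5Pxe2e2u8aoXgOBjmGizLmUmxBgBdyNJFBR2ZKaQ3mRG70X64+to/isJ
Shwl+c1TlhmbC0hppTqHROQB3sfxgV1OOy133fwIE58sptJ6GcEM5Aq2bm5zZYzp
4wMHaozDtRqtM4BQyBIiyMuGSpEN1n1nsj5h0JqCATZDFY1cRO0tb7/m4/ESUVoQ
F6QGQXflkcF9kX/0DcVwBF2Ucw==
-----END CERTIFICATE-----"""

# Constructed job in the shape the issue uses (assumed Vault port 8200).
SAMPLE_JOB = {
    "scheme": "https",
    "tls_config": {"ca": VAULT_CA_PEM},
    "metrics_path": "/v1/sys/metrics",
    "static_configs": [{"targets": ["*:8200"]}],
}


def parse_pem_certificate(pem):
    """Decode one PEM certificate, check its outer DER framing, return length and fingerprint."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())  # strips the markers and base64-decodes
    if not der or der[0] != 0x30:
        raise ValueError("CA is not a DER SEQUENCE, so not an X.509 certificate")
    if der[1] < 0x80:  # definite length: short form, or long form 0x8N followed by N bytes
        hdr, length = 2, der[1]
    else:
        n = der[1] & 0x7F
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if hdr + length != len(der):
        raise ValueError(f"DER length mismatch: header says {length}, body is {len(der) - hdr}")
    return {"der_len": len(der), "sha256": hashlib.sha256(der).hexdigest()}


def validate_tls_job(job, supports_inline_ca=True):
    """Validate a job's tls_config; supports_inline_ca=False models an older Prometheus."""
    tls = job.get("tls_config") or {}
    unknown = set(tls) - TLS_CONFIG_KEYS
    if unknown:
        raise ValueError(f"unknown tls_config field(s): {sorted(unknown)}")
    if tls.get("insecure_skip_verify"):
        raise ValueError("insecure_skip_verify disables server certificate verification")
    if not supports_inline_ca and set(tls) & {"ca", "cert", "key"}:
        raise ValueError("this Prometheus rejects inline ca/cert/key; use the *_file keys")
    if "ca" in tls:
        return parse_pem_certificate(tls["ca"])
    if "ca_file" in tls:
        return {"ca_file": tls["ca_file"]}
    raise ValueError("no ca/ca_file: a privately issued target certificate will not verify")


def validation_error(job, **kwargs):
    """Return the validation failure message, or None when the job is acceptable."""
    try:
        validate_tls_job(job, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


def materialize_ca_file(job, directory=None):
    """Rewrite inline ``ca`` as ``ca_file``: the PEM is written owner-only under a
    fingerprint-derived name; getting the file into the Prometheus container is the caller's job."""
    meta = parse_pem_certificate(job["tls_config"]["ca"])
    directory = directory or tempfile.mkdtemp(prefix="prom-ca-")
    path = os.path.join(directory, f"ca-{meta['sha256'][:16]}.pem")
    with open(path, "w") as fh:
        fh.write(job["tls_config"]["ca"].strip() + "\n")
    os.chmod(path, 0o600)
    fixed = copy.deepcopy(job)
    fixed["tls_config"].pop("ca")
    fixed["tls_config"]["ca_file"] = path
    return fixed
```

`validate_tls_job(SAMPLE_JOB)` accepts the job and reports the CA's DER length and SHA-256 fingerprint, which is worth logging so operators can see which CA a scrape is pinned to; with `supports_inline_ca=False` it rejects the same job the way the quoted Prometheus did. `materialize_ca_file` is the fallback for that case: it keeps server authentication by moving the CA to disk and pointing `ca_file` at it, whereas `insecure_skip_verify` would accept any certificate presented on the cluster network, including one from an impersonated metrics endpoint.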
gruyaume commented 11 months ago

Ahh, I'm realising that this "ca" field is relatively new and was not available in 2.43 (the current version that the charm uses); it seems to be only available as of 2.45. In any case, it would be great to be able to pass the CA content over this relation and avoid using the insecure_skip_verify parameter.

gruyaume commented 11 months ago

Tried this with the edge release of the prometheus charm (rev 149, v2.46.0) and I'm still getting this error:

```
unit-prometheus-k8s-0: 07:48:37 ERROR unit.prometheus-k8s/0.juju-log metrics-endpoint:2: Validating scrape jobs failed: b'time="2023-09-29T11:48:37Z" level=fatal msg="parsing YAML file /tmp/tmpvlm1c3do: yaml: unmarshal errors:\\n  line 25: field ca not found in type config.TLSConfig\\n  line 25: field ca not found in type config.TLSConfig\\n  line 25: field ca not found in type config.TLSConfig"\n'
```

lucabello commented 2 months ago

I believe this is not an issue anymore with the latest prometheus revision 209. Closing, but feel free to reopen if this is still an issue :)