kubernetes-sigs / prometheus-adapter

An implementation of the custom.metrics.k8s.io API using Prometheus
Apache License 2.0
1.92k stars 554 forks

Should we set insecureSkipTLSVerify: false in the APIService for production clusters and how do we provide a proper certificate? #681

Open mdzhigarov opened 1 month ago

mdzhigarov commented 1 month ago

I couldn't help but notice that the APIService manifest https://github.com/kubernetes-sigs/prometheus-adapter/blob/master/deploy/manifests/api-service.yaml#L12 uses insecureSkipTLSVerify: true.

This means that the K8s Aggregator API would not verify the Prometheus Adapter's TLS certificate. In a production cluster, does it make sense to set insecureSkipTLSVerify to false and instead provide a caBundle within the APIService? Is this how we're supposed to secure this connection?

I am not confident I understand how caBundle is supposed to work. Who is responsible for generating the caBundle certificates? How are those certificates getting injected into the Prometheus adapter itself once we set them in the APIService caBundle?

In general, is there documentation that explains best practices around how to set up prometheus adapter properly for production clusters?
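
The script below is an added example, not code from kubernetes-sigs/prometheus-adapter or from the issue author. It renders the weak APIService (insecureSkipTLSVerify: true, as the stock manifest ships) and the hardened one (insecureSkipTLSVerify: false plus caBundle) from one template, and generates the private CA and serving certificate that the hardened form needs. Everything that is not on this page is an assumption: the Service name prometheus-adapter in namespace monitoring, the Secret name prometheus-adapter-tls, the mount path /var/run/serving-cert, and the --tls-cert-file / --tls-private-key-file flags, which are the generic Kubernetes apiserver secure-serving flags that the adapter is assumed to accept.

```shell
#!/bin/sh
# Added example (not prometheus-adapter code). Assumed names: Service
# prometheus-adapter, namespace monitoring, Secret prometheus-adapter-tls,
# flags --tls-cert-file/--tls-private-key-file. Needs openssl, base64, kubectl.
set -eu

NAMESPACE="${NAMESPACE:-monitoring}"
SERVICE="${SERVICE:-prometheus-adapter}"
SECRET="${SECRET:-prometheus-adapter-tls}"

# caBundle is the CA certificate's PEM, base64-encoded on a single line.
ca_bundle_from_pem() {
  base64 < "$1" | tr -d '\n'
}

# Render the APIService. A non-empty bundle gives the hardened form: the
# kube-apiserver aggregator verifies the adapter's serving certificate against
# it. An empty bundle gives the stock, unverified form for comparison.
render_apiservice() {
  bundle="$1"
  cat <<EOF
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1beta1.custom.metrics.k8s.io
spec:
  group: custom.metrics.k8s.io
  version: v1beta1
  groupPriorityMinimum: 100
  versionPriority: 100
  service:
    name: ${SERVICE}
    namespace: ${NAMESPACE}
EOF
  if [ -n "$bundle" ]; then
    printf '  insecureSkipTLSVerify: false\n  caBundle: %s\n' "$bundle"
  else
    printf '  insecureSkipTLSVerify: true\n'
  fi
}

# Generate a private CA and a serving certificate into directory $1. The
# aggregator dials the Service IP but verifies the certificate under the name
# <service>.<namespace>.svc, so that name must appear in subjectAltName.
generate_serving_cert() {
  dir="$1"
  dns="${SERVICE}.${NAMESPACE}.svc"
  cat > "$dir/openssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:${dns}, DNS:${dns}.cluster.local
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -config "$dir/openssl.cnf" -extensions ca_ext -subj "/CN=${SERVICE}-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
    -subj "/CN=${dns}" -keyout "$dir/tls.key" -out "$dir/tls.csr" 2>/dev/null
  openssl x509 -req -in "$dir/tls.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -extfile "$dir/openssl.cnf" -extensions server_ext \
    -out "$dir/tls.crt" 2>/dev/null
}

# Wire it up: the private key goes only into a Secret the adapter mounts;
# the APIService receives only the CA certificate.
install() {
  dir=$(mktemp -d)
  generate_serving_cert "$dir"
  kubectl -n "$NAMESPACE" create secret tls "$SECRET" \
    --cert="$dir/tls.crt" --key="$dir/tls.key" --dry-run=client -o yaml | kubectl apply -f -
  render_apiservice "$(ca_bundle_from_pem "$dir/ca.crt")" | kubectl apply -f -
  echo "Start the adapter with the Secret mounted at /var/run/serving-cert and:"
  echo "  --tls-cert-file=/var/run/serving-cert/tls.crt --tls-private-key-file=/var/run/serving-cert/tls.key"
  echo "Check: kubectl get apiservice v1beta1.custom.metrics.k8s.io -o jsonpath='{.status.conditions}'"
}

case "${1:-}" in
  install) install ;;
esac
```

Run as `sh apiservice-tls.sh install`. The point the question turns on: caBundle is never injected into the adapter. It is only the trust anchor the kube-apiserver uses when it proxies custom.metrics.k8s.io requests to the adapter, so whoever operates the cluster generates the CA, gives the adapter a serving certificate signed by it (via the Secret and the serving flags), and puts only the CA into the APIService. When the CA is rotated, both the Secret and caBundle must be updated together or the APIService goes Unavailable. The opposite direction (the adapter deciding that the caller really is the kube-apiserver) is handled separately by the front-proxy client certificate, whose CA aggregated API servers read from the extension-apiserver-authentication ConfigMap in kube-system; caBundle does nothing for that side.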

dgrisonnet commented 1 month ago

/triage accepted

dgrisonnet commented 1 month ago

We sadly don't have enough resources to look after support issues for prometheus-adapter right now.