Comment 4 for bug 2004612

Chris Johnston (cjohnston) wrote :

The way that the original operation was supposed to work [1] is that etcd has a certificates relation with easyrsa/vault, and then prometheus should have the same relation. Prometheus would then get the certs from easyrsa/vault. In the case of Vern's deployment, it looks like there was no relation between prometheus and easyrsa.

I've just done a deployment using FCE and it looks like FCE configured etcd to use easyrsa, but then related prometheus to vault, so obviously this doesn't work.

It looks like possibly the prometheus-manual interface didn't take client_cert and client_key at the time of this functionality originally being added [2].

It would seem safest to me for etcd to provide the certificates, but I'm not sure if there could be issues if etcd provides the certificates and there is a relation between prometheus and the correct one of easyrsa/vault.

[1] https://github.com/charmed-kubernetes/layer-etcd/pull/187
[2] https://github.com/juju-solutions/interface-prometheus-manual/commit/13501d437928fdafc9241f95265badf777255c8b