The way that the original operation was supposed to work [1] is that etcd has a certificates relation with easyrsa/vault, and then prometheus should have the same relation. Prometheus would then get the certs from easyrsa/vault. In the case of Vern's deployment, it looks like there was no relation between prometheus and easyrsa.
I've just done a deployment using FCE and it looks like FCE configured etcd to use easyrsa, but then related prometheus to vault, so obviously this doesn't work.
It looks like possibly the prometheus-manual interface didn't take client_cert and client_key at the time of this functionality originally being added [2].
It would seem safest to me for etcd to provide the certificates, but I'm not sure if there could be issues if etcd provides the certificates and there is a relation between prometheus and the correct one of easyrsa/vault.
[1] https://github.com/charmed-kubernetes/layer-etcd/pull/187
[2] https://github.com/juju-solutions/interface-prometheus-manual/commit/13501d437928fdafc9241f95265badf777255c8b