From 79c5bdf760204805a9aedf901255f9d896acd98e Mon Sep 17 00:00:00 2001 From: Marco van Zijl Date: Sun, 17 May 2026 12:02:28 +0200 Subject: [PATCH] Document Metrics Server TLS follow-up --- TODO.md | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 TODO.md diff --git a/TODO.md b/TODO.md new file mode 100644 index 0000000..f893947 --- /dev/null +++ b/TODO.md @@ -0,0 +1,40 @@ +# TODO + +## Enable Trusted Kubelet Serving Certificates + +Context: +Metrics Server currently uses `--kubelet-insecure-tls` because Talos kubelet +serving certificates are not trusted by metrics-server by default. + +Goal: +Remove `--kubelet-insecure-tls` from `apps/metrics-server/values.yaml`. + +Required work: +- Enable kubelet server certificate rotation in the Talos machine config: + +```yaml +machine: + kubelet: + extraArgs: + rotate-server-certificates: true +``` + +- Add CSR approval for kubelet serving certificates, for example with + kubelet-serving-cert-approver. +- Apply the Talos config and reboot/restart kubelets as needed so new serving + certificates are requested. +- Confirm kubelet serving CSRs are approved and issued. +- Remove `--kubelet-insecure-tls` from Metrics Server. +- Verify Metrics Server still scrapes all nodes. + +Verification: + +```bash +kubectl get csr +kubectl -n kube-system logs deploy/metrics-server +kubectl top nodes +kubectl top pods -A +``` + +Reference: +- https://docs.siderolabs.com/kubernetes-guides/monitoring-and-observability/deploy-metrics-server