Document Metrics Server TLS follow-up

This commit is contained in:
Marco van Zijl 2026-05-17 12:02:28 +02:00
parent 88a48ac987
commit 79c5bdf760

40
TODO.md Normal file
View File

@ -0,0 +1,40 @@
# TODO
## Enable Trusted Kubelet Serving Certificates
Context:
Metrics Server currently uses `--kubelet-insecure-tls` because Talos kubelet
serving certificates are not trusted by metrics-server by default.
Goal:
Remove `--kubelet-insecure-tls` from `apps/metrics-server/values.yaml`.
Required work:
- Enable kubelet server certificate rotation in the Talos machine config:
```yaml
machine:
kubelet:
extraArgs:
rotate-server-certificates: true
```
- Add CSR approval for kubelet serving certificates, for example with
kubelet-serving-cert-approver.
- Apply the Talos config and reboot/restart kubelets as needed so new serving
certificates are requested.
- Confirm kubelet serving CSRs are approved and issued.
- Remove `--kubelet-insecure-tls` from Metrics Server.
- Verify Metrics Server still scrapes all nodes.
Verification:
```bash
kubectl get csr
kubectl -n kube-system logs deploy/metrics-server
kubectl top nodes
kubectl top pods -A
```
Reference:
- https://docs.siderolabs.com/kubernetes-guides/monitoring-and-observability/deploy-metrics-server