Prometheus keeps keepalive HTTP connections to targets open with expired TLS credentials even when new ones have been provided on FS

[Eilyre]

What did you do?

Trying to use Prometheus to monitor a Kubernetes cluster externally, e.g. without running the Prometheus inside the Kubernetes cluster itself. For this I use the configuration below. The main magic of the configuration happens with the ca_file, cert_file and key_file, as in our environment we provide access to Kubernetes with short lived Hashicorp Vault issued certificates.

This means that the Prometheus instance has a Vault identity and automatically updates certificates in the locations of tls_config every 30 minutes.
While the certificates are properly updated, Prometheus refuses to update it's running configuration with these certificates without a full Prometheus restart. Restarting Prometheus every 30 minutes would mean several minutes of downtime with every restart.

What did you expect to see?

Either Prometheus automatically tracks the files for changes or reloads the certificates on a HUP signal.

What did you see instead? Under which circumstances?

Certificates are not updated. When the certificates TTL arrives, Prometheus loses access to Kubernetes, even though valid certificates exist in the defined places, which can be used to access the Kubernetes endpoint. HUP'ing the Prometheus process does not help, only a full restart of the Prometheus service.

Environment

• System information:

Linux 3.10.0-1127.8.2.el7.x86_64 x86_64

• Prometheus version:

prometheus, version 2.30.3 (branch: HEAD, revision: f29caccc42557f6a8ec30ea9b3c8c089391bd5df)
build user:       root@5cff4265f0e3
build date:       20211005-16:10:52
go version:       go1.17.1
platform:         linux/amd64

• Prometheus configuration file:

  - job_name: 'kubernetes-cadvisor'
    scrape_interval: 30s
    scrape_timeout: 10s
    metrics_path: /metrics
    scheme: https
    kubernetes_sd_configs:
      - api_server: https://endpoint:6443
        role: node
        tls_config:
          ca_file: /etc/prometheus/secrets/kubernetes/ca.pem
          cert_file: /etc/prometheus/secrets/kubernetes/cert.pem
          key_file: /etc/prometheus/secrets/kubernetes/key.pem
          insecure_skip_verify: false

    tls_config:
      ca_file: /etc/prometheus/secrets/kubernetes/ca.pem
      cert_file: /etc/prometheus/secrets/kubernetes/cert.pem
      key_file: /etc/prometheus/secrets/kubernetes/key.pem
      insecure_skip_verify: false

    relabel_configs:
      - separator: ;
        regex: __meta_kubernetes_node_label_(.+)
        replacement: $1
        action: labelmap

      - separator: ;
        regex: (.*)
        target_label: __address__
        replacement: endpoint:6443
        action: replace

      - source_labels: [__meta_kubernetes_node_name]
        separator: ;
        regex: (.+)
        target_label: __metrics_path__
        replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor
        action: replace

[roidelapluie]

Can you please clarify if it is the TLS certificate to the scapes or to the kubernetes API that cause issue?

Can you confirm that the certificates are really on the disks even without a container restart?

[Eilyre]

@roidelapluie The certificates are on the disks, because a curl to the endpoint with the ca_file, cert_file and key_file works perfectly, at the same time Prometheus gets 401 Unauthorized from the same endpoint (this happens once the TTL of certificate has expired without me having restarted the Prometheus service).

[root@prometheus kubernetes]# pwd
/etc/prometheus/secrets/kubernetes
[root@prometheus kubernetes]# curl https://endpoint:6443/api/v1/nodes/node/proxy/metrics/cadvisor --cert ./cert.pem --key ./key.pem -k  -I
HTTP/1.1 200 OK
Audit-Id: 20dfb33e-6f1b-4aae-b64f-ccf3287d5127
Cache-Control: no-cache, private
Content-Type: text/plain; version=0.0.4; charset=utf-8
Date: Fri, 15 Oct 2021 08:13:34 GMT

Just for clarification, this Prometheus instance does not run inside a container, but as a systemd service on a CentOS host.

I will be looking into which tls_config segment causes the issue.

[Eilyre]

@roidelapluie Logically thinking it has to be the scrape tls_configs that's causing the issue and failing to update on reload, as in the Prometheus UI Status -> Targets, the kubernetes-cadvisor job targets are listed, they just receive a 401 Unauthorized. If it was the SD TLS, then the targets would dissapear from the job.

[roidelapluie]

401 is not a TLS issue.

In this case, Prometheus is using HTTP Keepalive to connect to the target. It seems that go' http client does keep the connection open even if the certificate is expired.

I am not sure what the correct solution to this is. If Prometheus reopens a new connection, it would use the proper certificate.

I would expect the target to close the TLS connection instead of returning a 401.

[Eilyre]

You are correct, once I let the certificates expire, update the certificates on the filesystem, reload Prometheus server, and use tcpkill to kill the keepalive connection to the apiserver endpoints, then the connection starts using the new certificates and everything works.

I presume there's currently no way to force Prometheus to drop the keepalive connections on HUP or to check for validity of certificates in it's open connections?

[roidelapluie]

It's a difficult one, I will need to poke around. What is the endpoint returning 401?

[Eilyre]

Kubernetes cadvisor scrape endpoints, so something like this: curl https://apiserver:6443/api/v1/nodes/node/proxy/metrics/cadvisor --cert ./cert.pem --key ./key.pem --cacert ./ca.pem

I presume the same would happen with any Kubernetes metrics endpoint, e.g. with curl https://apiserver:6443/metrics/ also.

The domain comes from a KUBECONFIG file's server address. It's the same API server that kubectl connects to, just with different credentials and default TLS based auth/authz.

[ide-rea]

I guess the reason why Prometheus not reload the cert and key file?
May be your cert and key file path is not changed, what changed is the cert and key file content,
but Prometheus reload the scrape config file only when the scrape config file compared different from the last time.
so send a HUP signal won't make Prometheus reload the new cert and key file.

You may change the fields, like save ca_file to a different path.

      ca_file: /etc/prometheus/secrets/kubernetes/ca.pem
      cert_file: /etc/prometheus/secrets/kubernetes/cert.pem
      key_file: /etc/prometheus/secrets/kubernetes/key.pem

[roidelapluie]

Prometheus will reload the certificates as soon as they are available but it will not cut existing connections.

[roidelapluie]

This seems like not easy to fix but we could explore the ability to close connections to targets if scrapes are failing.

However, I feel like it is unwise to close all the connections of a scrape pool because it would create a lot of reconnections and make keepalive useless in a busy setup.