[kolla-ansible] TLS and internal VIP

Nicolas Froger nicolas at kektus.xyz
Fri May 12 08:21:52 UTC 2023


Hello,

I was debugging the monitoring stack of our deployment and I noticed
that our Prometheus could not reach the OpenStack Exporter. The error is
about a certificate name mismatch because Prometheus is scraping the
exporter with the internal IP address instead of the internal FQDN while
the certificate we have is only valid for the internal FQDN.

Indeed, the Prometheus config specifies kolla_internal_vip_address as a
target and uses HTTPS when kolla_enable_tls_internal is true. Replacing
the target with kolla_internal_fqdn, which is a DNS name for which the
certificate is valid, fixed my issue.

My question is the following: should the internal certificate also be
valid for the internal VIP when kolla_enable_tls_internal is set to true
or is it okay if it's only valid for the FQDN? In the latter case, does
it make sense if I open an issue to use the FQDN instead of the IP
address in the Prometheus config?

Regards,

-- 
Nicolas Froger
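
Added example, not part of the original message and not kolla-ansible code: a sketch of the name check a TLS client performs, showing why a scrape target given as an IP address fails against a certificate whose subjectAltName lists only a DNS name. The certificate dicts follow the shape of Python's ssl.SSLSocket.getpeercert(); the FQDN, the address and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample certificates in the dict shape returned by
# ssl.SSLSocket.getpeercert(); names and addresses are placeholders.
CERT_FQDN_ONLY = {
    "subjectAltName": (("DNS", "internal.cloud.example.test"),),
}
CERT_FQDN_AND_VIP = {
    "subjectAltName": (
        ("DNS", "internal.cloud.example.test"),
        ("IP Address", "192.0.2.10"),
    ),
}


def _dns_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match; a wildcard may only be the whole leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def target_covered(cert: dict, target: str) -> bool:
    """Return True if the scrape target is named in the certificate's SANs.

    An IP literal is compared only with 'IP Address' entries and a hostname
    only with 'DNS' entries, which is why an FQDN-only certificate fails
    when the client connects by IP.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        return any(
            kind == "IP Address" and ipaddress.ip_address(value) == ip
            for kind, value in sans
        )
    return any(kind == "DNS" and _dns_matches(value, target) for kind, value in sans)


def audit(cert: dict, targets: list[str]) -> dict[str, bool]:
    """Map each configured scrape target to whether the cert covers it."""
    return {t: target_covered(cert, t) for t in targets}
```

Running audit() over both the VIP and the FQDN for a given internal certificate shows which of the two forms a scrape config can safely use as its target.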


