ch-apps: upgrade to kubernetes 1.30 and improve certificate handling for standalone kubelet

1 files changed, 6 insertions, 0 deletions

diff --git a/roles/monitoring/prometheus/exporter/standalone-kubelet/tasks/main.yml b/roles/monitoring/prometheus/exporter/standalone-kubelet/tasks/main.yml
index ffeb974f..3335769a 100644
--- a/roles/monitoring/prometheus/exporter/standalone-kubelet/tasks/main.yml
+++ b/roles/monitoring/prometheus/exporter/standalone-kubelet/tasks/main.yml
@@ -4,16 +4,22 @@
     content: |
       location = /standalone-kubelet {
           proxy_pass https://{{ kubernetes_standalone_address | default('127.0.0.1') }}:{{ kubernetes_standalone_port | default(10250) }}/metrics;
+          proxy_ssl_verify on;
+          proxy_ssl_trusted_certificate /etc/ssl/standalone-kubelet/ca-crt.pem;
           proxy_ssl_certificate /etc/ssl/standalone-kubelet/client/crt.pem;
           proxy_ssl_certificate_key /etc/ssl/standalone-kubelet/client/key.pem;
       }
       location = /standalone-kubelet/resource {
           proxy_pass https://{{ kubernetes_standalone_address | default('127.0.0.1') }}:{{ kubernetes_standalone_port | default(10250) }}/metrics/resource;
+          proxy_ssl_verify on;
+          proxy_ssl_trusted_certificate /etc/ssl/standalone-kubelet/ca-crt.pem;
           proxy_ssl_certificate /etc/ssl/standalone-kubelet/client/crt.pem;
           proxy_ssl_certificate_key /etc/ssl/standalone-kubelet/client/key.pem;
       }
       location = /standalone-kubelet/probes {
           proxy_pass https://{{ kubernetes_standalone_address | default('127.0.0.1') }}:{{ kubernetes_standalone_port | default(10250) }}/metrics/probes;
+          proxy_ssl_verify on;
+          proxy_ssl_trusted_certificate /etc/ssl/standalone-kubelet/ca-crt.pem;
           proxy_ssl_certificate /etc/ssl/standalone-kubelet/client/crt.pem;
           proxy_ssl_certificate_key /etc/ssl/standalone-kubelet/client/key.pem;
       }