From 415f138e7ec0a7b5bb7b72fd06015b7380351e1b Mon Sep 17 00:00:00 2001 From: Rene Dekker Date: Tue, 17 Feb 2026 09:51:49 -0800 Subject: [PATCH 1/7] Add breaking changes section to the release notes for v3.23 ep1 --- .../version-3.23-1/release-notes/index.mdx | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/calico-enterprise_versioned_docs/version-3.23-1/release-notes/index.mdx b/calico-enterprise_versioned_docs/version-3.23-1/release-notes/index.mdx index fdac719a23..314fdb6cf5 100644 --- a/calico-enterprise_versioned_docs/version-3.23-1/release-notes/index.mdx +++ b/calico-enterprise_versioned_docs/version-3.23-1/release-notes/index.mdx @@ -44,6 +44,16 @@ For more information, see [Dashboards](../observability/dashboards.mdx#ingress-g Logs and Service Graph now prioritize namespace-specific matches over GlobalNetworkSets and other namespace matches to ensure more accurate identity attribution. * User experience improvements to the Flow Summary card. +## Breaking changes +* The Manager UI deployment has been moved from the `tigera-manager` namespace to the `calico-system` namespace and is now called `calico-manager`. +If you expose the deployment via an ingress, load balancer or node port service, you need to remove these and recreate the resources in the new namespace. +This also applies to multi-cluster management users exposing the tunnel port. If you are overriding resources and / limits we suggest using the new +container name by replacing `tigera-` with `calico-`, even though we preserved backwards compatibility. +Please consult the following resources for exposing the Manager UI: + * [Access the Manager](../operations/cnx/access-the-manager.mdx). + * [Create a Management Cluster](../multicluster/set-up-multi-cluster-management/standard-install/create-a-management-cluster.mdx). + + ## Deprecated and removed features The following features are deprecated and will be removed in an upcoming release: 
@@ -60,6 +70,8 @@ The following features are deprecated and will be removed in an upcoming release * In clusters using the eBPF data plane with strict reverse path forwarding (RPF) enabled, link-local discovery packets may be incorrectly dropped. This can interfere with neighbor discovery and local network communication. This issue will be resolved in the next release. +* The combination of BPF dataplane on EKS with Bottlerocket is currently not working, we are currently investigating the issue. +* There is an issue loading the DNS parser on ARM64 with BPF dataplane, which can result in timeouts. {/* ## Bug fixes */} From 2ad778f56ff8556fdee8af0c57e81d1b372bcd0c Mon Sep 17 00:00:00 2001 From: Rene Dekker Date: Tue, 17 Feb 2026 09:53:16 -0800 Subject: [PATCH 2/7] Add breaking changes section to the release notes for v3.23 ep1 --- .../version-3.23-1/release-notes/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/calico-enterprise_versioned_docs/version-3.23-1/release-notes/index.mdx b/calico-enterprise_versioned_docs/version-3.23-1/release-notes/index.mdx index 314fdb6cf5..9c695df681 100644 --- a/calico-enterprise_versioned_docs/version-3.23-1/release-notes/index.mdx +++ b/calico-enterprise_versioned_docs/version-3.23-1/release-notes/index.mdx 
@@ -47,7 +47,7 @@ For more information, see [Dashboards](../observability/dashboards.mdx#ingress-g ## Breaking changes * The Manager UI deployment has been moved from the `tigera-manager` namespace to the `calico-system` namespace and is now called `calico-manager`. If you expose the deployment via an ingress, load balancer or node port service, you need to remove these and recreate the resources in the new namespace. -This also applies to multi-cluster management users exposing the tunnel port. If you are overriding resources and / limits we suggest using the new +This also applies to multi-cluster management users exposing the tunnel port. If you are overriding component resources and/or limits we suggest using the new container name by replacing `tigera-` with `calico-`, even though we preserved backwards compatibility. Please consult the following resources for exposing the Manager UI: * [Access the Manager](../operations/cnx/access-the-manager.mdx). From e2778507118fe4723790e23bf42334fa82d00cf0 Mon Sep 17 00:00:00 2001 From: Rene Dekker Date: Tue, 17 Feb 2026 11:42:38 -0800 Subject: [PATCH 3/7] Add breaking changes section to the release notes for v3.23 ep1 --- .../version-3.23-1/release-notes/index.mdx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/calico-enterprise_versioned_docs/version-3.23-1/release-notes/index.mdx b/calico-enterprise_versioned_docs/version-3.23-1/release-notes/index.mdx index 9c695df681..335bec01fc 100644 --- a/calico-enterprise_versioned_docs/version-3.23-1/release-notes/index.mdx +++ b/calico-enterprise_versioned_docs/version-3.23-1/release-notes/index.mdx 
@@ -46,10 +46,10 @@ For more information, see [Dashboards](../observability/dashboards.mdx#ingress-g ## Breaking changes * The Manager UI deployment has been moved from the `tigera-manager` namespace to the `calico-system` namespace and is now called `calico-manager`. -If you expose the deployment via an ingress, load balancer or node port service, you need to remove these and recreate the resources in the new namespace. -This also applies to multi-cluster management users exposing the tunnel port. If you are overriding component resources and/or limits we suggest using the new -container name by replacing `tigera-` with `calico-`, even though we preserved backwards compatibility. -Please consult the following resources for exposing the Manager UI: + If you expose the deployment via an ingress, load balancer or node port service, you need to remove these and recreate the resources in the new namespace. + This also applies to multi-cluster management users exposing the tunnel port. If you are overriding component resources and/or limits we suggest using the new + container name by replacing `tigera-` with `calico-`, even though we preserved backwards compatibility. + Please consult the following resources for exposing the Manager UI: * [Access the Manager](../operations/cnx/access-the-manager.mdx). * [Create a Management Cluster](../multicluster/set-up-multi-cluster-management/standard-install/create-a-management-cluster.mdx). From d3fdf9d5b99386614aaa0935b6b3fb59e466ea4d Mon Sep 17 00:00:00 2001 
From: Rene Dekker Date: Fri, 20 Mar 2026 13:41:40 -0700 Subject: [PATCH 4/7] Fix BGP metrics docs: use https for mTLS endpoints and simplify troubleshooting BGP metrics in Enterprise/Cloud use mTLS, so the endpoint URL should be https not http. Added inline mTLS access instructions to bgp-metrics pages. Simplified byo-prometheus troubleshooting by collapsing 5 manual steps into a single jsonpath-based extraction command. Hardcoded tigera-prometheus namespace throughout. Co-Authored-By: Claude Opus 4.6 (1M context) --- .../monitor/metrics/bgp-metrics.mdx | 20 ++++- .../monitor/prometheus/byo-prometheus.mdx | 82 +++++-------------- .../monitor/metrics/bgp-metrics.mdx | 20 ++++- .../monitor/prometheus/byo-prometheus.mdx | 80 ++++-------------- .../monitor/metrics/bgp-metrics.mdx | 20 ++++- .../monitor/prometheus/byo-prometheus.mdx | 80 ++++-------------- .../monitor/metrics/bgp-metrics.mdx | 20 ++++- .../monitor/prometheus/byo-prometheus.mdx | 80 ++++-------------- .../monitor/metrics/bgp-metrics.mdx | 20 ++++- .../monitor/prometheus/byo-prometheus.mdx | 80 ++++-------------- .../monitor/metrics/bgp-metrics.mdx | 20 ++++- .../monitor/prometheus/byo-prometheus.mdx | 80 ++++-------------- .../monitor/metrics/bgp-metrics.mdx | 20 ++++- .../monitor/prometheus/byo-prometheus.mdx | 80 ++++-------------- 14 files changed, 260 insertions(+), 442 deletions(-) diff --git a/calico-cloud/operations/monitor/metrics/bgp-metrics.mdx b/calico-cloud/operations/monitor/metrics/bgp-metrics.mdx index 518c7b6320..253ef2fc75 100644 --- a/calico-cloud/operations/monitor/metrics/bgp-metrics.mdx +++ b/calico-cloud/operations/monitor/metrics/bgp-metrics.mdx 
@@ -70,7 +70,25 @@ The metrics generated are: - `bgp_routes_imported` - Current number of routes successfully imported into the routing table. - `bgp_route_updates_received` - Total number of route updates received over time (since startup). -$[prodname] will run BGP metrics for Prometheus by default. Metrics are directly available on each compute node at `http://:9900/metrics`. +$[prodname] will run BGP metrics for Prometheus by default. Metrics are available on each compute node at `https://:9900/metrics`, secured with mTLS. + +To access BGP metrics directly, you must use the TLS credentials: + +1. Extract the TLS credentials and CA bundle from the cluster. + + ```bash + kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem + kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem + kubectl get cm -n tigera-prometheus tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem + ``` + +1. Verify you can access the metrics. + + ```bash + curl --cacert bundle.pem --key key.pem --cert cert.pem https://:9900/metrics + ``` + +For more details on mTLS troubleshooting, see the [Bring your own Prometheus troubleshooting section](../prometheus/byo-prometheus.mdx#troubleshooting). Refer to [Configuring Prometheus](../prometheus/index.mdx) for information on how to create a new Alerting rule or updating the scraping interval for how often Prometheus collects the metrics. diff --git a/calico-cloud/operations/monitor/prometheus/byo-prometheus.mdx b/calico-cloud/operations/monitor/prometheus/byo-prometheus.mdx index bab473a2f6..fd683716f5 100644 --- a/calico-cloud/operations/monitor/prometheus/byo-prometheus.mdx +++ b/calico-cloud/operations/monitor/prometheus/byo-prometheus.mdx @@ -1,4 +1,4 @@ ---- +Ba--- description: Steps to get Calico Cloud metrics using your own Prometheus. --- 
@@ -113,14 +113,10 @@ components directly using mTLS, or if you wish to enable metrics that are disabl Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= -``` - -```bash -kubectl apply -f $[filesUrl_CE]/manifests/prometheus/elasticsearch-metrics-service-monitor.yaml -n $NAMESPACE +kubectl apply -f $[filesUrl_CE]/manifests/prometheus/elasticsearch-metrics-service-monitor.yaml -n tigera-prometheus ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. @@ -154,14 +150,10 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= +kubectl apply -f $[filesUrl_CE]/manifests/prometheus/fluentd-metrics-service-monitor.yaml -n tigera-prometheus ``` -```bash -kubectl apply -f $[filesUrl_CE]/manifests/prometheus/fluentd-metrics-service-monitor.yaml -n $NAMESPACE -``` - -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. @@ -195,14 +187,10 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= -``` - -```bash -kubectl apply -f $[filesUrl_CE]/manifests/prometheus/calico-node-monitor-service-monitor.yaml -n $NAMESPACE +kubectl apply -f $[filesUrl_CE]/manifests/prometheus/calico-node-monitor-service-monitor.yaml -n tigera-prometheus ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in tigera-prometheus. 
@@ -236,14 +224,10 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= -``` - -```bash -kubectl apply -f $[filesUrl_CE]/manifests/prometheus/kube-controller-metrics-service-monitor.yaml -n $NAMESPACE +kubectl apply -f $[filesUrl_CE]/manifests/prometheus/kube-controller-metrics-service-monitor.yaml -n tigera-prometheus ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. @@ -306,14 +290,10 @@ kubectl patch felixConfiguration default --type merge --patch '{"spec":{"windows Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= -``` - -```bash -kubectl apply -f $[filesUrl_CE]/manifests/prometheus/felix-metrics-service-monitor.yaml -n $NAMESPACE +kubectl apply -f $[filesUrl_CE]/manifests/prometheus/felix-metrics-service-monitor.yaml -n tigera-prometheus ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. @@ -341,14 +321,10 @@ installation.operator.tigera.io/default patched Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= +kubectl apply -f $[filesUrl_CE]/manifests/prometheus/typha-metrics-service-monitor.yaml -n tigera-prometheus ``` -```bash -kubectl apply -f $[filesUrl_CE]/manifests/prometheus/typha-metrics-service-monitor.yaml -n $NAMESPACE -``` - -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. 
@@ -358,7 +334,7 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied 1. Access the Prometheus dashboard using the port-forwarding feature. ```bash - kubectl port-forward pod/byo-prometheus-pod 9090:9090 -n $NAMESPACE + kubectl port-forward pod/byo-prometheus-pod 9090:9090 -n tigera-prometheus ``` 1. Browse to the Prometheus dashboard: http://localhost:9090. 
@@ -372,35 +348,15 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied This section is applicable only if you experience issues with mTLS after following the [Scrape metrics from specific components directly](#scrape-metrics-from-specific-components) section. -1. Use the following command to retrieve the tls.key and tls.cert. - - ```bash - export NAMESPACE= - ``` - - ```bash - kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o yaml - ``` - -1. Save the tls.key and tls.cert content into key and cert after base64 decode. - - ```bash - $:tls_key= - $:echo $tls_key|base64 -d >key.pem - - $:tls_cert= - $:echo $cert|base64 -d>cert.pem - ``` - -1. Get the ca-bundle certificate using this command: +1. Extract the TLS credentials and CA bundle from the cluster. ```bash - kubectl get cm -n $NAMESPACE tigera-ca-bundle -o yaml + kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem + kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem + kubectl get cm -n tigera-prometheus tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem ``` -1. Open a new file (bundle.pem) in your favorite editor, and paste the content from "BEGIN CERTIFICATE" to "END CERTIFICATE". - -1. Port-forward the prometheus pods and run this command with the forwarded port. +1. Port-forward the Prometheus pods and run this command with the forwarded port. ```bash curl --cacert bundle.pem --key key.pem --cert cert.pem https://localhost:8080/metrics diff --git a/calico-cloud_versioned_docs/version-22-2/operations/monitor/metrics/bgp-metrics.mdx b/calico-cloud_versioned_docs/version-22-2/operations/monitor/metrics/bgp-metrics.mdx index 518c7b6320..253ef2fc75 100644 --- a/calico-cloud_versioned_docs/version-22-2/operations/monitor/metrics/bgp-metrics.mdx 
+++ b/calico-cloud_versioned_docs/version-22-2/operations/monitor/metrics/bgp-metrics.mdx @@ -70,7 +70,25 @@ The metrics generated are: - `bgp_routes_imported` - Current number of routes successfully imported into the routing table. - `bgp_route_updates_received` - Total number of route updates received over time (since startup). -$[prodname] will run BGP metrics for Prometheus by default. Metrics are directly available on each compute node at `http://:9900/metrics`. +$[prodname] will run BGP metrics for Prometheus by default. Metrics are available on each compute node at `https://:9900/metrics`, secured with mTLS. + +To access BGP metrics directly, you must use the TLS credentials: + +1. Extract the TLS credentials and CA bundle from the cluster. + + ```bash + kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem + kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem + kubectl get cm -n tigera-prometheus tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem + ``` + +1. Verify you can access the metrics. + + ```bash + curl --cacert bundle.pem --key key.pem --cert cert.pem https://:9900/metrics + ``` + +For more details on mTLS troubleshooting, see the [Bring your own Prometheus troubleshooting section](../prometheus/byo-prometheus.mdx#troubleshooting). Refer to [Configuring Prometheus](../prometheus/index.mdx) for information on how to create a new Alerting rule or updating the scraping interval for how often Prometheus collects the metrics. diff --git a/calico-cloud_versioned_docs/version-22-2/operations/monitor/prometheus/byo-prometheus.mdx b/calico-cloud_versioned_docs/version-22-2/operations/monitor/prometheus/byo-prometheus.mdx index bab473a2f6..c0e8dd55e9 100644 --- a/calico-cloud_versioned_docs/version-22-2/operations/monitor/prometheus/byo-prometheus.mdx 
+++ b/calico-cloud_versioned_docs/version-22-2/operations/monitor/prometheus/byo-prometheus.mdx @@ -113,14 +113,10 @@ components directly using mTLS, or if you wish to enable metrics that are disabl Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= +kubectl apply -f $[filesUrl_CE]/manifests/prometheus/elasticsearch-metrics-service-monitor.yaml -n tigera-prometheus ``` -```bash -kubectl apply -f $[filesUrl_CE]/manifests/prometheus/elasticsearch-metrics-service-monitor.yaml -n $NAMESPACE -``` - -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. @@ -154,14 +150,10 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= -``` - -```bash -kubectl apply -f $[filesUrl_CE]/manifests/prometheus/fluentd-metrics-service-monitor.yaml -n $NAMESPACE +kubectl apply -f $[filesUrl_CE]/manifests/prometheus/fluentd-metrics-service-monitor.yaml -n tigera-prometheus ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. 
@@ -195,14 +187,10 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= -``` - -```bash -kubectl apply -f $[filesUrl_CE]/manifests/prometheus/calico-node-monitor-service-monitor.yaml -n $NAMESPACE +kubectl apply -f $[filesUrl_CE]/manifests/prometheus/calico-node-monitor-service-monitor.yaml -n tigera-prometheus ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in tigera-prometheus. @@ -236,14 +224,10 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= -``` - -```bash -kubectl apply -f $[filesUrl_CE]/manifests/prometheus/kube-controller-metrics-service-monitor.yaml -n $NAMESPACE +kubectl apply -f $[filesUrl_CE]/manifests/prometheus/kube-controller-metrics-service-monitor.yaml -n tigera-prometheus ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. @@ -306,14 +290,10 @@ kubectl patch felixConfiguration default --type merge --patch '{"spec":{"windows Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= +kubectl apply -f $[filesUrl_CE]/manifests/prometheus/felix-metrics-service-monitor.yaml -n tigera-prometheus ``` -```bash -kubectl apply -f $[filesUrl_CE]/manifests/prometheus/felix-metrics-service-monitor.yaml -n $NAMESPACE -``` - -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. 
@@ -341,14 +321,10 @@ installation.operator.tigera.io/default patched Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= +kubectl apply -f $[filesUrl_CE]/manifests/prometheus/typha-metrics-service-monitor.yaml -n tigera-prometheus ``` -```bash -kubectl apply -f $[filesUrl_CE]/manifests/prometheus/typha-metrics-service-monitor.yaml -n $NAMESPACE -``` - -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. @@ -358,7 +334,7 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied 1. Access the Prometheus dashboard using the port-forwarding feature. ```bash - kubectl port-forward pod/byo-prometheus-pod 9090:9090 -n $NAMESPACE + kubectl port-forward pod/byo-prometheus-pod 9090:9090 -n tigera-prometheus ``` 1. Browse to the Prometheus dashboard: http://localhost:9090. 
@@ -372,35 +348,15 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied This section is applicable only if you experience issues with mTLS after following the [Scrape metrics from specific components directly](#scrape-metrics-from-specific-components) section. -1. Use the following command to retrieve the tls.key and tls.cert. - - ```bash - export NAMESPACE= - ``` +1. Extract the TLS credentials and CA bundle from the cluster. ```bash - kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o yaml + kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem + kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem + kubectl get cm -n tigera-prometheus tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem ``` -1. Save the tls.key and tls.cert content into key and cert after base64 decode. - - ```bash - $:tls_key= - $:echo $tls_key|base64 -d >key.pem - - $:tls_cert= - $:echo $cert|base64 -d>cert.pem - ``` - -1. Get the ca-bundle certificate using this command: - - ```bash - kubectl get cm -n $NAMESPACE tigera-ca-bundle -o yaml - ``` - -1. Open a new file (bundle.pem) in your favorite editor, and paste the content from "BEGIN CERTIFICATE" to "END CERTIFICATE". - -1. Port-forward the prometheus pods and run this command with the forwarded port. +1. Port-forward the Prometheus pods and run this command with the forwarded port. ```bash curl --cacert bundle.pem --key key.pem --cert cert.pem https://localhost:8080/metrics diff --git a/calico-enterprise/operations/monitor/metrics/bgp-metrics.mdx b/calico-enterprise/operations/monitor/metrics/bgp-metrics.mdx index dacb660116..7db8aba06f 100644 --- a/calico-enterprise/operations/monitor/metrics/bgp-metrics.mdx +++ b/calico-enterprise/operations/monitor/metrics/bgp-metrics.mdx 
@@ -70,7 +70,25 @@ The metrics generated are: - `bgp_routes_imported` - Current number of routes successfully imported into the routing table. - `bgp_route_updates_received` - Total number of route updates received over time (since startup). -$[prodname] will run BGP metrics for Prometheus by default. Metrics are directly available on each compute node at `http://:9900/metrics`. +$[prodname] will run BGP metrics for Prometheus by default. Metrics are available on each compute node at `https://:9900/metrics`, secured with mTLS. + +To access BGP metrics directly, you must use the TLS credentials: + +1. Extract the TLS credentials and CA bundle from the cluster. + + ```bash + kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem + kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem + kubectl get cm -n tigera-prometheus tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem + ``` + +1. Verify you can access the metrics. + + ```bash + curl --cacert bundle.pem --key key.pem --cert cert.pem https://:9900/metrics + ``` + +For more details on mTLS troubleshooting, see the [Bring your own Prometheus troubleshooting section](../prometheus/byo-prometheus.mdx#troubleshooting). Refer to [Configuring Prometheus](../prometheus/index.mdx) for information on how to create a new Alerting rule or updating the scraping interval for how often Prometheus collects the metrics. diff --git a/calico-enterprise/operations/monitor/prometheus/byo-prometheus.mdx b/calico-enterprise/operations/monitor/prometheus/byo-prometheus.mdx index 1a1e6f8a48..90d4137af9 100644 --- a/calico-enterprise/operations/monitor/prometheus/byo-prometheus.mdx +++ b/calico-enterprise/operations/monitor/prometheus/byo-prometheus.mdx 
@@ -113,14 +113,10 @@ components directly using mTLS, or if you wish to enable metrics that are disabl Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= +kubectl apply -f $[filesUrl]/manifests/prometheus/elasticsearch-metrics-service-monitor.yaml -n tigera-prometheus ``` -```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/elasticsearch-metrics-service-monitor.yaml -n $NAMESPACE -``` - -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. @@ -154,14 +150,10 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= -``` - -```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/fluentd-metrics-service-monitor.yaml -n $NAMESPACE +kubectl apply -f $[filesUrl]/manifests/prometheus/fluentd-metrics-service-monitor.yaml -n tigera-prometheus ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. @@ -195,14 +187,10 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= -``` - -```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/calico-node-monitor-service-monitor.yaml -n $NAMESPACE +kubectl apply -f $[filesUrl]/manifests/prometheus/calico-node-monitor-service-monitor.yaml -n tigera-prometheus ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in tigera-prometheus. 
@@ -236,14 +224,10 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= -``` - -```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/kube-controller-metrics-service-monitor.yaml -n $NAMESPACE +kubectl apply -f $[filesUrl]/manifests/prometheus/kube-controller-metrics-service-monitor.yaml -n tigera-prometheus ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. @@ -306,14 +290,10 @@ kubectl patch felixConfiguration default --type merge --patch '{"spec":{"windows Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= +kubectl apply -f $[filesUrl]/manifests/prometheus/felix-metrics-service-monitor.yaml -n tigera-prometheus ``` -```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/felix-metrics-service-monitor.yaml -n $NAMESPACE -``` - -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. @@ -341,14 +321,10 @@ installation.operator.tigera.io/default patched Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= +kubectl apply -f $[filesUrl]/manifests/prometheus/typha-metrics-service-monitor.yaml -n tigera-prometheus ``` -```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/typha-metrics-service-monitor.yaml -n $NAMESPACE -``` - -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. 
@@ -358,7 +334,7 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied 1. Access the Prometheus dashboard using the port-forwarding feature. ```bash - kubectl port-forward pod/byo-prometheus-pod 9090:9090 -n $NAMESPACE + kubectl port-forward pod/byo-prometheus-pod 9090:9090 -n tigera-prometheus ``` 1. Browse to the Prometheus dashboard: http://localhost:9090. 
@@ -372,35 +348,15 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied This section is applicable only if you experience issues with mTLS after following the [Scrape metrics from specific components directly](#scrape-metrics-from-specific-components) section. -1. Use the following command to retrieve the tls.key and tls.cert. - - ```bash - export NAMESPACE= - ``` +1. Extract the TLS credentials and CA bundle from the cluster. ```bash - kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o yaml + kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem + kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem + kubectl get cm -n tigera-prometheus tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem ``` -1. Save the tls.key and tls.cert content into key and cert after base64 decode. - - ```bash - $:tls_key= - $:echo $tls_key|base64 -d >key.pem - - $:tls_cert= - $:echo $cert|base64 -d>cert.pem - ``` - -1. Get the ca-bundle certificate using this command: - - ```bash - kubectl get cm -n $NAMESPACE tigera-ca-bundle -o yaml - ``` - -1. Open a new file (bundle.pem) in your favorite editor, and paste the content from "BEGIN CERTIFICATE" to "END CERTIFICATE". - -1. Port-forward the prometheus pods and run this command with the forwarded port. +1. Port-forward the Prometheus pods and run this command with the forwarded port. ```bash curl --cacert bundle.pem --key key.pem --cert cert.pem https://localhost:8080/metrics diff --git a/calico-enterprise_versioned_docs/version-3.20-2/operations/monitor/metrics/bgp-metrics.mdx b/calico-enterprise_versioned_docs/version-3.20-2/operations/monitor/metrics/bgp-metrics.mdx index dacb660116..7db8aba06f 100644 --- a/calico-enterprise_versioned_docs/version-3.20-2/operations/monitor/metrics/bgp-metrics.mdx 
+++ b/calico-enterprise_versioned_docs/version-3.20-2/operations/monitor/metrics/bgp-metrics.mdx @@ -70,7 +70,25 @@ The metrics generated are: - `bgp_routes_imported` - Current number of routes successfully imported into the routing table. - `bgp_route_updates_received` - Total number of route updates received over time (since startup). -$[prodname] will run BGP metrics for Prometheus by default. Metrics are directly available on each compute node at `http://:9900/metrics`. +$[prodname] will run BGP metrics for Prometheus by default. Metrics are available on each compute node at `https://:9900/metrics`, secured with mTLS. + +To access BGP metrics directly, you must use the TLS credentials: + +1. Extract the TLS credentials and CA bundle from the cluster. + + ```bash + kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem + kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem + kubectl get cm -n tigera-prometheus tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem + ``` + +1. Verify you can access the metrics. + + ```bash + curl --cacert bundle.pem --key key.pem --cert cert.pem https://:9900/metrics + ``` + +For more details on mTLS troubleshooting, see the [Bring your own Prometheus troubleshooting section](../prometheus/byo-prometheus.mdx#troubleshooting). Refer to [Configuring Prometheus](../prometheus/index.mdx) for information on how to create a new Alerting rule or updating the scraping interval for how often Prometheus collects the metrics. diff --git a/calico-enterprise_versioned_docs/version-3.20-2/operations/monitor/prometheus/byo-prometheus.mdx b/calico-enterprise_versioned_docs/version-3.20-2/operations/monitor/prometheus/byo-prometheus.mdx index 5f054ad01c..76e6e2174f 100644 --- a/calico-enterprise_versioned_docs/version-3.20-2/operations/monitor/prometheus/byo-prometheus.mdx 
+++ b/calico-enterprise_versioned_docs/version-3.20-2/operations/monitor/prometheus/byo-prometheus.mdx @@ -113,14 +113,10 @@ components directly using mTLS, or if you wish to enable metrics that are disabl Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= +kubectl apply -f $[filesUrl]/manifests/prometheus/elasticsearch-metrics-service-monitor.yaml -n tigera-prometheus ``` -```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/elasticsearch-metrics-service-monitor.yaml -n $NAMESPACE -``` - -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. @@ -154,14 +150,10 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= -``` - -```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/fluentd-metrics-service-monitor.yaml -n $NAMESPACE +kubectl apply -f $[filesUrl]/manifests/prometheus/fluentd-metrics-service-monitor.yaml -n tigera-prometheus ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. 
@@ -195,14 +187,10 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= -``` - -```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/calico-node-monitor-service-monitor.yaml -n $NAMESPACE +kubectl apply -f $[filesUrl]/manifests/prometheus/calico-node-monitor-service-monitor.yaml -n tigera-prometheus ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in tigera-prometheus. @@ -236,14 +224,10 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= -``` - -```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/kube-controller-metrics-service-monitor.yaml -n $NAMESPACE +kubectl apply -f $[filesUrl]/manifests/prometheus/kube-controller-metrics-service-monitor.yaml -n tigera-prometheus ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. @@ -324,14 +308,10 @@ kubectl patch felixConfiguration default --type merge --patch '{"spec":{"windows Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= +kubectl apply -f $[filesUrl]/manifests/prometheus/felix-metrics-service-monitor.yaml -n tigera-prometheus ``` -```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/felix-metrics-service-monitor.yaml -n $NAMESPACE -``` - -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. 
@@ -359,14 +339,10 @@ installation.operator.tigera.io/default patched Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= +kubectl apply -f $[filesUrl]/manifests/prometheus/typha-metrics-service-monitor.yaml -n tigera-prometheus ``` -```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/typha-metrics-service-monitor.yaml -n $NAMESPACE -``` - -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. @@ -376,7 +352,7 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied 1. Access the Prometheus dashboard using the port-forwarding feature. ```bash - kubectl port-forward pod/byo-prometheus-pod 9090:9090 -n $NAMESPACE + kubectl port-forward pod/byo-prometheus-pod 9090:9090 -n tigera-prometheus ``` 1. Browse to the Prometheus dashboard: http://localhost:9090. 
@@ -390,35 +366,15 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied This section is applicable only if you experience issues with mTLS after following the [Scrape metrics from specific components directly](#scrape-metrics-from-specific-components) section. -1. Use the following command to retrieve the tls.key and tls.cert. - - ```bash - export NAMESPACE= - ``` +1. Extract the TLS credentials and CA bundle from the cluster. ```bash - kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o yaml + kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem + kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem + kubectl get cm -n tigera-prometheus tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem ``` -1. Save the tls.key and tls.cert content into key and cert after base64 decode. - - ```bash - $:tls_key= - $:echo $tls_key|base64 -d >key.pem - - $:tls_cert= - $:echo $cert|base64 -d>cert.pem - ``` - -1. Get the ca-bundle certificate using this command: - - ```bash - kubectl get cm -n $NAMESPACE tigera-ca-bundle -o yaml - ``` - -1. Open a new file (bundle.pem) in your favorite editor, and paste the content from "BEGIN CERTIFICATE" to "END CERTIFICATE". - -1. Port-forward the prometheus pods and run this command with the forwarded port. +1. Port-forward the Prometheus pods and run this command with the forwarded port. ```bash curl --cacert bundle.pem --key key.pem --cert cert.pem https://localhost:8080/metrics diff --git a/calico-enterprise_versioned_docs/version-3.21-2/operations/monitor/metrics/bgp-metrics.mdx b/calico-enterprise_versioned_docs/version-3.21-2/operations/monitor/metrics/bgp-metrics.mdx index dacb660116..7db8aba06f 100644 --- a/calico-enterprise_versioned_docs/version-3.21-2/operations/monitor/metrics/bgp-metrics.mdx 
+++ b/calico-enterprise_versioned_docs/version-3.21-2/operations/monitor/metrics/bgp-metrics.mdx @@ -70,7 +70,25 @@ The metrics generated are: - `bgp_routes_imported` - Current number of routes successfully imported into the routing table. - `bgp_route_updates_received` - Total number of route updates received over time (since startup). -$[prodname] will run BGP metrics for Prometheus by default. Metrics are directly available on each compute node at `http://:9900/metrics`. +$[prodname] will run BGP metrics for Prometheus by default. Metrics are available on each compute node at `https://:9900/metrics`, secured with mTLS. + +To access BGP metrics directly, you must use the TLS credentials: + +1. Extract the TLS credentials and CA bundle from the cluster. + + ```bash + kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem + kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem + kubectl get cm -n tigera-prometheus tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem + ``` + +1. Verify you can access the metrics. + + ```bash + curl --cacert bundle.pem --key key.pem --cert cert.pem https://:9900/metrics + ``` + +For more details on mTLS troubleshooting, see the [Bring your own Prometheus troubleshooting section](../prometheus/byo-prometheus.mdx#troubleshooting). Refer to [Configuring Prometheus](../prometheus/index.mdx) for information on how to create a new Alerting rule or updating the scraping interval for how often Prometheus collects the metrics. diff --git a/calico-enterprise_versioned_docs/version-3.21-2/operations/monitor/prometheus/byo-prometheus.mdx b/calico-enterprise_versioned_docs/version-3.21-2/operations/monitor/prometheus/byo-prometheus.mdx index 1a1e6f8a48..90d4137af9 100644 --- a/calico-enterprise_versioned_docs/version-3.21-2/operations/monitor/prometheus/byo-prometheus.mdx 
+++ b/calico-enterprise_versioned_docs/version-3.21-2/operations/monitor/prometheus/byo-prometheus.mdx @@ -113,14 +113,10 @@ components directly using mTLS, or if you wish to enable metrics that are disabl Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= +kubectl apply -f $[filesUrl]/manifests/prometheus/elasticsearch-metrics-service-monitor.yaml -n tigera-prometheus ``` -```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/elasticsearch-metrics-service-monitor.yaml -n $NAMESPACE -``` - -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. @@ -154,14 +150,10 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= -``` - -```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/fluentd-metrics-service-monitor.yaml -n $NAMESPACE +kubectl apply -f $[filesUrl]/manifests/prometheus/fluentd-metrics-service-monitor.yaml -n tigera-prometheus ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. 
@@ -195,14 +187,10 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= -``` - -```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/calico-node-monitor-service-monitor.yaml -n $NAMESPACE +kubectl apply -f $[filesUrl]/manifests/prometheus/calico-node-monitor-service-monitor.yaml -n tigera-prometheus ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in tigera-prometheus. @@ -236,14 +224,10 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= -``` - -```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/kube-controller-metrics-service-monitor.yaml -n $NAMESPACE +kubectl apply -f $[filesUrl]/manifests/prometheus/kube-controller-metrics-service-monitor.yaml -n tigera-prometheus ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. @@ -306,14 +290,10 @@ kubectl patch felixConfiguration default --type merge --patch '{"spec":{"windows Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= +kubectl apply -f $[filesUrl]/manifests/prometheus/felix-metrics-service-monitor.yaml -n tigera-prometheus ``` -```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/felix-metrics-service-monitor.yaml -n $NAMESPACE -``` - -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. 
@@ -341,14 +321,10 @@ installation.operator.tigera.io/default patched Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= +kubectl apply -f $[filesUrl]/manifests/prometheus/typha-metrics-service-monitor.yaml -n tigera-prometheus ``` -```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/typha-metrics-service-monitor.yaml -n $NAMESPACE -``` - -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. @@ -358,7 +334,7 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied 1. Access the Prometheus dashboard using the port-forwarding feature. ```bash - kubectl port-forward pod/byo-prometheus-pod 9090:9090 -n $NAMESPACE + kubectl port-forward pod/byo-prometheus-pod 9090:9090 -n tigera-prometheus ``` 1. Browse to the Prometheus dashboard: http://localhost:9090. 
@@ -372,35 +348,15 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied This section is applicable only if you experience issues with mTLS after following the [Scrape metrics from specific components directly](#scrape-metrics-from-specific-components) section. -1. Use the following command to retrieve the tls.key and tls.cert. - - ```bash - export NAMESPACE= - ``` +1. Extract the TLS credentials and CA bundle from the cluster. ```bash - kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o yaml + kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem + kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem + kubectl get cm -n tigera-prometheus tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem ``` -1. Save the tls.key and tls.cert content into key and cert after base64 decode. - - ```bash - $:tls_key= - $:echo $tls_key|base64 -d >key.pem - - $:tls_cert= - $:echo $cert|base64 -d>cert.pem - ``` - -1. Get the ca-bundle certificate using this command: - - ```bash - kubectl get cm -n $NAMESPACE tigera-ca-bundle -o yaml - ``` - -1. Open a new file (bundle.pem) in your favorite editor, and paste the content from "BEGIN CERTIFICATE" to "END CERTIFICATE". - -1. Port-forward the prometheus pods and run this command with the forwarded port. +1. Port-forward the Prometheus pods and run this command with the forwarded port. ```bash curl --cacert bundle.pem --key key.pem --cert cert.pem https://localhost:8080/metrics diff --git a/calico-enterprise_versioned_docs/version-3.22-2/operations/monitor/metrics/bgp-metrics.mdx b/calico-enterprise_versioned_docs/version-3.22-2/operations/monitor/metrics/bgp-metrics.mdx index dacb660116..7db8aba06f 100644 --- a/calico-enterprise_versioned_docs/version-3.22-2/operations/monitor/metrics/bgp-metrics.mdx 
+++ b/calico-enterprise_versioned_docs/version-3.22-2/operations/monitor/metrics/bgp-metrics.mdx @@ -70,7 +70,25 @@ The metrics generated are: - `bgp_routes_imported` - Current number of routes successfully imported into the routing table. - `bgp_route_updates_received` - Total number of route updates received over time (since startup). -$[prodname] will run BGP metrics for Prometheus by default. Metrics are directly available on each compute node at `http://:9900/metrics`. +$[prodname] will run BGP metrics for Prometheus by default. Metrics are available on each compute node at `https://:9900/metrics`, secured with mTLS. + +To access BGP metrics directly, you must use the TLS credentials: + +1. Extract the TLS credentials and CA bundle from the cluster. + + ```bash + kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem + kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem + kubectl get cm -n tigera-prometheus tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem + ``` + +1. Verify you can access the metrics. + + ```bash + curl --cacert bundle.pem --key key.pem --cert cert.pem https://:9900/metrics + ``` + +For more details on mTLS troubleshooting, see the [Bring your own Prometheus troubleshooting section](../prometheus/byo-prometheus.mdx#troubleshooting). Refer to [Configuring Prometheus](../prometheus/index.mdx) for information on how to create a new Alerting rule or updating the scraping interval for how often Prometheus collects the metrics. diff --git a/calico-enterprise_versioned_docs/version-3.22-2/operations/monitor/prometheus/byo-prometheus.mdx b/calico-enterprise_versioned_docs/version-3.22-2/operations/monitor/prometheus/byo-prometheus.mdx index 1a1e6f8a48..90d4137af9 100644 --- a/calico-enterprise_versioned_docs/version-3.22-2/operations/monitor/prometheus/byo-prometheus.mdx 
+++ b/calico-enterprise_versioned_docs/version-3.22-2/operations/monitor/prometheus/byo-prometheus.mdx @@ -113,14 +113,10 @@ components directly using mTLS, or if you wish to enable metrics that are disabl Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= +kubectl apply -f $[filesUrl]/manifests/prometheus/elasticsearch-metrics-service-monitor.yaml -n tigera-prometheus ``` -```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/elasticsearch-metrics-service-monitor.yaml -n $NAMESPACE -``` - -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. @@ -154,14 +150,10 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= -``` - -```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/fluentd-metrics-service-monitor.yaml -n $NAMESPACE +kubectl apply -f $[filesUrl]/manifests/prometheus/fluentd-metrics-service-monitor.yaml -n tigera-prometheus ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. 
@@ -195,14 +187,10 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= -``` - -```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/calico-node-monitor-service-monitor.yaml -n $NAMESPACE +kubectl apply -f $[filesUrl]/manifests/prometheus/calico-node-monitor-service-monitor.yaml -n tigera-prometheus ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in tigera-prometheus. @@ -236,14 +224,10 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= -``` - -```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/kube-controller-metrics-service-monitor.yaml -n $NAMESPACE +kubectl apply -f $[filesUrl]/manifests/prometheus/kube-controller-metrics-service-monitor.yaml -n tigera-prometheus ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. @@ -306,14 +290,10 @@ kubectl patch felixConfiguration default --type merge --patch '{"spec":{"windows Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= +kubectl apply -f $[filesUrl]/manifests/prometheus/felix-metrics-service-monitor.yaml -n tigera-prometheus ``` -```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/felix-metrics-service-monitor.yaml -n $NAMESPACE -``` - -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. 
@@ -341,14 +321,10 @@ installation.operator.tigera.io/default patched Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= +kubectl apply -f $[filesUrl]/manifests/prometheus/typha-metrics-service-monitor.yaml -n tigera-prometheus ``` -```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/typha-metrics-service-monitor.yaml -n $NAMESPACE -``` - -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. @@ -358,7 +334,7 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied 1. Access the Prometheus dashboard using the port-forwarding feature. ```bash - kubectl port-forward pod/byo-prometheus-pod 9090:9090 -n $NAMESPACE + kubectl port-forward pod/byo-prometheus-pod 9090:9090 -n tigera-prometheus ``` 1. Browse to the Prometheus dashboard: http://localhost:9090. 
@@ -372,35 +348,15 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied This section is applicable only if you experience issues with mTLS after following the [Scrape metrics from specific components directly](#scrape-metrics-from-specific-components) section. -1. Use the following command to retrieve the tls.key and tls.cert. - - ```bash - export NAMESPACE= - ``` +1. Extract the TLS credentials and CA bundle from the cluster. ```bash - kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o yaml + kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem + kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem + kubectl get cm -n tigera-prometheus tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem ``` -1. Save the tls.key and tls.cert content into key and cert after base64 decode. - - ```bash - $:tls_key= - $:echo $tls_key|base64 -d >key.pem - - $:tls_cert= - $:echo $cert|base64 -d>cert.pem - ``` - -1. Get the ca-bundle certificate using this command: - - ```bash - kubectl get cm -n $NAMESPACE tigera-ca-bundle -o yaml - ``` - -1. Open a new file (bundle.pem) in your favorite editor, and paste the content from "BEGIN CERTIFICATE" to "END CERTIFICATE". - -1. Port-forward the prometheus pods and run this command with the forwarded port. +1. Port-forward the Prometheus pods and run this command with the forwarded port. ```bash curl --cacert bundle.pem --key key.pem --cert cert.pem https://localhost:8080/metrics diff --git a/calico-enterprise_versioned_docs/version-3.23-1/operations/monitor/metrics/bgp-metrics.mdx b/calico-enterprise_versioned_docs/version-3.23-1/operations/monitor/metrics/bgp-metrics.mdx index dacb660116..7db8aba06f 100644 --- a/calico-enterprise_versioned_docs/version-3.23-1/operations/monitor/metrics/bgp-metrics.mdx 
+++ b/calico-enterprise_versioned_docs/version-3.23-1/operations/monitor/metrics/bgp-metrics.mdx @@ -70,7 +70,25 @@ The metrics generated are: - `bgp_routes_imported` - Current number of routes successfully imported into the routing table. - `bgp_route_updates_received` - Total number of route updates received over time (since startup). -$[prodname] will run BGP metrics for Prometheus by default. Metrics are directly available on each compute node at `http://:9900/metrics`. +$[prodname] will run BGP metrics for Prometheus by default. Metrics are available on each compute node at `https://:9900/metrics`, secured with mTLS. + +To access BGP metrics directly, you must use the TLS credentials: + +1. Extract the TLS credentials and CA bundle from the cluster. + + ```bash + kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem + kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem + kubectl get cm -n tigera-prometheus tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem + ``` + +1. Verify you can access the metrics. + + ```bash + curl --cacert bundle.pem --key key.pem --cert cert.pem https://:9900/metrics + ``` + +For more details on mTLS troubleshooting, see the [Bring your own Prometheus troubleshooting section](../prometheus/byo-prometheus.mdx#troubleshooting). Refer to [Configuring Prometheus](../prometheus/index.mdx) for information on how to create a new Alerting rule or updating the scraping interval for how often Prometheus collects the metrics. diff --git a/calico-enterprise_versioned_docs/version-3.23-1/operations/monitor/prometheus/byo-prometheus.mdx b/calico-enterprise_versioned_docs/version-3.23-1/operations/monitor/prometheus/byo-prometheus.mdx index 1a1e6f8a48..90d4137af9 100644 --- a/calico-enterprise_versioned_docs/version-3.23-1/operations/monitor/prometheus/byo-prometheus.mdx 
+++ b/calico-enterprise_versioned_docs/version-3.23-1/operations/monitor/prometheus/byo-prometheus.mdx @@ -113,14 +113,10 @@ components directly using mTLS, or if you wish to enable metrics that are disabl Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= +kubectl apply -f $[filesUrl]/manifests/prometheus/elasticsearch-metrics-service-monitor.yaml -n tigera-prometheus ``` -```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/elasticsearch-metrics-service-monitor.yaml -n $NAMESPACE -``` - -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. @@ -154,14 +150,10 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= -``` - -```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/fluentd-metrics-service-monitor.yaml -n $NAMESPACE +kubectl apply -f $[filesUrl]/manifests/prometheus/fluentd-metrics-service-monitor.yaml -n tigera-prometheus ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. 
@@ -195,14 +187,10 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= -``` - -```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/calico-node-monitor-service-monitor.yaml -n $NAMESPACE +kubectl apply -f $[filesUrl]/manifests/prometheus/calico-node-monitor-service-monitor.yaml -n tigera-prometheus ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in tigera-prometheus. @@ -236,14 +224,10 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= -``` - -```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/kube-controller-metrics-service-monitor.yaml -n $NAMESPACE +kubectl apply -f $[filesUrl]/manifests/prometheus/kube-controller-metrics-service-monitor.yaml -n tigera-prometheus ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. @@ -306,14 +290,10 @@ kubectl patch felixConfiguration default --type merge --patch '{"spec":{"windows Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= +kubectl apply -f $[filesUrl]/manifests/prometheus/felix-metrics-service-monitor.yaml -n tigera-prometheus ``` -```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/felix-metrics-service-monitor.yaml -n $NAMESPACE -``` - -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. 
@@ -341,14 +321,10 @@ installation.operator.tigera.io/default patched Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -export NAMESPACE= +kubectl apply -f $[filesUrl]/manifests/prometheus/typha-metrics-service-monitor.yaml -n tigera-prometheus ``` -```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/typha-metrics-service-monitor.yaml -n $NAMESPACE -``` - -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. @@ -358,7 +334,7 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied 1. Access the Prometheus dashboard using the port-forwarding feature. ```bash - kubectl port-forward pod/byo-prometheus-pod 9090:9090 -n $NAMESPACE + kubectl port-forward pod/byo-prometheus-pod 9090:9090 -n tigera-prometheus ``` 1. Browse to the Prometheus dashboard: http://localhost:9090. 
@@ -372,35 +348,15 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied This section is applicable only if you experience issues with mTLS after following the [Scrape metrics from specific components directly](#scrape-metrics-from-specific-components) section. -1. Use the following command to retrieve the tls.key and tls.cert. - - ```bash - export NAMESPACE= - ``` +1. Extract the TLS credentials and CA bundle from the cluster. ```bash - kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o yaml + kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem + kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem + kubectl get cm -n tigera-prometheus tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem ``` -1. Save the tls.key and tls.cert content into key and cert after base64 decode. - - ```bash - $:tls_key= - $:echo $tls_key|base64 -d >key.pem - - $:tls_cert= - $:echo $cert|base64 -d>cert.pem - ``` - -1. Get the ca-bundle certificate using this command: - - ```bash - kubectl get cm -n $NAMESPACE tigera-ca-bundle -o yaml - ``` - -1. Open a new file (bundle.pem) in your favorite editor, and paste the content from "BEGIN CERTIFICATE" to "END CERTIFICATE". - -1. Port-forward the prometheus pods and run this command with the forwarded port. +1. Port-forward the Prometheus pods and run this command with the forwarded port. ```bash curl --cacert bundle.pem --key key.pem --cert cert.pem https://localhost:8080/metrics From 1ce6888970cca0082a518a69f050d0285836dec3 Mon Sep 17 00:00:00 2001 
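Review bot: The extraction step added to bgp-metrics.mdx in the `@@ -70,7 +70,25 @@` hunks writes the client private key to `key.pem` in the current directory with whatever umask the shell happens to have, and no step removes it afterwards. Suggest putting `umask 077` (or a `mktemp -d` working directory) before the three `kubectl get` commands and adding a closing step that deletes `key.pem`, `cert.pem` and `bundle.pem` once the curl check has passed. Because each command is a pipeline into a redirect, a missing secret or a wrong namespace also leaves an empty `key.pem` behind without an obvious error, so a note to check that the files are non-empty before running curl would help.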
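Review bot: The last step of the troubleshooting hunks in byo-prometheus.mdx (`@@ -372,35 +348,15 @@` and `@@ -390,35 +366,15 @@`) tells the reader to port-forward the Prometheus pods and then curls `https://localhost:8080/metrics`, but no port-forward command is shown there, and the only one on the page (the `@@ -358,7 +334,7 @@` hunk) forwards `9090:9090` to `pod/byo-prometheus-pod`. Since the line is being touched anyway, suggest spelling out the `kubectl port-forward` command for the pod whose metrics endpoint is being tested, with a local port that matches the curl URL. It is also worth stating which hostname the served certificate is valid for, because verification with `--cacert bundle.pem` against `localhost` only succeeds if that name is in the certificate.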
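Review bot: In the ServiceMonitor hunks of byo-prometheus.mdx (`@@ -113,14 +113,10 @@` and the ones that follow it) the unchanged context still says "Apply the ServiceMonitor to the namespace where Prometheus is running", while the command now hardcodes `-n tigera-prometheus`. On a bring-your-own Prometheus page those two can differ, so either keep a placeholder for the namespace or reword the context line to say that `tigera-prometheus` is assumed. The replacement sentence is also inconsistent: most hunks read "it is applied in the tigera-prometheus." and the calico-node hunk reads "it is applied in tigera-prometheus."; suggest "in the `tigera-prometheus` namespace" throughout.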
From: Rene Dekker Date: Fri, 20 Mar 2026 13:48:01 -0700 Subject: [PATCH 5/7] Remove byo-prometheus troubleshooting link from bgp-metrics pages and fix frontmatter typo Co-Authored-By: Claude Opus 4.6 (1M context) --- calico-cloud/operations/monitor/metrics/bgp-metrics.mdx | 2 -- calico-cloud/operations/monitor/prometheus/byo-prometheus.mdx | 2 +- .../version-22-2/operations/monitor/metrics/bgp-metrics.mdx | 2 -- calico-enterprise/operations/monitor/metrics/bgp-metrics.mdx | 2 -- .../version-3.20-2/operations/monitor/metrics/bgp-metrics.mdx | 2 -- .../version-3.21-2/operations/monitor/metrics/bgp-metrics.mdx | 2 -- .../version-3.22-2/operations/monitor/metrics/bgp-metrics.mdx | 2 -- .../version-3.23-1/operations/monitor/metrics/bgp-metrics.mdx | 2 -- 8 files changed, 1 insertion(+), 15 deletions(-) diff --git a/calico-cloud/operations/monitor/metrics/bgp-metrics.mdx b/calico-cloud/operations/monitor/metrics/bgp-metrics.mdx index 253ef2fc75..43e8b8357e 100644 --- a/calico-cloud/operations/monitor/metrics/bgp-metrics.mdx +++ b/calico-cloud/operations/monitor/metrics/bgp-metrics.mdx @@ -88,8 +88,6 @@ To access BGP metrics directly, you must use the TLS credentials: curl --cacert bundle.pem --key key.pem --cert cert.pem https://:9900/metrics ``` -For more details on mTLS troubleshooting, see the [Bring your own Prometheus troubleshooting section](../prometheus/byo-prometheus.mdx#troubleshooting). - Refer to [Configuring Prometheus](../prometheus/index.mdx) for information on how to create a new Alerting rule or updating the scraping interval for how often Prometheus collects the metrics. ### BGP peers metric diff --git a/calico-cloud/operations/monitor/prometheus/byo-prometheus.mdx b/calico-cloud/operations/monitor/prometheus/byo-prometheus.mdx index fd683716f5..c0e8dd55e9 100644 --- a/calico-cloud/operations/monitor/prometheus/byo-prometheus.mdx +++ b/calico-cloud/operations/monitor/prometheus/byo-prometheus.mdx 
@@ -1,4 +1,4 @@ -Ba--- +--- description: Steps to get Calico Cloud metrics using your own Prometheus. --- diff --git a/calico-cloud_versioned_docs/version-22-2/operations/monitor/metrics/bgp-metrics.mdx b/calico-cloud_versioned_docs/version-22-2/operations/monitor/metrics/bgp-metrics.mdx index 253ef2fc75..43e8b8357e 100644 --- a/calico-cloud_versioned_docs/version-22-2/operations/monitor/metrics/bgp-metrics.mdx +++ b/calico-cloud_versioned_docs/version-22-2/operations/monitor/metrics/bgp-metrics.mdx @@ -88,8 +88,6 @@ To access BGP metrics directly, you must use the TLS credentials: curl --cacert bundle.pem --key key.pem --cert cert.pem https://:9900/metrics ``` -For more details on mTLS troubleshooting, see the [Bring your own Prometheus troubleshooting section](../prometheus/byo-prometheus.mdx#troubleshooting). - Refer to [Configuring Prometheus](../prometheus/index.mdx) for information on how to create a new Alerting rule or updating the scraping interval for how often Prometheus collects the metrics. ### BGP peers metric diff --git a/calico-enterprise/operations/monitor/metrics/bgp-metrics.mdx b/calico-enterprise/operations/monitor/metrics/bgp-metrics.mdx index 7db8aba06f..96c2d216b5 100644 --- a/calico-enterprise/operations/monitor/metrics/bgp-metrics.mdx +++ b/calico-enterprise/operations/monitor/metrics/bgp-metrics.mdx @@ -88,8 +88,6 @@ To access BGP metrics directly, you must use the TLS credentials: curl --cacert bundle.pem --key key.pem --cert cert.pem https://:9900/metrics ``` -For more details on mTLS troubleshooting, see the [Bring your own Prometheus troubleshooting section](../prometheus/byo-prometheus.mdx#troubleshooting). - Refer to [Configuring Prometheus](../prometheus/index.mdx) for information on how to create a new Alerting rule or updating the scraping interval for how often Prometheus collects the metrics. ### BGP peers metric 
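Review bot: In the `bgp-metrics.mdx` hunks (`@@ -88,8 +88,6 @@`), the removed sentence is the only pointer visible in the hunk to where `bundle.pem`, `key.pem` and `cert.pem` come from, while the context line above it still runs `curl --cacert bundle.pem --key key.pem --cert cert.pem`. The commit message gives no reason for dropping the link. If the page does not already show the extraction commands before this point, keep a reference or inline them. The `Ba---` frontmatter fix in `byo-prometheus.mdx` is unrelated to the link removal and would be easier to track as its own commit.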
diff --git a/calico-enterprise_versioned_docs/version-3.20-2/operations/monitor/metrics/bgp-metrics.mdx b/calico-enterprise_versioned_docs/version-3.20-2/operations/monitor/metrics/bgp-metrics.mdx index 7db8aba06f..96c2d216b5 100644 --- a/calico-enterprise_versioned_docs/version-3.20-2/operations/monitor/metrics/bgp-metrics.mdx +++ b/calico-enterprise_versioned_docs/version-3.20-2/operations/monitor/metrics/bgp-metrics.mdx @@ -88,8 +88,6 @@ To access BGP metrics directly, you must use the TLS credentials: curl --cacert bundle.pem --key key.pem --cert cert.pem https://:9900/metrics ``` -For more details on mTLS troubleshooting, see the [Bring your own Prometheus troubleshooting section](../prometheus/byo-prometheus.mdx#troubleshooting). - Refer to [Configuring Prometheus](../prometheus/index.mdx) for information on how to create a new Alerting rule or updating the scraping interval for how often Prometheus collects the metrics. ### BGP peers metric diff --git a/calico-enterprise_versioned_docs/version-3.21-2/operations/monitor/metrics/bgp-metrics.mdx b/calico-enterprise_versioned_docs/version-3.21-2/operations/monitor/metrics/bgp-metrics.mdx index 7db8aba06f..96c2d216b5 100644 --- a/calico-enterprise_versioned_docs/version-3.21-2/operations/monitor/metrics/bgp-metrics.mdx +++ b/calico-enterprise_versioned_docs/version-3.21-2/operations/monitor/metrics/bgp-metrics.mdx @@ -88,8 +88,6 @@ To access BGP metrics directly, you must use the TLS credentials: curl --cacert bundle.pem --key key.pem --cert cert.pem https://:9900/metrics ``` -For more details on mTLS troubleshooting, see the [Bring your own Prometheus troubleshooting section](../prometheus/byo-prometheus.mdx#troubleshooting). - Refer to [Configuring Prometheus](../prometheus/index.mdx) for information on how to create a new Alerting rule or updating the scraping interval for how often Prometheus collects the metrics. ### BGP peers metric 
diff --git a/calico-enterprise_versioned_docs/version-3.22-2/operations/monitor/metrics/bgp-metrics.mdx b/calico-enterprise_versioned_docs/version-3.22-2/operations/monitor/metrics/bgp-metrics.mdx index 7db8aba06f..96c2d216b5 100644 --- a/calico-enterprise_versioned_docs/version-3.22-2/operations/monitor/metrics/bgp-metrics.mdx +++ b/calico-enterprise_versioned_docs/version-3.22-2/operations/monitor/metrics/bgp-metrics.mdx @@ -88,8 +88,6 @@ To access BGP metrics directly, you must use the TLS credentials: curl --cacert bundle.pem --key key.pem --cert cert.pem https://:9900/metrics ``` -For more details on mTLS troubleshooting, see the [Bring your own Prometheus troubleshooting section](../prometheus/byo-prometheus.mdx#troubleshooting). - Refer to [Configuring Prometheus](../prometheus/index.mdx) for information on how to create a new Alerting rule or updating the scraping interval for how often Prometheus collects the metrics. ### BGP peers metric diff --git a/calico-enterprise_versioned_docs/version-3.23-1/operations/monitor/metrics/bgp-metrics.mdx b/calico-enterprise_versioned_docs/version-3.23-1/operations/monitor/metrics/bgp-metrics.mdx index 7db8aba06f..96c2d216b5 100644 --- a/calico-enterprise_versioned_docs/version-3.23-1/operations/monitor/metrics/bgp-metrics.mdx +++ b/calico-enterprise_versioned_docs/version-3.23-1/operations/monitor/metrics/bgp-metrics.mdx @@ -88,8 +88,6 @@ To access BGP metrics directly, you must use the TLS credentials: curl --cacert bundle.pem --key key.pem --cert cert.pem https://:9900/metrics ``` -For more details on mTLS troubleshooting, see the [Bring your own Prometheus troubleshooting section](../prometheus/byo-prometheus.mdx#troubleshooting). - Refer to [Configuring Prometheus](../prometheus/index.mdx) for information on how to create a new Alerting rule or updating the scraping interval for how often Prometheus collects the metrics. ### BGP peers metric From 52ab195509326e9509ad1a5acb43eeb2a96243b1 Mon Sep 17 00:00:00 2001 
From: Rene Dekker Date: Fri, 20 Mar 2026 13:51:28 -0700 Subject: [PATCH 6/7] Revert export NAMESPACE changes on byo-prometheus pages, keep only troubleshooting compression The byo-prometheus pages need $NAMESPACE to remain user-configurable. Only the troubleshooting section is simplified (jsonpath extraction, removed $: prefixes, fixed $cert typo). Co-Authored-By: Claude Opus 4.6 (1M context) --- .../monitor/prometheus/byo-prometheus.mdx | 56 +++++++++++++------ .../monitor/prometheus/byo-prometheus.mdx | 56 +++++++++++++------ .../monitor/prometheus/byo-prometheus.mdx | 56 +++++++++++++------ .../monitor/prometheus/byo-prometheus.mdx | 56 +++++++++++++------ .../monitor/prometheus/byo-prometheus.mdx | 56 +++++++++++++------ .../monitor/prometheus/byo-prometheus.mdx | 56 +++++++++++++------ .../monitor/prometheus/byo-prometheus.mdx | 56 +++++++++++++------ 7 files changed, 280 insertions(+), 112 deletions(-) diff --git a/calico-cloud/operations/monitor/prometheus/byo-prometheus.mdx b/calico-cloud/operations/monitor/prometheus/byo-prometheus.mdx index c0e8dd55e9..8fa0139cfc 100644 --- a/calico-cloud/operations/monitor/prometheus/byo-prometheus.mdx +++ b/calico-cloud/operations/monitor/prometheus/byo-prometheus.mdx @@ -113,10 +113,14 @@ components directly using mTLS, or if you wish to enable metrics that are disabl Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl_CE]/manifests/prometheus/elasticsearch-metrics-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. +```bash +kubectl apply -f $[filesUrl_CE]/manifests/prometheus/elasticsearch-metrics-service-monitor.yaml -n $NAMESPACE +``` + +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. 
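Review bot: In the elasticsearch ServiceMonitor hunk (`@@ -113,10 +113,14 @@`), and in each later hunk that repeats the pattern, `export NAMESPACE=` comes back with no value or placeholder, and `-n $NAMESPACE` is unquoted. Copied as it reads here, the variable is empty and `kubectl apply ... -n` is left without an argument. Suggest showing a placeholder such as `export NAMESPACE=<your-prometheus-namespace>` and writing `-n "${NAMESPACE:?}"` so an unset or empty value fails immediately with a clear message. Setting the variable once near the top of the page would also avoid repeating the same block in every component section. The restored sentence "it is applied in the $NAMESPACE" would read better as "it is applied in the `$NAMESPACE` namespace".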
@@ -150,10 +154,14 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl_CE]/manifests/prometheus/fluentd-metrics-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. +```bash +kubectl apply -f $[filesUrl_CE]/manifests/prometheus/fluentd-metrics-service-monitor.yaml -n $NAMESPACE +``` + +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. @@ -187,10 +195,14 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl_CE]/manifests/prometheus/calico-node-monitor-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= +``` + +```bash +kubectl apply -f $[filesUrl_CE]/manifests/prometheus/calico-node-monitor-service-monitor.yaml -n $NAMESPACE ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in tigera-prometheus. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in $NAMESPACE. @@ -224,10 +236,14 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl_CE]/manifests/prometheus/kube-controller-metrics-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. +```bash +kubectl apply -f $[filesUrl_CE]/manifests/prometheus/kube-controller-metrics-service-monitor.yaml -n $NAMESPACE +``` + +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. 
@@ -290,10 +306,14 @@ kubectl patch felixConfiguration default --type merge --patch '{"spec":{"windows Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl_CE]/manifests/prometheus/felix-metrics-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. +```bash +kubectl apply -f $[filesUrl_CE]/manifests/prometheus/felix-metrics-service-monitor.yaml -n $NAMESPACE +``` + +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. @@ -321,10 +341,14 @@ installation.operator.tigera.io/default patched Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl_CE]/manifests/prometheus/typha-metrics-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= +``` + +```bash +kubectl apply -f $[filesUrl_CE]/manifests/prometheus/typha-metrics-service-monitor.yaml -n $NAMESPACE ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. @@ -334,7 +358,7 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied 1. Access the Prometheus dashboard using the port-forwarding feature. ```bash - kubectl port-forward pod/byo-prometheus-pod 9090:9090 -n tigera-prometheus + kubectl port-forward pod/byo-prometheus-pod 9090:9090 -n $NAMESPACE ``` 1. Browse to the Prometheus dashboard: http://localhost:9090. 
@@ -351,9 +375,9 @@ section. 1. Extract the TLS credentials and CA bundle from the cluster. ```bash - kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem - kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem - kubectl get cm -n tigera-prometheus tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem + kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem + kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem + kubectl get cm -n $NAMESPACE tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem ``` 1. Port-forward the Prometheus pods and run this command with the forwarded port. diff --git a/calico-cloud_versioned_docs/version-22-2/operations/monitor/prometheus/byo-prometheus.mdx b/calico-cloud_versioned_docs/version-22-2/operations/monitor/prometheus/byo-prometheus.mdx index c0e8dd55e9..8fa0139cfc 100644 --- a/calico-cloud_versioned_docs/version-22-2/operations/monitor/prometheus/byo-prometheus.mdx +++ b/calico-cloud_versioned_docs/version-22-2/operations/monitor/prometheus/byo-prometheus.mdx @@ -113,10 +113,14 @@ components directly using mTLS, or if you wish to enable metrics that are disabl Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl_CE]/manifests/prometheus/elasticsearch-metrics-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. +```bash +kubectl apply -f $[filesUrl_CE]/manifests/prometheus/elasticsearch-metrics-service-monitor.yaml -n $NAMESPACE +``` + +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. 
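Review bot: In the troubleshooting hunk for `calico-cloud/operations/monitor/prometheus/byo-prometheus.mdx` (`@@ -351,9 +375,9 @@`), the three `kubectl get` lines now depend on `$NAMESPACE`, but this section no longer sets it: the `export NAMESPACE=` block that used to open step 1 was removed earlier in the series and is not restored here. A reader who opens a fresh shell for troubleshooting gets `-n calico-node-prometheus-client-tls`, with the secret name consumed as the namespace, and the redirect still creates `key.pem`, so the mistake only surfaces later as a `curl` TLS error. Restore the export at the start of step 1, or reference the variable as `"${NAMESPACE:?}"` so the command stops before writing any file. The same applies to the identical hunk in each versioned copy.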
@@ -150,10 +154,14 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl_CE]/manifests/prometheus/fluentd-metrics-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. +```bash +kubectl apply -f $[filesUrl_CE]/manifests/prometheus/fluentd-metrics-service-monitor.yaml -n $NAMESPACE +``` + +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. @@ -187,10 +195,14 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl_CE]/manifests/prometheus/calico-node-monitor-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= +``` + +```bash +kubectl apply -f $[filesUrl_CE]/manifests/prometheus/calico-node-monitor-service-monitor.yaml -n $NAMESPACE ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in tigera-prometheus. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in $NAMESPACE. @@ -224,10 +236,14 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl_CE]/manifests/prometheus/kube-controller-metrics-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. +```bash +kubectl apply -f $[filesUrl_CE]/manifests/prometheus/kube-controller-metrics-service-monitor.yaml -n $NAMESPACE +``` + +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. 
@@ -290,10 +306,14 @@ kubectl patch felixConfiguration default --type merge --patch '{"spec":{"windows Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl_CE]/manifests/prometheus/felix-metrics-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. +```bash +kubectl apply -f $[filesUrl_CE]/manifests/prometheus/felix-metrics-service-monitor.yaml -n $NAMESPACE +``` + +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. @@ -321,10 +341,14 @@ installation.operator.tigera.io/default patched Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl_CE]/manifests/prometheus/typha-metrics-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= +``` + +```bash +kubectl apply -f $[filesUrl_CE]/manifests/prometheus/typha-metrics-service-monitor.yaml -n $NAMESPACE ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. @@ -334,7 +358,7 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied 1. Access the Prometheus dashboard using the port-forwarding feature. ```bash - kubectl port-forward pod/byo-prometheus-pod 9090:9090 -n tigera-prometheus + kubectl port-forward pod/byo-prometheus-pod 9090:9090 -n $NAMESPACE ``` 1. Browse to the Prometheus dashboard: http://localhost:9090. 
@@ -351,9 +375,9 @@ section. 1. Extract the TLS credentials and CA bundle from the cluster. ```bash - kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem - kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem - kubectl get cm -n tigera-prometheus tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem + kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem + kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem + kubectl get cm -n $NAMESPACE tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem ``` 1. Port-forward the Prometheus pods and run this command with the forwarded port. diff --git a/calico-enterprise/operations/monitor/prometheus/byo-prometheus.mdx b/calico-enterprise/operations/monitor/prometheus/byo-prometheus.mdx index 90d4137af9..6613fe5735 100644 --- a/calico-enterprise/operations/monitor/prometheus/byo-prometheus.mdx +++ b/calico-enterprise/operations/monitor/prometheus/byo-prometheus.mdx @@ -113,10 +113,14 @@ components directly using mTLS, or if you wish to enable metrics that are disabl Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/elasticsearch-metrics-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. +```bash +kubectl apply -f $[filesUrl]/manifests/prometheus/elasticsearch-metrics-service-monitor.yaml -n $NAMESPACE +``` + +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. 
@@ -150,10 +154,14 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/fluentd-metrics-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. +```bash +kubectl apply -f $[filesUrl]/manifests/prometheus/fluentd-metrics-service-monitor.yaml -n $NAMESPACE +``` + +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. @@ -187,10 +195,14 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/calico-node-monitor-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= +``` + +```bash +kubectl apply -f $[filesUrl]/manifests/prometheus/calico-node-monitor-service-monitor.yaml -n $NAMESPACE ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in tigera-prometheus. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in $NAMESPACE. @@ -224,10 +236,14 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/kube-controller-metrics-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. +```bash +kubectl apply -f $[filesUrl]/manifests/prometheus/kube-controller-metrics-service-monitor.yaml -n $NAMESPACE +``` + +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. 
@@ -290,10 +306,14 @@ kubectl patch felixConfiguration default --type merge --patch '{"spec":{"windows Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/felix-metrics-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. +```bash +kubectl apply -f $[filesUrl]/manifests/prometheus/felix-metrics-service-monitor.yaml -n $NAMESPACE +``` + +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. @@ -321,10 +341,14 @@ installation.operator.tigera.io/default patched Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/typha-metrics-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= +``` + +```bash +kubectl apply -f $[filesUrl]/manifests/prometheus/typha-metrics-service-monitor.yaml -n $NAMESPACE ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. @@ -334,7 +358,7 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied 1. Access the Prometheus dashboard using the port-forwarding feature. ```bash - kubectl port-forward pod/byo-prometheus-pod 9090:9090 -n tigera-prometheus + kubectl port-forward pod/byo-prometheus-pod 9090:9090 -n $NAMESPACE ``` 1. Browse to the Prometheus dashboard: http://localhost:9090. 
@@ -351,9 +375,9 @@ section. 1. Extract the TLS credentials and CA bundle from the cluster. ```bash - kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem - kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem - kubectl get cm -n tigera-prometheus tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem + kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem + kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem + kubectl get cm -n $NAMESPACE tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem ``` 1. Port-forward the Prometheus pods and run this command with the forwarded port. diff --git a/calico-enterprise_versioned_docs/version-3.20-2/operations/monitor/prometheus/byo-prometheus.mdx b/calico-enterprise_versioned_docs/version-3.20-2/operations/monitor/prometheus/byo-prometheus.mdx index 76e6e2174f..aae414e814 100644 --- a/calico-enterprise_versioned_docs/version-3.20-2/operations/monitor/prometheus/byo-prometheus.mdx +++ b/calico-enterprise_versioned_docs/version-3.20-2/operations/monitor/prometheus/byo-prometheus.mdx 
@@ -113,10 +113,14 @@ components directly using mTLS, or if you wish to enable metrics that are disabl Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/elasticsearch-metrics-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. +```bash +kubectl apply -f $[filesUrl]/manifests/prometheus/elasticsearch-metrics-service-monitor.yaml -n $NAMESPACE +``` + +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. @@ -150,10 +154,14 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/fluentd-metrics-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. +```bash +kubectl apply -f $[filesUrl]/manifests/prometheus/fluentd-metrics-service-monitor.yaml -n $NAMESPACE +``` + +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. @@ -187,10 +195,14 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/calico-node-monitor-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= +``` + +```bash +kubectl apply -f $[filesUrl]/manifests/prometheus/calico-node-monitor-service-monitor.yaml -n $NAMESPACE ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in tigera-prometheus. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in $NAMESPACE. 
@@ -224,10 +236,14 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/kube-controller-metrics-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. +```bash +kubectl apply -f $[filesUrl]/manifests/prometheus/kube-controller-metrics-service-monitor.yaml -n $NAMESPACE +``` + +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. @@ -308,10 +324,14 @@ kubectl patch felixConfiguration default --type merge --patch '{"spec":{"windows Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/felix-metrics-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. +```bash +kubectl apply -f $[filesUrl]/manifests/prometheus/felix-metrics-service-monitor.yaml -n $NAMESPACE +``` + +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. @@ -339,10 +359,14 @@ installation.operator.tigera.io/default patched Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/typha-metrics-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= +``` + +```bash +kubectl apply -f $[filesUrl]/manifests/prometheus/typha-metrics-service-monitor.yaml -n $NAMESPACE ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. 
@@ -352,7 +376,7 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied 1. Access the Prometheus dashboard using the port-forwarding feature. ```bash - kubectl port-forward pod/byo-prometheus-pod 9090:9090 -n tigera-prometheus + kubectl port-forward pod/byo-prometheus-pod 9090:9090 -n $NAMESPACE ``` 1. Browse to the Prometheus dashboard: http://localhost:9090. @@ -369,9 +393,9 @@ section. 1. Extract the TLS credentials and CA bundle from the cluster. ```bash - kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem - kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem - kubectl get cm -n tigera-prometheus tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem + kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem + kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem + kubectl get cm -n $NAMESPACE tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem ``` 1. Port-forward the Prometheus pods and run this command with the forwarded port. diff --git a/calico-enterprise_versioned_docs/version-3.21-2/operations/monitor/prometheus/byo-prometheus.mdx b/calico-enterprise_versioned_docs/version-3.21-2/operations/monitor/prometheus/byo-prometheus.mdx index 90d4137af9..6613fe5735 100644 --- a/calico-enterprise_versioned_docs/version-3.21-2/operations/monitor/prometheus/byo-prometheus.mdx +++ b/calico-enterprise_versioned_docs/version-3.21-2/operations/monitor/prometheus/byo-prometheus.mdx 
@@ -113,10 +113,14 @@ components directly using mTLS, or if you wish to enable metrics that are disabl Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/elasticsearch-metrics-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. +```bash +kubectl apply -f $[filesUrl]/manifests/prometheus/elasticsearch-metrics-service-monitor.yaml -n $NAMESPACE +``` + +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. @@ -150,10 +154,14 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/fluentd-metrics-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. +```bash +kubectl apply -f $[filesUrl]/manifests/prometheus/fluentd-metrics-service-monitor.yaml -n $NAMESPACE +``` + +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. @@ -187,10 +195,14 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/calico-node-monitor-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= +``` + +```bash +kubectl apply -f $[filesUrl]/manifests/prometheus/calico-node-monitor-service-monitor.yaml -n $NAMESPACE ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in tigera-prometheus. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in $NAMESPACE. 
@@ -224,10 +236,14 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/kube-controller-metrics-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. +```bash +kubectl apply -f $[filesUrl]/manifests/prometheus/kube-controller-metrics-service-monitor.yaml -n $NAMESPACE +``` + +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. @@ -290,10 +306,14 @@ kubectl patch felixConfiguration default --type merge --patch '{"spec":{"windows Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/felix-metrics-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. +```bash +kubectl apply -f $[filesUrl]/manifests/prometheus/felix-metrics-service-monitor.yaml -n $NAMESPACE +``` + +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. @@ -321,10 +341,14 @@ installation.operator.tigera.io/default patched Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/typha-metrics-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= +``` + +```bash +kubectl apply -f $[filesUrl]/manifests/prometheus/typha-metrics-service-monitor.yaml -n $NAMESPACE ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. 
@@ -334,7 +358,7 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied 1. Access the Prometheus dashboard using the port-forwarding feature. ```bash - kubectl port-forward pod/byo-prometheus-pod 9090:9090 -n tigera-prometheus + kubectl port-forward pod/byo-prometheus-pod 9090:9090 -n $NAMESPACE ``` 1. Browse to the Prometheus dashboard: http://localhost:9090. @@ -351,9 +375,9 @@ section. 1. Extract the TLS credentials and CA bundle from the cluster. ```bash - kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem - kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem - kubectl get cm -n tigera-prometheus tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem + kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem + kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem + kubectl get cm -n $NAMESPACE tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem ``` 1. Port-forward the Prometheus pods and run this command with the forwarded port. diff --git a/calico-enterprise_versioned_docs/version-3.22-2/operations/monitor/prometheus/byo-prometheus.mdx b/calico-enterprise_versioned_docs/version-3.22-2/operations/monitor/prometheus/byo-prometheus.mdx index 90d4137af9..6613fe5735 100644 --- a/calico-enterprise_versioned_docs/version-3.22-2/operations/monitor/prometheus/byo-prometheus.mdx +++ b/calico-enterprise_versioned_docs/version-3.22-2/operations/monitor/prometheus/byo-prometheus.mdx 
@@ -113,10 +113,14 @@ components directly using mTLS, or if you wish to enable metrics that are disabl Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/elasticsearch-metrics-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. +```bash +kubectl apply -f $[filesUrl]/manifests/prometheus/elasticsearch-metrics-service-monitor.yaml -n $NAMESPACE +``` + +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. @@ -150,10 +154,14 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/fluentd-metrics-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. +```bash +kubectl apply -f $[filesUrl]/manifests/prometheus/fluentd-metrics-service-monitor.yaml -n $NAMESPACE +``` + +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. @@ -187,10 +195,14 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/calico-node-monitor-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= +``` + +```bash +kubectl apply -f $[filesUrl]/manifests/prometheus/calico-node-monitor-service-monitor.yaml -n $NAMESPACE ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in tigera-prometheus. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in $NAMESPACE. 
@@ -224,10 +236,14 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/kube-controller-metrics-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. +```bash +kubectl apply -f $[filesUrl]/manifests/prometheus/kube-controller-metrics-service-monitor.yaml -n $NAMESPACE +``` + +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. @@ -290,10 +306,14 @@ kubectl patch felixConfiguration default --type merge --patch '{"spec":{"windows Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/felix-metrics-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. +```bash +kubectl apply -f $[filesUrl]/manifests/prometheus/felix-metrics-service-monitor.yaml -n $NAMESPACE +``` + +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. @@ -321,10 +341,14 @@ installation.operator.tigera.io/default patched Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/typha-metrics-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= +``` + +```bash +kubectl apply -f $[filesUrl]/manifests/prometheus/typha-metrics-service-monitor.yaml -n $NAMESPACE ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. 
@@ -334,7 +358,7 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied 1. Access the Prometheus dashboard using the port-forwarding feature. ```bash - kubectl port-forward pod/byo-prometheus-pod 9090:9090 -n tigera-prometheus + kubectl port-forward pod/byo-prometheus-pod 9090:9090 -n $NAMESPACE ``` 1. Browse to the Prometheus dashboard: http://localhost:9090. @@ -351,9 +375,9 @@ section. 1. Extract the TLS credentials and CA bundle from the cluster. ```bash - kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem - kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem - kubectl get cm -n tigera-prometheus tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem + kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem + kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem + kubectl get cm -n $NAMESPACE tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem ``` 1. Port-forward the Prometheus pods and run this command with the forwarded port. diff --git a/calico-enterprise_versioned_docs/version-3.23-1/operations/monitor/prometheus/byo-prometheus.mdx b/calico-enterprise_versioned_docs/version-3.23-1/operations/monitor/prometheus/byo-prometheus.mdx index 90d4137af9..6613fe5735 100644 --- a/calico-enterprise_versioned_docs/version-3.23-1/operations/monitor/prometheus/byo-prometheus.mdx +++ b/calico-enterprise_versioned_docs/version-3.23-1/operations/monitor/prometheus/byo-prometheus.mdx 
@@ -113,10 +113,14 @@ components directly using mTLS, or if you wish to enable metrics that are disabl Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/elasticsearch-metrics-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. +```bash +kubectl apply -f $[filesUrl]/manifests/prometheus/elasticsearch-metrics-service-monitor.yaml -n $NAMESPACE +``` + +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. @@ -150,10 +154,14 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/fluentd-metrics-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. +```bash +kubectl apply -f $[filesUrl]/manifests/prometheus/fluentd-metrics-service-monitor.yaml -n $NAMESPACE +``` + +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. @@ -187,10 +195,14 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/calico-node-monitor-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= +``` + +```bash +kubectl apply -f $[filesUrl]/manifests/prometheus/calico-node-monitor-service-monitor.yaml -n $NAMESPACE ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in tigera-prometheus. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in $NAMESPACE. 
@@ -224,10 +236,14 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/kube-controller-metrics-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. +```bash +kubectl apply -f $[filesUrl]/manifests/prometheus/kube-controller-metrics-service-monitor.yaml -n $NAMESPACE +``` + +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. @@ -290,10 +306,14 @@ kubectl patch felixConfiguration default --type merge --patch '{"spec":{"windows Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/felix-metrics-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. +```bash +kubectl apply -f $[filesUrl]/manifests/prometheus/felix-metrics-service-monitor.yaml -n $NAMESPACE +``` + +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. @@ -321,10 +341,14 @@ installation.operator.tigera.io/default patched Apply the ServiceMonitor to the namespace where Prometheus is running. ```bash -kubectl apply -f $[filesUrl]/manifests/prometheus/typha-metrics-service-monitor.yaml -n tigera-prometheus +export NAMESPACE= +``` + +```bash +kubectl apply -f $[filesUrl]/manifests/prometheus/typha-metrics-service-monitor.yaml -n $NAMESPACE ``` -The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the tigera-prometheus. +The .yamls have no namespace defined so when you apply `kubectl`, it is applied in the $NAMESPACE. 
@@ -334,7 +358,7 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied 1. Access the Prometheus dashboard using the port-forwarding feature. ```bash - kubectl port-forward pod/byo-prometheus-pod 9090:9090 -n tigera-prometheus + kubectl port-forward pod/byo-prometheus-pod 9090:9090 -n $NAMESPACE ``` 1. Browse to the Prometheus dashboard: http://localhost:9090. @@ -351,9 +375,9 @@ section. 1. Extract the TLS credentials and CA bundle from the cluster. ```bash - kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem - kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem - kubectl get cm -n tigera-prometheus tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem + kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem + kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem + kubectl get cm -n $NAMESPACE tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem ``` 1. Port-forward the Prometheus pods and run this command with the forwarded port. From 8959fb709f04db4355fa10115d7335e4563887ed Mon Sep 17 00:00:00 2001 From: Rene Dekker Date: Fri, 20 Mar 2026 13:58:26 -0700 Subject: [PATCH 7/7] Use tigera-prometheus namespace in byo-prometheus troubleshooting section The TLS secrets always live in tigera-prometheus, so hardcode that namespace in the troubleshooting jsonpath commands. Co-Authored-By: Claude Opus 4.6 (1M context) --- .../operations/monitor/prometheus/byo-prometheus.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/calico-cloud/operations/monitor/prometheus/byo-prometheus.mdx b/calico-cloud/operations/monitor/prometheus/byo-prometheus.mdx index 8fa0139cfc..78cca8be33 100644 
--- a/calico-cloud/operations/monitor/prometheus/byo-prometheus.mdx +++ b/calico-cloud/operations/monitor/prometheus/byo-prometheus.mdx @@ -375,9 +375,9 @@ section. 1. Extract the TLS credentials and CA bundle from the cluster. ```bash - kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem - kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem - kubectl get cm -n $NAMESPACE tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem + kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem + kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem + kubectl get cm -n tigera-prometheus tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem ``` 1. Port-forward the Prometheus pods and run this command with the forwarded port.
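Review bot: In the ServiceMonitor hunks (@@ -113, -150, -187, -224, -290 and -321 of each versioned byo-prometheus.mdx), the added `export NAMESPACE=` line assigns an empty value as it appears here, and nothing in the surrounding text tells the reader what to put there. Pasted unchanged, `kubectl apply -f ... -n $NAMESPACE` expands to a bare `-n` with no argument. Give the export a visible placeholder with a sentence saying it is the namespace where the reader's Prometheus runs, and consider `-n "${NAMESPACE:?set NAMESPACE first}"` so an empty or unset variable stops the command with a clear message. The closing sentence "it is applied in the $NAMESPACE" is also inconsistent across hunks (the calico-node-monitor hunk drops "the") and would read better as "applied in the namespace set in `$NAMESPACE`".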
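Review bot: The troubleshooting hunks (@@ -351,9 +375,9 in the version-3.21-2, 3.22-2 and 3.23-1 copies, and @@ -369,9 +393,9 in the file above them) still switch the three `kubectl get secret` / `kubectl get cm` commands to `-n $NAMESPACE`, while patch 7/7 states that the TLS secrets always live in tigera-prometheus and reverts only calico-cloud/operations/monitor/prometheus/byo-prometheus.mdx (1 file changed). If the same holds for the calico-enterprise versioned docs, they need the same revert; otherwise the commit message should say why they differ. As written there is a second problem: with `$NAMESPACE` empty, `-n` takes `calico-node-prometheus-client-tls` as the namespace, so the command queries the wrong place and the redirect can leave an empty or wrong `key.pem` without an obvious error.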
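Review bot: In the patch 7/7 hunk (@@ -375,9 +375,9), the first command writes the client private key to `key.pem` in the current directory with whatever the shell's default umask allows, and the step gives no guidance on handling it. Since this line is being touched anyway, add a note to run `umask 077` first (or write into a directory only the operator can read) and to delete `key.pem` and `cert.pem` once the troubleshooting check is done. The hardcoded `-n tigera-prometheus` itself matches the commit message.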