Skip to content

EV-6500: Fix BGP metrics mTLS docs and simplify troubleshooting #2603

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ctauchen merged 8 commits into from
Mar 23, 2026
Merged

EV-6500: Fix BGP metrics mTLS docs and simplify troubleshooting #2603

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
415f138
Add breaking changes section to the release notes for v3.23 ep1
rene-dekker Feb 17, 2026
2ad778f
Add breaking changes section to the release notes for v3.23 ep1
rene-dekker Feb 17, 2026
e277850
Add breaking changes section to the release notes for v3.23 ep1
rene-dekker Feb 17, 2026
d3fdf9d
Fix BGP metrics docs: use https for mTLS endpoints and simplify troub…
rene-dekker Mar 20, 2026
1ce6888
Remove byo-prometheus troubleshooting link from bgp-metrics pages and…
rene-dekker Mar 20, 2026
52ab195
Revert export NAMESPACE changes on byo-prometheus pages, keep only tr…
rene-dekker Mar 20, 2026
8959fb7
Use tigera-prometheus namespace in byo-prometheus troubleshooting sec…
rene-dekker Mar 20, 2026
24ce1e1
Merge branch 'main' into EV-6500
ctauchen Mar 23, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 17 additions & 1 deletion calico-cloud/operations/monitor/metrics/bgp-metrics.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,7 +70,23 @@ The metrics generated are:
- `bgp_routes_imported` - Current number of routes successfully imported into the routing table.
- `bgp_route_updates_received` - Total number of route updates received over time (since startup).

$[prodname] will run BGP metrics for Prometheus by default. Metrics are directly available on each compute node at `http://<node-IP>:9900/metrics`.
$[prodname] will run BGP metrics for Prometheus by default. Metrics are available on each compute node at `https://<node-IP>:9900/metrics`, secured with mTLS.

To access BGP metrics directly, you must use the TLS credentials:

1. Extract the TLS credentials and CA bundle from the cluster.

```bash
kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem
kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem
kubectl get cm -n tigera-prometheus tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem
```

1. Verify you can access the metrics.

```bash
curl --cacert bundle.pem --key key.pem --cert cert.pem https://<node-IP>:9900/metrics
```

Refer to [Configuring Prometheus](../prometheus/index.mdx) for information on how to create a new Alerting rule or updating the scraping interval for how often Prometheus collects the metrics.

Expand Down
30 changes: 5 additions & 25 deletions calico-cloud/operations/monitor/prometheus/byo-prometheus.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -372,35 +372,15 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied
This section is applicable only if you experience issues with mTLS after following the [Scrape metrics from specific components directly](#scrape-metrics-from-specific-components)
section.

1. Use the following command to retrieve the tls.key and tls.cert.
1. Extract the TLS credentials and CA bundle from the cluster.

```bash
export NAMESPACE=<my-prometheus-namespace>
kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem
kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem
kubectl get cm -n tigera-prometheus tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem
```

```bash
kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o yaml
```

1. Save the tls.key and tls.cert content into key and cert after base64 decode.

```bash
$:tls_key=<tls.key content>
$:echo $tls_key|base64 -d >key.pem

$:tls_cert=<tls.crt content>
$:echo $cert|base64 -d>cert.pem
```

1. Get the ca-bundle certificate using this command:

```bash
kubectl get cm -n $NAMESPACE tigera-ca-bundle -o yaml
```

1. Open a new file (bundle.pem) in your favorite editor, and paste the content from "BEGIN CERTIFICATE" to "END CERTIFICATE".

1. Port-forward the prometheus pods and run this command with the forwarded port.
1. Port-forward the Prometheus pods and run this command with the forwarded port.

```bash
curl --cacert bundle.pem --key key.pem --cert cert.pem https://localhost:8080/metrics
Expand Down
18 changes: 17 additions & 1 deletion ...co-cloud_versioned_docs/version-22-2/operations/monitor/metrics/bgp-metrics.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,7 +70,23 @@ The metrics generated are:
- `bgp_routes_imported` - Current number of routes successfully imported into the routing table.
- `bgp_route_updates_received` - Total number of route updates received over time (since startup).

$[prodname] will run BGP metrics for Prometheus by default. Metrics are directly available on each compute node at `http://<node-IP>:9900/metrics`.
$[prodname] will run BGP metrics for Prometheus by default. Metrics are available on each compute node at `https://<node-IP>:9900/metrics`, secured with mTLS.

To access BGP metrics directly, you must use the TLS credentials:

1. Extract the TLS credentials and CA bundle from the cluster.

```bash
kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem
kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem
kubectl get cm -n tigera-prometheus tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem
```

1. Verify you can access the metrics.

```bash
curl --cacert bundle.pem --key key.pem --cert cert.pem https://<node-IP>:9900/metrics
```

Refer to [Configuring Prometheus](../prometheus/index.mdx) for information on how to create a new Alerting rule or updating the scraping interval for how often Prometheus collects the metrics.

Expand Down
30 changes: 5 additions & 25 deletions ...ud_versioned_docs/version-22-2/operations/monitor/prometheus/byo-prometheus.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -372,35 +372,15 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied
This section is applicable only if you experience issues with mTLS after following the [Scrape metrics from specific components directly](#scrape-metrics-from-specific-components)
section.

1. Use the following command to retrieve the tls.key and tls.cert.
1. Extract the TLS credentials and CA bundle from the cluster.

```bash
export NAMESPACE=<my-prometheus-namespace>
kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem
kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem
kubectl get cm -n $NAMESPACE tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem
```

```bash
kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o yaml
```

1. Save the tls.key and tls.cert content into key and cert after base64 decode.

```bash
$:tls_key=<tls.key content>
$:echo $tls_key|base64 -d >key.pem

$:tls_cert=<tls.crt content>
$:echo $cert|base64 -d>cert.pem
```

1. Get the ca-bundle certificate using this command:

```bash
kubectl get cm -n $NAMESPACE tigera-ca-bundle -o yaml
```

1. Open a new file (bundle.pem) in your favorite editor, and paste the content from "BEGIN CERTIFICATE" to "END CERTIFICATE".

1. Port-forward the prometheus pods and run this command with the forwarded port.
1. Port-forward the Prometheus pods and run this command with the forwarded port.

```bash
curl --cacert bundle.pem --key key.pem --cert cert.pem https://localhost:8080/metrics
Expand Down
18 changes: 17 additions & 1 deletion calico-enterprise/operations/monitor/metrics/bgp-metrics.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,7 +70,23 @@ The metrics generated are:
- `bgp_routes_imported` - Current number of routes successfully imported into the routing table.
- `bgp_route_updates_received` - Total number of route updates received over time (since startup).

$[prodname] will run BGP metrics for Prometheus by default. Metrics are directly available on each compute node at `http://<node-IP>:9900/metrics`.
$[prodname] will run BGP metrics for Prometheus by default. Metrics are available on each compute node at `https://<node-IP>:9900/metrics`, secured with mTLS.

To access BGP metrics directly, you must use the TLS credentials:

1. Extract the TLS credentials and CA bundle from the cluster.

```bash
kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem
kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem
kubectl get cm -n tigera-prometheus tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem
```

1. Verify you can access the metrics.

```bash
curl --cacert bundle.pem --key key.pem --cert cert.pem https://<node-IP>:9900/metrics
```

Refer to [Configuring Prometheus](../prometheus/index.mdx) for information on how to create a new Alerting rule or updating the scraping interval for how often Prometheus collects the metrics.

Expand Down
30 changes: 5 additions & 25 deletions calico-enterprise/operations/monitor/prometheus/byo-prometheus.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -372,35 +372,15 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied
This section is applicable only if you experience issues with mTLS after following the [Scrape metrics from specific components directly](#scrape-metrics-from-specific-components)
section.

1. Use the following command to retrieve the tls.key and tls.cert.
1. Extract the TLS credentials and CA bundle from the cluster.

```bash
export NAMESPACE=<my-prometheus-namespace>
kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem
kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem
kubectl get cm -n $NAMESPACE tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem
```

```bash
kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o yaml
```

1. Save the tls.key and tls.cert content into key and cert after base64 decode.

```bash
$:tls_key=<tls.key content>
$:echo $tls_key|base64 -d >key.pem

$:tls_cert=<tls.crt content>
$:echo $cert|base64 -d>cert.pem
```

1. Get the ca-bundle certificate using this command:

```bash
kubectl get cm -n $NAMESPACE tigera-ca-bundle -o yaml
```

1. Open a new file (bundle.pem) in your favorite editor, and paste the content from "BEGIN CERTIFICATE" to "END CERTIFICATE".

1. Port-forward the prometheus pods and run this command with the forwarded port.
1. Port-forward the Prometheus pods and run this command with the forwarded port.

```bash
curl --cacert bundle.pem --key key.pem --cert cert.pem https://localhost:8080/metrics
Expand Down
18 changes: 17 additions & 1 deletion ...rprise_versioned_docs/version-3.20-2/operations/monitor/metrics/bgp-metrics.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,7 +70,23 @@ The metrics generated are:
- `bgp_routes_imported` - Current number of routes successfully imported into the routing table.
- `bgp_route_updates_received` - Total number of route updates received over time (since startup).

$[prodname] will run BGP metrics for Prometheus by default. Metrics are directly available on each compute node at `http://<node-IP>:9900/metrics`.
$[prodname] will run BGP metrics for Prometheus by default. Metrics are available on each compute node at `https://<node-IP>:9900/metrics`, secured with mTLS.

To access BGP metrics directly, you must use the TLS credentials:

1. Extract the TLS credentials and CA bundle from the cluster.

```bash
kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem
kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem
kubectl get cm -n tigera-prometheus tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem
```

1. Verify you can access the metrics.

```bash
curl --cacert bundle.pem --key key.pem --cert cert.pem https://<node-IP>:9900/metrics
```

Refer to [Configuring Prometheus](../prometheus/index.mdx) for information on how to create a new Alerting rule or updating the scraping interval for how often Prometheus collects the metrics.

Expand Down
30 changes: 5 additions & 25 deletions ..._versioned_docs/version-3.20-2/operations/monitor/prometheus/byo-prometheus.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -390,35 +390,15 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied
This section is applicable only if you experience issues with mTLS after following the [Scrape metrics from specific components directly](#scrape-metrics-from-specific-components)
section.

1. Use the following command to retrieve the tls.key and tls.cert.
1. Extract the TLS credentials and CA bundle from the cluster.

```bash
export NAMESPACE=<my-prometheus-namespace>
kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem
kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem
kubectl get cm -n $NAMESPACE tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem
```

```bash
kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o yaml
```

1. Save the tls.key and tls.cert content into key and cert after base64 decode.

```bash
$:tls_key=<tls.key content>
$:echo $tls_key|base64 -d >key.pem

$:tls_cert=<tls.crt content>
$:echo $cert|base64 -d>cert.pem
```

1. Get the ca-bundle certificate using this command:

```bash
kubectl get cm -n $NAMESPACE tigera-ca-bundle -o yaml
```

1. Open a new file (bundle.pem) in your favorite editor, and paste the content from "BEGIN CERTIFICATE" to "END CERTIFICATE".

1. Port-forward the prometheus pods and run this command with the forwarded port.
1. Port-forward the Prometheus pods and run this command with the forwarded port.

```bash
curl --cacert bundle.pem --key key.pem --cert cert.pem https://localhost:8080/metrics
Expand Down
18 changes: 17 additions & 1 deletion ...rprise_versioned_docs/version-3.21-2/operations/monitor/metrics/bgp-metrics.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,7 +70,23 @@ The metrics generated are:
- `bgp_routes_imported` - Current number of routes successfully imported into the routing table.
- `bgp_route_updates_received` - Total number of route updates received over time (since startup).

$[prodname] will run BGP metrics for Prometheus by default. Metrics are directly available on each compute node at `http://<node-IP>:9900/metrics`.
$[prodname] will run BGP metrics for Prometheus by default. Metrics are available on each compute node at `https://<node-IP>:9900/metrics`, secured with mTLS.

To access BGP metrics directly, you must use the TLS credentials:

1. Extract the TLS credentials and CA bundle from the cluster.

```bash
kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem
kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem
kubectl get cm -n tigera-prometheus tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem
```

1. Verify you can access the metrics.

```bash
curl --cacert bundle.pem --key key.pem --cert cert.pem https://<node-IP>:9900/metrics
```

Refer to [Configuring Prometheus](../prometheus/index.mdx) for information on how to create a new Alerting rule or updating the scraping interval for how often Prometheus collects the metrics.

Expand Down
30 changes: 5 additions & 25 deletions ..._versioned_docs/version-3.21-2/operations/monitor/prometheus/byo-prometheus.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -372,35 +372,15 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied
This section is applicable only if you experience issues with mTLS after following the [Scrape metrics from specific components directly](#scrape-metrics-from-specific-components)
section.

1. Use the following command to retrieve the tls.key and tls.cert.
1. Extract the TLS credentials and CA bundle from the cluster.

```bash
export NAMESPACE=<my-prometheus-namespace>
kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem
kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem
kubectl get cm -n $NAMESPACE tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem
```

```bash
kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o yaml
```

1. Save the tls.key and tls.cert content into key and cert after base64 decode.

```bash
$:tls_key=<tls.key content>
$:echo $tls_key|base64 -d >key.pem

$:tls_cert=<tls.crt content>
$:echo $cert|base64 -d>cert.pem
```

1. Get the ca-bundle certificate using this command:

```bash
kubectl get cm -n $NAMESPACE tigera-ca-bundle -o yaml
```

1. Open a new file (bundle.pem) in your favorite editor, and paste the content from "BEGIN CERTIFICATE" to "END CERTIFICATE".

1. Port-forward the prometheus pods and run this command with the forwarded port.
1. Port-forward the Prometheus pods and run this command with the forwarded port.

```bash
curl --cacert bundle.pem --key key.pem --cert cert.pem https://localhost:8080/metrics
Expand Down
18 changes: 17 additions & 1 deletion ...rprise_versioned_docs/version-3.22-2/operations/monitor/metrics/bgp-metrics.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,7 +70,23 @@ The metrics generated are:
- `bgp_routes_imported` - Current number of routes successfully imported into the routing table.
- `bgp_route_updates_received` - Total number of route updates received over time (since startup).

$[prodname] will run BGP metrics for Prometheus by default. Metrics are directly available on each compute node at `http://<node-IP>:9900/metrics`.
$[prodname] will run BGP metrics for Prometheus by default. Metrics are available on each compute node at `https://<node-IP>:9900/metrics`, secured with mTLS.

To access BGP metrics directly, you must use the TLS credentials:

1. Extract the TLS credentials and CA bundle from the cluster.

```bash
kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem
kubectl get secret -n tigera-prometheus calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem
kubectl get cm -n tigera-prometheus tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem
```

1. Verify you can access the metrics.

```bash
curl --cacert bundle.pem --key key.pem --cert cert.pem https://<node-IP>:9900/metrics
```

Refer to [Configuring Prometheus](../prometheus/index.mdx) for information on how to create a new Alerting rule or updating the scraping interval for how often Prometheus collects the metrics.

Expand Down
30 changes: 5 additions & 25 deletions ..._versioned_docs/version-3.22-2/operations/monitor/prometheus/byo-prometheus.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -372,35 +372,15 @@ The .yamls have no namespace defined so when you apply `kubectl`, it is applied
This section is applicable only if you experience issues with mTLS after following the [Scrape metrics from specific components directly](#scrape-metrics-from-specific-components)
section.

1. Use the following command to retrieve the tls.key and tls.cert.
1. Extract the TLS credentials and CA bundle from the cluster.

```bash
export NAMESPACE=<my-prometheus-namespace>
kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.key}' | base64 -d > key.pem
kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem
kubectl get cm -n $NAMESPACE tigera-ca-bundle -o jsonpath='{.data.tigera-ca-bundle\.crt}' > bundle.pem
```

```bash
kubectl get secret -n $NAMESPACE calico-node-prometheus-client-tls -o yaml
```

1. Save the tls.key and tls.cert content into key and cert after base64 decode.

```bash
$:tls_key=<tls.key content>
$:echo $tls_key|base64 -d >key.pem

$:tls_cert=<tls.crt content>
$:echo $cert|base64 -d>cert.pem
```

1. Get the ca-bundle certificate using this command:

```bash
kubectl get cm -n $NAMESPACE tigera-ca-bundle -o yaml
```

1. Open a new file (bundle.pem) in your favorite editor, and paste the content from "BEGIN CERTIFICATE" to "END CERTIFICATE".

1. Port-forward the prometheus pods and run this command with the forwarded port.
1. Port-forward the Prometheus pods and run this command with the forwarded port.

```bash
curl --cacert bundle.pem --key key.pem --cert cert.pem https://localhost:8080/metrics
Expand Down
Loading
Loading