Description of problem: Two of the new TLS flags (web.tls-min-version and web.tls-cipher-suites) were added as part of the default flagset instead of the locally defined flagset causing them to not be parsed correctly. This fix should be backported from upstream (https://github.com/coreos/prometheus-operator/pull/3157)
checked with 4.5.0-0.nightly-2020-05-05-205255, the parameters are right in the prometheus-operator image, but still wrong in the prometheus-operator deployment, example: tls-cipher-suites should be web.tls-cipher-suites -web.tls-cipher-suites string Comma-separated list of cipher suites for the server. Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).If omitted, the default Go cipher suites will be used.Note that TLS 1.3 ciphersuites are not configurable. -web.tls-min-version string Minimum TLS version supported. Value must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants. (default "VersionTLS13") # oc -n openshift-monitoring get deploy/prometheus-operator -oyaml image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:c7339851e78b1f7ca1579757620113e81384a0232f4851792c0082ecf07992f5 imagePullPolicy: IfNotPresent name: prometheus-operator ... - args: - --logtostderr - --secure-listen-address=:8443 - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - --upstream=http://127.0.0.1:8080/ - --tls-cert-file=/etc/tls/private/tls.crt - --tls-private-key-file=/etc/tls/private/tls.key
The "--tls-cipher-suites" parameter here is currently only used for the kube-rbac-proxy container. We're not currently using this setting for the prometheus-operator. The new parameter won't be used in openshift until we merge the prometheus rule validation webhook configuration which will be in 4.6. I think this one is ok to close as long as the new parameter is available in prometheus-operator.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2409