Comment 2 for bug 2004612

Vern Hart (vern) wrote :

I'm unsure why I originally filed this against charm-aws-iam. That was not my intention. Ah, I see now that I was directed at the charmed-kubernetes project to file the bug and I did not notice there is a drop-down. My apologies.

I agree with your assessment that it should be possible (maybe even simple?) to provide the certificate on the relation.

The charm has an action for getting the certs called package-client-credentials and it references ~/.bash_aliases:

  $ cat ~/.bash_aliases
  export ETCDCTL_KEY=/var/snap/etcd/common/client.key
  export ETCDCTL_CERT=/var/snap/etcd/common/client.crt
  export ETCDCTL_CACERT=/var/snap/etcd/common/ca.crt

This suggests that updating the register job call with ca_cert, client_cert, and client_key with the contents of the above files would be all that is required. And, it turns out, there is already a method for pulling in those files.

I gave that a try by patching a live charm and, it turns out, etcd (724) from latest/stable doesn't have the latest prometheus-manual interface layer so it doesn't support the client cert. I patched that too with the latest and it works. Prometheus is now pulling the etcd metrics.