Upgrading OCP from 4.16.44 to 4.16.46 removes cookie auth for Prometheus

[a-roberts]

To give more context, we have a container that is using a ServiceAccount token with sufficient privleges e.g. a ClusterRole with cluster-monitoring-view, that can talk to the Prometheus API using the value of the service account token which is automatically updated by OpenShift.
We use this to get monitoring data from the cluster and then we build our own charts and graphs off of this using Prometheus queries.

We now get 401s like this consistently

Received response 401 from GET call to https:/console-openshift-console.apps.somedomain.openshiftapps.com/api/prometheus/api/v1/query?query=(somequeryhere)

I suspect something in here has caused it (like it's now sending on the token redacted):

65d2ed0...334a53b#diff-cb149e746da7ca315f8c9b852dd6f407e04e16a7199587be3ae745fa57fe681eR486

but open to being mistaken.

We rely on this for delivering monitoring capabilities to our customers and we are now blocked from taking this version.

Might we be missing something, please? Everything works fine on older versions and has done since at least March 2024, thank you

[a-roberts]

We opened a case for this with RedHat and determined 4.16.44 supports the cookie we were using.
4.16.45 supports an Authentication Bearer token and the above
And then 4.16.46 removes the cookie method for auth.

We therefore need to cope with all scenarios and in our code we're now going to have to, short of doing an OCP version check, cater for this. This being done in a patch version is causing quite the inconvenience.

To be clear, our code was:

  prometheusEndpoint = `$CLUSTER_URL/api/prometheus/api/v1/query`
  prometheusAuth = { Cookie: `openshift-session-token=${this.ocToken}` }

and we've had to make it

  prometheusEndpoint = `${prometheusUrl}/api/v1/query`
  prometheusAuth = { Authorization: `Bearer ${this.ocToken}`}

the URL also differs and we now need to replace console-openshift-console with prometheus-k8s-openshift-monitoring.