
Prometheus Monitoring: TLS

 1 year ago
source link: https://blog.51cto.com/u_13236892/5885577

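This setup adds TLS encryption on top of the basic_auth username and password, giving two layers of protection: a password and a key.

1. Generate the key files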

openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -keyout prom-test.key -out prom-test.crt -subj \
"/C=CN/ST=Beijing/L=Beijing/O=Moelove.info/CN=localhost"

2. Write the TLS key files into config.yml

vi /usr/local/prometheus/config.yml
basic_auth_users:
  # The username configured here is admin; multiple users can be defined
  admin: $2y$12$mMnPuKlOQ97ff4NjDsQTMukAtRS/ILpjxjEQrCN0vefs0CBLe/hi6
tls_server_config: # TLS encryption
  cert_file: prom-test.crt
  key_file: prom-test.key

# Place the key files in the same directory as config.yml

3. Modify prometheus.yml

scrape_configs:
  - job_name: 'prometheus'
    basic_auth:
      username: admin
      password: 123456
    # Added TLS configuration
    scheme: https
    tls_config:
      ca_file: prom-test.crt # name of the .crt file
      insecure_skip_verify: true # skip certificate verification
    static_configs:
      - targets: ['192.168.10.131:9090']

4. Start and test

1. Start
/usr/local/prometheus/prometheus \
--config.file=/usr/local/prometheus/prometheus.yml \
--web.config.file=/usr/local/prometheus/config.yml \
--storage.tsdb.path="/usr/local/prometheus/data" \
--storage.tsdb.retention=15d \
--web.console.templates="/usr/local/prometheus/consoles" \
--web.console.libraries="/usr/local/prometheus/console_libraries" \
--web.max-connections=512 \
--web.external-url "http://192.168.10.131:9090" \
--web.listen-address=192.168.10.131:9090 &>/usr/local/prometheus/prometheus.log &

2. Test over HTTP
http://192.168.10.131:9090
"Client sent an HTTP request to an HTTPS server."

3. Test over HTTPS
https://192.168.10.131:9090
A login prompt appears. After entering the username and password, check the targets.
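
The certificate from step 1 carries only CN=localhost and no subjectAltName, so it cannot be verified against the scrape target 192.168.10.131, which is why step 3 sets insecure_skip_verify: true. The following is an added example, not part of the original article: it issues the same self-signed pair with a SAN for the target, checks the match, and prints the scrape settings with verification left on. It assumes OpenSSL 1.1.1 or later; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the original article). Assumes OpenSSL 1.1.1+ for -addext.
TARGET_IP="192.168.10.131"   # scrape target used in the article

# Issue the self-signed pair with a subjectAltName covering the scrape target.
gen_cert() {  # $1 = output directory
  openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
    -keyout "$1/prom-test.key" -out "$1/prom-test.crt" \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=Moelove.info/CN=localhost" \
    -addext "subjectAltName=IP:${TARGET_IP},DNS:localhost" &&
  chmod 600 "$1/prom-test.key"   # private key readable by its owner only
}

# Succeeds only if the certificate is valid for the given IP address.
cert_matches_ip() {  # $1 = certificate file, $2 = IP address
  openssl x509 -in "$1" -checkip "$2" | grep -q "does match certificate"
}

# Scrape-job TLS settings that verify the server certificate.
print_scrape_tls() {
  cat <<EOF
    scheme: https
    tls_config:
      ca_file: prom-test.crt        # the self-signed cert is its own trust anchor
      insecure_skip_verify: false   # verification stays on
    static_configs:
      - targets: ['${TARGET_IP}:9090']
EOF
}

# Usage: d=$(mktemp -d); gen_cert "$d" && cert_matches_ip "$d/prom-test.crt" "$TARGET_IP" && print_scrape_tls
```

After restarting Prometheus with the new pair, `curl --cacert prom-test.crt -u admin https://192.168.10.131:9090/-/healthy` should succeed without `-k`.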

III. Integrating with Grafana

In the data source settings, change the HTTP URL and additionally tick "Basic auth", "TLS Client Auth", and "Skip TLS Verify".

1. Configure Basic Auth Details


2、TLS/SSL Auth Details

Fill in ServerName, then paste the key material from the generated .crt and .key files into the Client Cert and Client Key text boxes.


3. Tick Skip TLS Verify

If it is not ticked, saving fails with the error "HTTP Error Bad Gateway".

4. The connection can now be tested
