Suppose we have to provide a central metrics platform for two teams, Team Fruit and Team Veggie. We do not want either team to see the other's data, or even to know that the other exists. Let's see how to achieve this with Thanos.
See also the official site.
Prometheus configuration for the Fruit team. The `tenant` external label is what every later step keys on; `replica` distinguishes HA replicas so that the Querier can deduplicate them.
[root@host01 editor]# cat prometheus0_fruit.yml
global:
  scrape_interval: 5s
  external_labels:
    cluster: eu1
    replica: 0
    tenant: team-fruit
scrape_configs:
  - job_name: 'prometheus'
    static_configs:
      - targets: ['127.0.0.1:9090']
Prometheus configuration for the Veggie team (two replicas, differing only in the `replica` label)
[root@host01 editor]# cat prometheus0_veggie.yml
global:
  scrape_interval: 5s
  external_labels:
    cluster: eu1
    replica: 0
    tenant: team-veggie
scrape_configs:
  - job_name: 'prometheus'
    static_configs:
      - targets: ['127.0.0.1:9091','127.0.0.1:9092']
[root@host01 editor]# cat prometheus1_veggie.yml
global:
  scrape_interval: 5s
  external_labels:
    cluster: eu1
    replica: 1
    tenant: team-veggie
scrape_configs:
  - job_name: 'prometheus'
    static_configs:
      - targets: ['127.0.0.1:9091','127.0.0.1:9092']
[root@host01 editor]#
Create the data directories that will be bind-mounted as the TSDB volumes
[root@host01 ~]# mkdir -p prometheus0_fruit_data prometheus0_veggie_data prometheus1_veggie_data
Deploy the Fruit team's Prometheus and its sidecar. As in the upstream lab, Prometheus runs as root with --web.enable-lifecycle and --web.enable-admin-api, which expose unauthenticated reload/quit and TSDB admin endpoints (delete series, snapshot) on the same port as the query API; acceptable for a throwaway lab, not for a tenant-facing deployment.
[root@host01 ~]# docker run -d --net=host --rm \
> -v $(pwd)/editor/prometheus0_fruit.yml:/etc/prometheus/prometheus.yml \
> -v $(pwd)/prometheus0_fruit_data:/prometheus \
> -u root \
> --name prometheus-0-fruit \
> quay.io/prometheus/prometheus:v2.20.0 \
> --config.file=/etc/prometheus/prometheus.yml \
> --storage.tsdb.path=/prometheus \
> --web.listen-address=:9090 \
> --web.external-url=https://2886795295-9090-elsy05.environments.katacoda.com \
> --web.enable-lifecycle \
> --web.enable-admin-api && echo "Prometheus for Fruit Team started!"
f8f3793870998f7a1c91cd29238f61299059ea0e20427fcccb5f19218d42eb49
Prometheus for Fruit Team started!
[root@host01 ~]# docker run -d --net=host --rm \
> -v $(pwd)/editor/prometheus0_fruit.yml:/etc/prometheus/prometheus.yml \
> --name prometheus-0-sidecar-fruit \
> -u root \
> quay.io/thanos/thanos:v0.20.0 \
> sidecar \
> --http-address 0.0.0.0:19090 \
> --grpc-address 0.0.0.0:19190 \
> --reloader.config-file /etc/prometheus/prometheus.yml \
> --prometheus.url http://127.0.0.1:9090 && echo "Started sidecar for Fruit Prometheus"
1c9e6b74a7691d2b8047dc840699d3a21983b36d18860936ea69f954eb0b28cf
Started sidecar for Fruit Prometheus
[root@host01 ~]#
Start the Veggie team's Prometheus and sidecars, two replicas
[root@host01 ~]# docker run -d --net=host --rm \
> -v $(pwd)/editor/prometheus0_veggie.yml:/etc/prometheus/prometheus.yml \
> -v $(pwd)/prometheus0_veggie_data:/prometheus \
> -u root \
> --name prometheus-0-veggie \
> quay.io/prometheus/prometheus:v2.20.0 \
> --config.file=/etc/prometheus/prometheus.yml \
> --storage.tsdb.path=/prometheus \
> --web.listen-address=:9091 \
> --web.external-url=https://2886795295-9091-elsy05.environments.katacoda.com \
> --web.enable-lifecycle \
> --web.enable-admin-api && echo "Prometheus for Veggie Team started!"
397c33b62a41c8e87c0d67e5e37ad5d8a77f1c08da2f28869d243da9970b5432
Prometheus for Veggie Team started!
[root@host01 ~]# docker run -d --net=host --rm \
> -v $(pwd)/editor/prometheus0_veggie.yml:/etc/prometheus/prometheus.yml \
> --name prometheus-0-sidecar-veggie \
> -u root \
> quay.io/thanos/thanos:v0.20.0 \
> sidecar \
> --http-address 0.0.0.0:19091 \
> --grpc-address 0.0.0.0:19191 \
> --reloader.config-file /etc/prometheus/prometheus.yml \
> --prometheus.url http://127.0.0.1:9091 && echo "Started sidecar for Veggie Prometheus"
2abf6b3095498c35d0b8ad5aae065ccdcfdeb474eaf31fe00512ff42cbb3e265
Started sidecar for Veggie Prometheus
[root@host01 ~]# docker run -d --net=host --rm \
> -v $(pwd)/editor/prometheus1_veggie.yml:/etc/prometheus/prometheus.yml \
> -v $(pwd)/prometheus1_veggie_data:/prometheus \
> -u root \
> --name prometheus-1-veggie \
> quay.io/prometheus/prometheus:v2.20.0 \
> --config.file=/etc/prometheus/prometheus.yml \
> --storage.tsdb.path=/prometheus \
> --web.listen-address=:9092 \
> --web.external-url=https://2886795295-9092-elsy05.environments.katacoda.com \
> --web.enable-lifecycle \
> --web.enable-admin-api && echo "Prometheus for Veggie Team started!"
3a190b19aff523d068acfd3edb5d1d24e5b001c95e8bb5a72660222ba87f9117
Prometheus for Veggie Team started!
[root@host01 ~]# docker run -d --net=host --rm \
> -v $(pwd)/editor/prometheus1_veggie.yml:/etc/prometheus/prometheus.yml \
> --name prometheus-01-sidecar-veggie \
> -u root \
> quay.io/thanos/thanos:v0.20.0 \
> sidecar \
> --http-address 0.0.0.0:19092 \
> --grpc-address 0.0.0.0:19192 \
> --reloader.config-file /etc/prometheus/prometheus.yml \
> --prometheus.url http://127.0.0.1:9092 && echo "Started sidecar for Veggie Prometheus"
2e83dd73870d7651ca177c42c1db3d264ccbb579329fc36bc041893ee9f95d3f
Started sidecar for Veggie Prometheus
[root@host01 ~]#
Deploy a separate Querier for Fruit and for Veggie
[root@host01 ~]# docker run -d --net=host --rm \
> --name querier-fruit \
> quay.io/thanos/thanos:v0.20.0 \
> query \
> --http-address 0.0.0.0:29091 \
> --grpc-address 0.0.0.0:29191 \
> --query.replica-label replica \
> --store 127.0.0.1:19190 && echo "Started Thanos Fruit Querier"
ac87e4bb25a4ef2dce04e592f8b65bba23a9ec96626bbe797c10a0bdc79c2a3d
Started Thanos Fruit Querier
[root@host01 ~]# docker run -d --net=host --rm \
> --name querier-veggie \
> quay.io/thanos/thanos:v0.20.0 \
> query \
> --http-address 0.0.0.0:29092 \
> --grpc-address 0.0.0.0:29192 \
> --query.replica-label replica \
> --store 127.0.0.1:19191 \
> --store 127.0.0.1:19192 && echo "Started Thanos Veggie Querier"
eeace09de61007f7c00dcbc6c8f7b66b235e084fd3bc7c3786416d67ff872b6d
Started Thanos Veggie Querier
With that we have deployed independent Queriers, as shown in the figure below.
This setup can be called no tenancy, or hard tenancy: isolation is achieved by running a separate set of components for each tenant.
The architecture above has the following two problems:
Don't worry, Thanos supports multi-tenancy natively.
Let's stop the Queriers we created above.
[root@host01 ~]# docker stop querier-fruit && docker stop querier-veggie
querier-fruit
querier-veggie
A single Querier pointed at all three sidecars is enough; --query.replica-label replica still deduplicates the two Veggie replicas.
[root@host01 ~]# docker run -d --net=host --rm \
> --name querier-multi \
> quay.io/thanos/thanos:v0.20.0 \
> query \
> --http-address 0.0.0.0:29090 \
> --grpc-address 0.0.0.0:29190 \
> --query.replica-label replica \
> --store 127.0.0.1:19190 \
> --store 127.0.0.1:19191 \
> --store 127.0.0.1:19192 && echo "Started Thanos Querier with access to both Veggie's and Fruit's data"
86e31514a34d5770e80a2dd45f985eb4e2e6ebec39a4ef3c339e51ff747ec0dc
Started Thanos Querier with access to both Veggie's and Fruit's data
[root@host01 ~]#
Now the question becomes how to let each tenant see only its own data, as shown in the figure below.
Prometheus and Thanos both follow the UNIX philosophy. One of its principles is that each component does one thing and does it well. Thanos Querier therefore does no authentication or authorization at all; the assumption is that your organization already has a uniform authn/authz mechanism to put in front of it. So how do we implement multi-tenancy?
prom-label-proxy provides read tenancy for all the resources Prometheus and Thanos currently expose, by enforcing a given tenant label in every API that retrieves data: the matcher is injected into each PromQL query and into the series and label APIs, so a request can only ever see series carrying its own tenant value. The proxy was written for Prometheus, but because Thanos Querier exposes the same HTTP API, it works here unchanged.
Start prom-label-proxy
[root@host01 ~]# docker run -d --net=host --rm \
> --name prom-label-proxy \
> quay.io/thanos/prom-label-proxy:v0.3.0-rc.0-ext1 \
> -label tenant \
> -upstream http://127.0.0.1:29090 \
> -insecure-listen-address 0.0.0.0:39090 \
> -non-api-path-passthrough \
> -enable-label-apis && echo "Started prom-label-proxy"
1a9956d1fcd94a9a0ae1e69c59059f8c75e8d00f9ddb7720e0f2a8339f126e76
Started prom-label-proxy
[root@host01 ~]#
Every request to the proxy must carry a tenant=<value> query parameter; without it the proxy answers HTTP 400. Rather than ask users to supply it, we put a reverse proxy (Caddy) in front: each listening port appends a different tenant value before forwarding to 127.0.0.1:39090.
No. | Port | Parameter appended |
---|---|---|
1 | 39091 | tenant=team-fruit |
2 | 39092 | tenant=team-veggie |
Caddy configuration
[root@host01 editor]# cat Caddyfile
{
    admin off
}
:39091 {
    rewrite * ?{query}&tenant=team-fruit
    reverse_proxy 127.0.0.1:39090
}
:39092 {
    rewrite * ?{query}&tenant=team-veggie
    reverse_proxy 127.0.0.1:39090
}
Start Caddy
[root@host01 ~]# docker run -d --net=host --rm --name caddy -v $PWD/editor/Caddyfile:/etc/caddy/Caddyfile caddy:2.2.1 && echo "Started Caddy Server"
0a4d714030bb9da6fb4d314892dc21aa78800291dfcefebe9277bd334926c501
Started Caddy Server
At this point the multi-tenant setup is complete. Two things in this lab layout need changing before real users are let in. First, everything runs with --net=host and listens on 0.0.0.0: prom-label-proxy on 39090, the Querier on 29090, and every Prometheus and sidecar port. Anyone who can reach the host can skip Caddy and either pick an arbitrary tenant value at 39090 or query 29090 unfiltered. Bind those listeners to 127.0.0.1 (or firewall them) so that only 39091 and 39092 are reachable, and treat the Querier port as the administrator's view only. Second, the rewrite appends tenant=... after whatever query string the client sent, so a client-supplied tenant parameter is forwarded alongside ours; reject or strip it at Caddy rather than rely on which of the two values the proxy picks.
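A hardened Caddyfile for the same two ports, as an added example that is not part of the tutorial: a request that already carries a tenant parameter is refused with 403 instead of being forwarded, so the only tenant value that ever reaches prom-label-proxy is the one the port sets. It assumes Caddy 2's `query` matcher accepts `*` as a wildcard value and that `route` keeps directives in the written order (both documented Caddy 2 behaviour), and that prom-label-proxy has been restarted with `-insecure-listen-address 127.0.0.1:39090` so it is reachable only through Caddy.

```caddyfile
{
    admin off
}

# Fruit port: refuse any client-chosen tenant, then set ours and forward.
:39091 {
    route {
        @client_tenant query tenant=*
        respond @client_tenant "the tenant is chosen by the gateway, not the client" 403
        rewrite * ?{query}&tenant=team-fruit
        reverse_proxy 127.0.0.1:39090
    }
}

# Veggie port: identical apart from the tenant value.
:39092 {
    route {
        @client_tenant query tenant=*
        respond @client_tenant "the tenant is chosen by the gateway, not the client" 403
        rewrite * ?{query}&tenant=team-veggie
        reverse_proxy 127.0.0.1:39090
    }
}
```

The `route` block matters: outside it Caddy orders directives by its own default order, under which `respond` would run after `rewrite` and the matcher would see the tenant value we just appended. Newer prom-label-proxy releases can also take the tenant from an HTTP header set by the authenticating proxy, which removes the query string from the trust boundary entirely; the v0.3.0 used here only supports the query parameter.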
Verify
Browse to port 39091 (the Fruit view)
Browse to port 39092 (the Veggie view)
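Checking isolation in the browser is easy to get wrong, so here is an added verification script (my own example, not part of the tutorial). `inject_tenant` shows how a trustworthy gateway should build the upstream query string, discarding any client-supplied tenant before setting its own; `check_isolation` walks a Prometheus `/api/v1/query` response and passes only when every returned series carries the expected tenant label. `audit_live` then queries both Caddy ports, once plainly and once trying to smuggle the other team's tenant value. The ports, the `127.0.0.1` host and the `up` query are assumptions taken from the lab above; the two sample responses are constructed, not captured.

```python
"""Tenant-isolation checks for the Caddy -> prom-label-proxy -> Thanos Querier chain.

Added example, not part of the tutorial. Ports, host and query are assumptions
taken from the lab setup.
"""
import json
import urllib.parse
import urllib.request

TENANT_LABEL = "tenant"                                        # value given to prom-label-proxy via -label
GATEWAY_PORTS = {39091: "team-fruit", 39092: "team-veggie"}    # Caddy port -> tenant it represents


def inject_tenant(query_string: str, tenant: str) -> str:
    """Build the upstream query string the way a trustworthy gateway should.

    Any client-supplied `tenant` parameter is discarded before the trusted value
    is set, so the upstream sees exactly one tenant value and it is ours.
    Appending `&tenant=...` to the raw client query string, as the Caddyfile
    above does, would forward both values instead.
    """
    params = [(k, v) for k, v in urllib.parse.parse_qsl(query_string, keep_blank_values=True)
              if k != TENANT_LABEL]
    params.append((TENANT_LABEL, tenant))
    return urllib.parse.urlencode(params)


def tenants_in(response: dict) -> set:
    """Set of tenant label values present in a /api/v1/query(_range) response."""
    result = response.get("data", {}).get("result", [])
    return {series.get("metric", {}).get(TENANT_LABEL) for series in result}


def check_isolation(response: dict, tenant: str) -> bool:
    """True when the response succeeded and every series carries tenant == `tenant`.

    An empty result counts as a failure: it cannot be told apart from the proxy
    silently returning nothing, which proves nothing about isolation.
    """
    if response.get("status") != "success":
        return False
    return tenants_in(response) == {tenant}


# Constructed sample responses (not captured from the lab): a correct answer for
# `up` on the team-fruit port, and a leaking answer that mixes both tenants.
SAMPLE_FRUIT_OK = {
    "status": "success",
    "data": {"resultType": "vector", "result": [
        {"metric": {"__name__": "up", "job": "prometheus", "instance": "127.0.0.1:9090",
                    "cluster": "eu1", "tenant": "team-fruit"}, "value": [1700000000, "1"]},
    ]},
}
SAMPLE_LEAK = {
    "status": "success",
    "data": {"resultType": "vector", "result": [
        {"metric": {"__name__": "up", "instance": "127.0.0.1:9090", "tenant": "team-fruit"},
         "value": [1700000000, "1"]},
        {"metric": {"__name__": "up", "instance": "127.0.0.1:9091", "tenant": "team-veggie"},
         "value": [1700000000, "1"]},
    ]},
}


def audit_live(host: str = "127.0.0.1", query: str = "up") -> dict:
    """Hit every gateway port twice: a plain request, and one that tries to smuggle
    the other tenant's value in the query string. Returns {(port, case): outcome}."""
    outcomes = {}
    for port, tenant in GATEWAY_PORTS.items():
        other = next(t for t in GATEWAY_PORTS.values() if t != tenant)
        cases = {
            "plain": urllib.parse.urlencode({"query": query}),
            "smuggle": urllib.parse.urlencode({"query": query, TENANT_LABEL: other}),
        }
        for case, qs in cases.items():
            url = f"http://{host}:{port}/api/v1/query?{qs}"
            try:
                with urllib.request.urlopen(url, timeout=5) as resp:
                    body = json.load(resp)
            except Exception as exc:            # connection refused, HTTP 4xx/5xx, bad JSON
                outcomes[(port, case)] = f"error: {exc}"
                continue
            outcomes[(port, case)] = (check_isolation(body, tenant),
                                      sorted(str(t) for t in tenants_in(body)))
    return outcomes


if __name__ == "__main__":
    for key, outcome in sorted(audit_live().items(), key=str):
        print(key, outcome)
```

Run it on the lab host after Caddy is up. For the "plain" cases both ports should report `True` with exactly one tenant value; for the "smuggle" cases either `True` (the gateway's value won) or an HTTP 403 error (the gateway rejected the client-supplied parameter) is acceptable, while `False` with two tenant values means the other team's series leaked through.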
That concludes this demonstration of Thanos multi-tenancy: each department sees only its own data, while the administrator view (the "Tomato" view, i.e. the Querier on 29090 reached without going through the label proxy) still sees everything.