Prometheus TLS authentication

There are still a few problems; I am reading up and working on it.

For exporters that expose sensitive data, sometimes I want only Prometheus to be able to reach them and do not want them exposed to anyone else. One way to get there is mutual TLS authentication, and in this post I describe how I set it up.

Mutual TLS is, by definition, a matter for both sides, so there are two parts:

How Prometheus presents its own certificate when it scrapes the exporter
How the exporter is exposed over TLS
These two questions are what this post sets out to answer. Since the first depends on the second, I solve the second one first and then describe how to solve the first.

  1. Exposing the exporter over TLS
    Because exporters speak HTTP(S), exposing one over TLS is really just serving HTTPS instead of HTTP, a well-worn topic that needs no introduction here. The important part is that, besides serving HTTPS, the exporter must also verify the client. That is not a common requirement for most exporters, but the ones built on exporter-toolkit (mysqld_exporter among them, as the tls_config.go log lines below show) support it through --web.config.file: tls_server_config takes client_auth_type and client_ca_file in addition to the server certificate and key. Server-only TLS, which is all the configuration further down enables, encrypts the connection but still lets any client that trusts (or ignores) the certificate scrape the metrics.

Since my mysqld_exporter returned 500 when Grafana fetched data, I checked the logs and found that TLS needed to be configured.

level=info ts=2022-01-12T08:12:28.788Z caller=mysqld_exporter.go:293 msg="Scraper enabled" scraper=info_schema.innodb_cmpmem
level=info ts=2022-01-12T08:12:28.789Z caller=mysqld_exporter.go:303 msg="Listening on address" address=:9104
level=info ts=2022-01-12T08:12:28.789Z caller=tls_config.go:191 msg="TLS is disabled." http2=false

Create the certificate (self-signed, with only a CN in the subject and no subjectAltName):


[root@zabbix_granfana prometheus]# openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -keyout prometheus_exporter.key -out prometheus_exporter.crt -subj "/C=CN/ST=Beijing/L=Beijing/O=test.cn/CN=192.168.1.179"
Generating a 2048 bit RSA private key
............................................................+++
...............................................................+++
writing new private key to 'prometheus_exporter.key'

Configure TLS for mysqld_exporter

Install the certificate and write the web config (the relative paths resolve against the exporter's working directory, which is /opt/mysqld_exporter below):

[root@zabbix_granfana prometheus]#cp prometheus_exporter.* /opt/mysqld_exporter/
[root@zabbix_granfana prometheus]#cd /opt/mysqld_exporter/
[root@zabbix_granfana mysqld_exporter]# cat /opt/mysqld_exporter/config.yaml 
tls_server_config:
  cert_file: prometheus_exporter.crt
  key_file: prometheus_exporter.key

Start mysqld_exporter

[root@zabbix_granfana mysqld_exporter]# nohup /opt/mysqld_exporter/mysqld_exporter --config.my-cnf=/opt/mysqld_exporter/.my.cnf --web.config.file=/opt/mysqld_exporter/config.yaml > /opt/mysqld_exporter/access.log 2>&1 &
[1] 3565

Check the logs

[root@zabbix_granfana ~]# tail -F /opt/mysqld_exporter/access.log 
level=info ts=2022-01-13T02:31:07.643Z caller=mysqld_exporter.go:278 msg="Build context" (gogo1.16.4,userroot@e2043849cb1f,date20210531-07:30:16)=(MISSING)
level=info ts=2022-01-13T02:31:07.644Z caller=mysqld_exporter.go:293 msg="Scraper enabled" scraper=global_status
level=info ts=2022-01-13T02:31:07.644Z caller=mysqld_exporter.go:293 msg="Scraper enabled" scraper=global_variables
level=info ts=2022-01-13T02:31:07.644Z caller=mysqld_exporter.go:293 msg="Scraper enabled" scraper=slave_status
level=info ts=2022-01-13T02:31:07.644Z caller=mysqld_exporter.go:293 msg="Scraper enabled" scraper=info_schema.innodb_cmp
level=info ts=2022-01-13T02:31:07.644Z caller=mysqld_exporter.go:293 msg="Scraper enabled" scraper=info_schema.innodb_cmpmem
level=info ts=2022-01-13T02:31:07.644Z caller=mysqld_exporter.go:293 msg="Scraper enabled" scraper=info_schema.query_response_time
level=info ts=2022-01-13T02:31:07.644Z caller=mysqld_exporter.go:303 msg="Listening on address" address=:9104
level=info ts=2022-01-13T02:31:07.645Z caller=tls_config.go:224 msg="TLS is enabled." http2=true
2022/01/13 10:31:14 http: TLS handshake error from [::1]:45324: remote error: tls: bad certificate
2022/01/13 10:31:29 http: TLS handshake error from [::1]:45328: remote error: tls: bad certificate
2022/01/13 10:31:44 http: TLS handshake error from [::1]:45334: remote error: tls: bad certificate
2022/01/13 10:31:59 http: TLS handshake error from [::1]:45338: remote error: tls: bad certificate
2022/01/13 10:32:14 http: TLS handshake error from [::1]:45344: remote error: tls: bad certificate
2022/01/13 10:32:29 http: TLS handshake error from [::1]:45356: remote error: tls: bad certificate

The repeated "remote error: tls: bad certificate" lines are not the exporter rejecting a client: "remote error" means the peer sent the bad_certificate alert, i.e. a client on the same host ([::1], connecting every 15 s) refused the exporter's certificate during the handshake. The next section shows why.

Configure the Prometheus MySQL scrape job with TLS

[root@zabbix_granfana prometheus]# cat /opt/prometheus/web-config.yml 
#mysql      
  - job_name: "zabbix_grafana_mysql"
  # statically added node
    scheme: https
    tls_config:
      ca_file: 'prometheus_exporter.crt'
    # the endpoint to monitor
    static_configs:
      - targets: ["192.168.1.179:9104"]

Get "https://localhost:9104/metrics": x509: certificate is not valid for any names, but wanted to match localhost

This error comes from the Go TLS client (Prometheus and Grafana are both written in Go). Since Go 1.15 the client no longer falls back to the certificate's CommonName; only subjectAltName entries are used for hostname verification. The certificate created above has CN=192.168.1.179 and no SAN at all, so it is "not valid for any names" no matter which address is dialed. Note also that this particular client dialed localhost, while the certificate's subject names 192.168.1.179, so even with the CN honoured the names would not match. The fix is to reissue the certificate with a subjectAltName that lists every name or IP the scraper actually connects to.
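The following script is an added example, not the post's own commands: it builds a small private CA, issues the exporter a server certificate whose subjectAltName carries both 192.168.1.179 and localhost (the missing SAN is what the x509 error above is complaining about), issues Prometheus a client certificate limited to clientAuth, and writes the two config fragments that turn the server-only TLS shown above into mutual TLS: client_auth_type and client_ca_file on the exporter side, cert_file and key_file in the scrape job's tls_config on the Prometheus side. The output directory, the addresses and the subject names are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example (not from the original post): private CA + server cert with SAN
# + client cert for Prometheus + mTLS config fragments for both sides.
# Assumed values: exporter reachable as 192.168.1.179 and localhost, output
# directory given as $1. Requires OpenSSL 1.1.1 or newer (-addext/-ext/-extfile).
set -eu

make_pki() {
    dir=$1
    mkdir -p "$dir"
    # 1. Private CA. ca.key never leaves the machine that issues certificates.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -subj "/C=CN/O=test.cn/CN=prometheus-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. Exporter (server) certificate. The SAN must list every name or IP the
    #    scraper dials; Go ignores the CN, which is why the post's cert failed.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=CN/O=test.cn/CN=mysqld_exporter" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    printf 'subjectAltName=IP:192.168.1.179,DNS:localhost\nextendedKeyUsage=serverAuth\n' \
        > "$dir/server.ext"
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
    # 3. Prometheus (client) certificate, restricted to clientAuth so a leaked
    #    scraper cert cannot be reused to impersonate the exporter.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=CN/O=test.cn/CN=prometheus" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    openssl x509 -req -days 365 -in "$dir/client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/client.ext" -out "$dir/client.crt" 2>/dev/null
    chmod 600 "$dir"/*.key
    # 4. exporter-toolkit web config. The post's version stops after key_file,
    #    which encrypts but still serves any client; the two extra keys make
    #    the exporter demand a certificate signed by our CA.
    cat > "$dir/web-config.yml" <<EOF
tls_server_config:
  cert_file: server.crt
  key_file: server.key
  client_auth_type: RequireAndVerifyClientCert
  client_ca_file: ca.crt
EOF
    # 5. Prometheus scrape job: trust only our CA and present the client cert.
    cat > "$dir/scrape-job.yml" <<EOF
  - job_name: "zabbix_grafana_mysql"
    scheme: https
    tls_config:
      ca_file: ca.crt
      cert_file: client.crt
      key_file: client.key
    static_configs:
      - targets: ["192.168.1.179:9104"]
EOF
}

# Check the material the way the Go client will: both leaf certs chain to the
# CA, the server cert carries the SAN, and the client cert is clientAuth-only.
verify_pki() {
    dir=$1
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" "$dir/client.crt" \
        >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server.crt" -noout -ext subjectAltName 2>/dev/null \
        | grep -q '192.168.1.179' || return 1
    openssl x509 -in "$dir/client.crt" -noout -ext extendedKeyUsage 2>/dev/null \
        | grep -q 'Client Authentication' || return 1
    echo ok
}

# Usage: sh mtls_pki.sh /opt/pki
if [ $# -eq 1 ]; then
    make_pki "$1" && verify_pki "$1"
fi
```

Copy server.crt, server.key, ca.crt and web-config.yml next to the exporter and restart it with --web.config.file as above; copy ca.crt, client.crt and client.key to the Prometheus host and merge scrape-job.yml into scrape_configs in prometheus.yml. To confirm the exporter now refuses anonymous clients, curl the metrics endpoint with --cacert ca.crt alone (the handshake should fail) and then again adding --cert client.crt --key client.key (it should succeed). Grafana does not scrape the exporter directly, so its datasource still points at Prometheus and needs no client certificate.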


Deploy nginx as a proxy in front of Prometheus; since there is no internal DNS, set up name resolution in the local hosts file and redeploy.
