一、序言
本篇将介绍如何使用数字证书为Promethus 访问提供加密功能,由于是实验环境证书由openssl生成,操作指南来自官网手册:https://prometheus.io/docs/guides/tls-encryption/
在生产环境中prometheus可能会放在后端,证书一般配置在前端。
二、生成ssl证书
openssl req \
-x509 \
-newkey rsa:4096 \
-nodes \
-keyout prometheus.key \
-out prometheus.crt \
-subj "/CN=192.168.25.225"-subj "/CN=192.168.25.225": 指定服务器地址或者域名
查看证书文件:
ls /root/certificate/
clike
prometheus.crt prometheus.key三、配置Promethus
认证也是这个文件,认证操作指导:https://prometheus.io/docs/guides/basic-auth
1. 创建web-config.yml 文件配置证书
clike
tls_server_config:
cert_file: /root/certificate/prometheus.crt
key_file: /root/certificate/prometheus.key2. 修改prometheus.yml文件
scrape_configs:
- job_name: "node"
metrics_path: "/metrics"
scheme: "https" # 协议这里需要选择https
tls_config:
ca_file: /root/certificate/prometheus.crt
insecure_skip_verify: true
static_configs:
- targets: ['localhost:9090']添加tls_config配置:
ca_file:指定公钥位置insecure_skip_verify:禁用服务器对证书验证(因为是自建证书所以必须开启)
3. Prometheus 启动时指定web-config.yml配置文件
./prometheus \
--config.file=./prometheus.yml \
--web.config.file=./web-config.yml 4. 使用https访问Prometheus
curl --cacert /root/certificate/prometheus.crt https://192.168.25.225:9090/api/v1/label/job/values | jq
clike
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 68 100 68 0 0 4008 0 --:--:-- --:--:-- --:--:-- 4533
{
"status": "success",
"data": [
"node",
"prometheus",
"promethus",
"test"
]
}或者跳过证书:
curl -k https://192.168.25.225:9090/api/v1/label/job/values | jq
clike
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 68 100 68 0 0 3944 0 --:--:-- --:--:-- --:--:-- 4250
{
"status": "success",
"data": [
"node",
"prometheus",
"promethus",
"test"
]
}