一、序言
本篇将介绍如何使用数字证书为Promethus 访问提供加密功能,由于是实验环境证书由openssl生成,操作指南来自官网手册:https://prometheus.io/docs/guides/tls-encryption/
在生产环境中prometheus可能会放在后端,证书一般配置在前端。
二、生成ssl证书
openssl req \-x509 \-newkey rsa:4096 \-nodes \-keyout prometheus.key \-out prometheus.crt \-subj "/CN=192.168.25.225"
-subj "/CN=192.168.25.225": 指定服务器地址或者域名
查看证书文件:
ls /root/certificate/
prometheus.crt prometheus.key
三、配置Promethus
认证也是这个文件,认证操作指导:https://prometheus.io/docs/guides/basic-auth
1. 创建web-config.yml 文件配置证书
tls_server_config:cert_file: /root/certificate/prometheus.crtkey_file: /root/certificate/prometheus.key
2. 修改prometheus.yml文件
scrape_configs:- job_name: "node"metrics_path: "/metrics"scheme: "https" # 协议这里需要选择httpstls_config:ca_file: /root/certificate/prometheus.crtinsecure_skip_verify: truestatic_configs:- targets: ['localhost:9090']
添加tls_config配置:
ca_file:指定公钥位置insecure_skip_verify:禁用服务器对证书验证(因为是自建证书所以必须开启)
3. Prometheus 启动时指定web-config.yml配置文件
./prometheus \--config.file=./prometheus.yml \--web.config.file=./web-config.yml
4. 使用https访问Prometheus
curl --cacert /root/certificate/prometheus.crt https://192.168.25.225:9090/api/v1/label/job/values | jq
% Total % Received % Xferd Average Speed Time Time Time CurrentDload Upload Total Spent Left Speed
100 68 100 68 0 0 4008 0 --:--:-- --:--:-- --:--:-- 4533
{"status": "success","data": ["node","prometheus","promethus","test"]
}
或者跳过证书:
curl -k https://192.168.25.225:9090/api/v1/label/job/values | jq
% Total % Received % Xferd Average Speed Time Time Time CurrentDload Upload Total Spent Left Speed
100 68 100 68 0 0 3944 0 --:--:-- --:--:-- --:--:-- 4250
{"status": "success","data": ["node","prometheus","promethus","test"]
}
)
)
)
)
![[TG开发]简单的回声机器人](http://pic.xiahunao.cn/[TG开发]简单的回声机器人)
)
