[英]Auto detection of TLS ( self signed) scrape endpoint by Prometheus on k8s
I am scraping metrics of a service on a Kubernetes cluster. 我正在Kubernetes集群上抓取服务的指标。 I just annotated the service so that Prometheus detects and start scraping automatically.
我只是对服务进行了注释,以便Prometheus自动检测并开始抓取。 The following annotations were added to the service:
以下注释已添加到服务:
metadata:
annotations:
prometheus.io/path: /minio/prometheus/metrics
prometheus.io/port: "9000"
prometheus.io/scrape: "true"
This works fine as long as the service is not configured with TLS. 只要未使用TLS配置服务,此方法就可以正常工作。 However when I enable TLS (HTTPS) Prometheus is no longer able to discover and scrape the service automatically.
但是,当我启用TLS(HTTPS)时,Prometheus不再能够自动发现和抓取服务。 To scrape from TLS enabled server I need to explicitly add the scrape endpoint with
insecure_skip_verify
. 要从启用TLS的服务器中进行刮取,我需要使用
insecure_skip_verify
显式添加刮取端点。 I am using self signed certificate. 我正在使用自签名证书。
Is there any way I can configure Prometheus in such way that it can discover and start scraping endpoints automatically when endpoints are TLS enabled with self signed certificate? 有什么方法可以配置Prometheus,使其在使用自签名证书启用TLS时自动发现并开始抓取端点?
The simplest approach is for your app to expose a non-TLS metrics deicated port so you can have all traffic secured and metrics exposed with clear http. 最简单的方法是让您的应用公开非TLS指标专用端口,以便您可以保护所有流量,并使用清晰的http公开指标。 That is the way that's suggested for ie.
这就是建议的方式。 Istio for mTLS and healthchecks
Istio用于mTLS和运行状况检查
You can use a separate port for health check and enable mutual TLS only
on the regular service port.
other then that you can add tls config to your scrape targets 除此之外,您可以将tls配置添加到您的抓取目标 so if you have your own selfsigned CA add it's cert here and it should be fine.
因此,如果您有自己的自签名CA,请在此处添加它的证书,应该没问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.