7 files changed +79 -0
lines changed Original file line number Diff line number Diff line change 1+ name : Prometheus (node_exporter)
2+ protocol : prometheus
3+ server_port : 9100
4+ topics :
5+ server_auth :
6+ links :
7+ - text : HTTPS Package for Prometheus
8+ url : https://github.com/prometheus/node_exporter/blob/master/https/README.md
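Review bot: The link at line 8 points at `blob/master`, so it will drift or break when the upstream README changes or moves; pin the URL to a release tag or commit. Separately, `server_auth :` at line 5 is left without a value, while the Prometheus definition in this commit writes its empty map explicitly as `topics : {}`; if an empty entry is intended here, spell it out the same way so the templates do not receive a null.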
Original file line number Diff line number Diff line change 1+ Copy the ` {{ ca_cert }} ` file to a ` node_exporter ` configuration directory. You may need to make a directory for this, eg. ` /etc/node_exporter ` .
2+
3+ ``` shell-session
4+ $ sudo cp {{ ca_cert }} /etc/node_exporter/root_ca.crt
5+ ```
6+
7+ Make sure these files are owned and readable only by the user that ` node_exporter ` runs as.
8+
9+ Now modify ` /etc/node_exporter/web-config.yml ` to require client authentication (in your ` tls_server_config ` block):
10+
11+ ``` ini
12+ tls_server_config:
13+ ...
14+
15+ # RequireAndVerifyClientCert is the most secure option; clients
16+ # must present a valid client certificate signed by your CA.
17+ client_auth_type: " RequireAndVerifyClientCert"
18+
19+ # This is the CA the client certificate must be signed by.
20+ client_ca_file: " /etc/node_exporter/root_ca.crt"
21+
22+ ...
23+ ```
24+
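Review bot: Line 7 says "these files" should be readable only by the `node_exporter` user, but this document copies a single file, and that file is the CA certificate, which is public; the sentence looks carried over from the server certificate instructions. Reword it to refer to one file that `node_exporter` can read, and put the emphasis on restricting write access, since whoever can replace `root_ca.crt` decides which clients are trusted. The fence at line 11 is tagged `ini` although `web-config.yml` is YAML. It would also help to say next to line 19 that every certificate issued by this CA will be accepted as a client.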
Original file line number Diff line number Diff line change 1+ Copy the ` {{ server_cert }} ` and ` {{ server_key }} ` files to a ` node_exporter ` configuration directory. You may need to make a directory for this, eg. ` /etc/node_exporter ` .
2+
3+ ``` shell-session
4+ $ sudo cp {{ server_cert }} /etc/node_exporter/server.crt
5+ $ sudo cp {{ server_key }} /etc/node_exporter/server.key
6+ ```
7+
8+ Make sure these files are owned and readable only by the user that ` node_exporter ` runs as.
9+
10+ Now create a file called ` /etc/node_exporter/web-config.yml ` and configure your ` tls_server_config ` block to use the server certificate and key:
11+
12+ ``` ini
13+ tls_server_config:
14+ # This is the server certificate for your `node_exporter` server.
15+ cert_file: " /etc/node_exporter/server.crt"
16+ key_file: " /etc/node_exporter/server.key"
17+
18+ ...
19+ ```
20+
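Review bot: Lines 4-5 copy the private key with `sudo cp`, which leaves `server.key` owned by root with a mode derived from the source file, and line 8 then asks for the right ownership and permissions without showing how to set them. Add explicit ownership and mode commands to the shell-session block (owner-only read on the key), so the reader does not end up with a key that is either world-readable or unreadable by the service. The fence at line 12 is tagged `ini` although the file is YAML, and the document never says how `node_exporter` is told to load `web-config.yml`.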
Original file line number Diff line number Diff line change 1+ name : Prometheus
2+ protocol : prometheus
3+ server_port : 9100
4+ topics : {}
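Review bot: `server_port : 9100` at line 3 repeats the node_exporter port from the node_exporter definition; Prometheus itself listens on 9090 by default. If this file describes Prometheus as the scraping client, drop the key or add a comment saying it is the target's port, so the value is not read as the port Prometheus serves on.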
Original file line number Diff line number Diff line change 1+ Add the following job configuration block to your ` prometheus.yml ` to authenticate as a client to your targets:
2+
3+ ``` yaml
4+ # ...
5+ scrape_configs :
6+ - job_name : ' node'
7+
8+ scheme : https
9+ tls_config :
10+ # Prometheus will check that the node_exporter presents a certificate
11+ # signed by this ca.
12+ ca_file : ' {{ ca_cert }}'
13+ # The cert and key are presented to node_exporter to authenticate
14+ # Prometheus as a client.
15+ cert_file : ' {{ client_cert }}'
16+ key_file : ' {{ client_key }}'
17+
18+ static_configs :
19+ - targets : ['{{ server_name }}:{{ server_port }}']
20+ # ...
21+ ```
22+
23+ Reload Prometheus, and confirm that the Prometheus dashboard shows your target endpoints as "UP"—and using the ` https:// ` scheme.
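Review bot: The `tls_config` at lines 12-16 references `{{ client_key }}` in place and, unlike the node_exporter instructions, says nothing about where the client certificate and key should live or who may read them. Add a step that puts them where the Prometheus user can read them and restricts the key to that user. It is also worth stating near line 19 that `{{ server_name }}` must match a name in the node_exporter certificate, otherwise verification against `ca_file` fails and the target never shows as "UP", and line 23 could say how to reload.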