Prometheus components do not provide a built-in way to secure their interfaces in any way, at least for now. If no additional components are set up to enable encryption or authentication (or both), all the traffic between Prometheus and its components is sent in plain text, and there are no access restrictions: anyone who knows where to look can access these interfaces.

Securing this setup would usually involve some sort of reverse proxy in front of Prometheus and its components, which could enable both traffic encryption with a TLS certificate and authentication with, for example, a username and password or the same TLS certificate. There are numerous options out there for this purpose: nginx, HAProxy, hitch, ghostunnel etc. This post goes into a bit more technical detail on how to secure communication between Prometheus and node_exporter on a remote system with the help of TLS certificates and one such tool, stunnel.

TLS certificates

First off, we will need TLS certificates for authentication and for securing the traffic. To test this out, we will use an ad-hoc CA and self-signed certificates. For production, using a proper, well-protected CA to sign all of the certificates is a must, so the following two steps would probably not be necessary in that case, since the CA would already be in place.

So, to create the ad-hoc CA key and certificate for testing:

openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 720 -key ca.key -out ca.crt

Next, we would need certificates to be used on the Prometheus server and on the server(s) running exporter(s), signed by this (or the production) CA. As mentioned, in the last step below (signing of the certificate with openssl x509) for the exporter(s), it is important to note what was supplied for the Common Name/CN parameter. It does not have to be an FQDN, but it will later become useful when configuring the Prometheus server. Other than that, it's a straightforward process, and any values can be used.
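The following is an added example, not code from the original post: it scripts the ad-hoc test CA described above, issues one exporter certificate signed by that CA, and checks that the result actually chains back to the CA and carries the CN that was requested. The working directory, the CA name "prometheus-test-ca" and the exporter name "node-exporter-1" are assumptions made for the demo. It also deliberately generates an unencrypted CA key so it can run non-interactively, whereas the -des3 in the post protects the CA key with a passphrase, which is the right choice for anything beyond a throwaway test.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names: the directory
# passed as $1, CA CN "prometheus-test-ca", exporter CN "node-exporter-1".
set -eu

# Throwaway CA. Unencrypted key only because the run must be non-interactive;
# the post's "genrsa -des3" variant keeps the CA key passphrase-protected.
make_test_ca() {
  dir="$1"
  mkdir -p "$dir"
  openssl genrsa -out "$dir/ca.key" 4096 2>/dev/null
  openssl req -new -x509 -days 720 -key "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/CN=prometheus-test-ca" 2>/dev/null
}

# Key, CSR and CA-signed certificate for one host. $2 becomes the Common Name,
# the value the post says the Prometheus-side configuration will refer to later.
issue_cert() {
  dir="$1"; name="$2"
  openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" \
    -subj "/CN=$name" 2>/dev/null
  # Also put the name into subjectAltName: current TLS clients match host names
  # against SAN rather than CN (an addition here, not something the post covers).
  printf 'subjectAltName=DNS:%s\n' "$name" > "$dir/$name.ext"
  openssl x509 -req -days 365 -in "$dir/$name.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# Fails (non-zero exit) unless the certificate chains to ca.crt; on success
# prints the CN from the certificate's subject so the caller can compare it.
verify_cert() {
  dir="$1"; name="$2"
  openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null
  openssl x509 -in "$dir/$name.crt" -noout -subject -nameopt RFC2253 | sed 's/.*CN=//'
}

# Stand-alone demo run in a temporary directory.
demo_dir=$(mktemp -d)
make_test_ca "$demo_dir"
issue_cert "$demo_dir" node-exporter-1
echo "issued certificate for CN: $(verify_cert "$demo_dir" node-exporter-1)"
```

Run it as a plain sh script; it needs only the openssl command-line tool. The verify step is the part worth keeping in any real setup: a certificate that was not signed by ca.crt (for example one a host self-signed on its own) fails the openssl verify call, which is exactly the property the stunnel configuration later relies on when it is told to trust only this CA.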