Commit 8759546a authored by Alan Christopher Thomas

Revert "Remove prometheus"

This reverts commit 2a22b798.
parent 2a22b798
Branches prometheus
name: Prometheus (node_exporter)
protocol: https
topics:
client:
links:
- text: HTTPS Package for Prometheus
url: https://github.com/prometheus/node_exporter/blob/master/https/README.md
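Review bot: The `url` under `links` points at `blob/master/https/README.md`, which follows the branch head and will break or change meaning if that README is moved or rewritten upstream. Consider linking to a tagged release or a commit permalink so the reference stays stable.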
docs/prometheus-node_exporter/logo.png

23.3 KiB

If you want to connect to a `node_exporter` instance independently, and you have client HTTPS authentication configured, you'll need to present a client certificate signed by your CA.
## With curl
Pass your certificate, private key, and root CA certificate to `curl` to authenticate your request over TLS.
```shell-session
$ curl --cert {{ client_cert }} --key {{ client_key }} --cacert {{ ca_cert }} https://node-exporter-node:9100/metrics
```
## With Firefox
Firefox requires that you import a PKCS#12 (`.p12`) certificate bundle. So, you'll need to create that file using your client certificate and key.
```shell-session
$ openssl pkcs12 -export -in {{ client_cert }} -inkey {{ client_key }} -name myuser > firefox.p12
```
You'll have to enter a dummy password to encrypt the file (which you'll decrypt immediately when you import it into Firefox).
Go to Firefox's [Privacy & Security Preferences](about:preferences#privacy) and choose View Certificates... under Certificates. In the "Your Certificates" tab you can import your `.p12` file.
Now let's configure Prometheus to authenticate in the role of client to your `node_exporter` server. Here's an example job configuration block that you'd add to your `prometheus.yml`:
```yaml
#...
scrape_configs:
- job_name: 'node'
scheme: https
tls_config:
# Prometheus will check that the node_exporter presents a certificate
# signed by this ca.
ca_file: '{{ ca_cert }}'
# The cert and key are presented to node_exporter to authenticate
# Prometheus as a client.
cert_file: '{{ client_cert }}'
key_file: '{{ client_key }}'
static_configs:
- targets: ['node_exporter_node:9100']
#...
```
Reload Prometheus, and confirm that the Prometheus dashboard shows your node_exporter target endpoints as "UP"—and using the `https://` scheme.
\ No newline at end of file
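Review bot: In the Firefox section, the sentence after the `openssl pkcs12 -export` command tells the reader to enter a dummy password, but `firefox.p12` contains the client private key, so a throwaway passphrase leaves that key weakly protected on disk for as long as the file exists. Suggest asking for a real passphrase, or adding a step to delete `firefox.p12` once it has been imported. Separately, the curl example targets `node-exporter-node:9100` while the `prometheus.yml` target is `node_exporter_node:9100`; the name the client connects to has to match the server certificate for verification against the CA to pass, so use one spelling throughout. The Prometheus paragraph would also read better under its own `## With Prometheus` heading instead of sitting under `## With Firefox`, and the file is missing its final newline.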
Copy the `{{ server_cert }}`, `{{ server_key }}`, and `{{ ca_cert }}` files to a `node_exporter` configuration directory. You may need to make a directory for this, eg. `/etc/node_exporter`.
```shell-session
$ sudo cp {{ server_cert }} /etc/node_exporter/server.crt
$ sudo cp {{ server_key }} /etc/node_exporter/server.key
$ sudo cp {{ ca_cert }} /etc/node_exporter/root_ca.crt
```
Make sure these files are owned and readable only by the user that `node_exporter` runs as.
Now create a file called `/etc/node_exporter/web-config.yml`:
```ini
tls_server_config:
# This is the server certificate for your `node_exporter` server.
cert_file: "/etc/node_exporter/server.crt"
key_file: "/etc/node_exporter/server.key"
# RequireAndVerifyClientCert is the most secure option; clients
# must present a valid client certificate signed by your CA.
client_auth_type: "RequireAndVerifyClientCert"
# This is the CA the client certificate must be signed by.
client_ca_file: "/etc/node_exporter/root_ca.crt"
```
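Review bot: The line "Make sure these files are owned and readable only by the user that `node_exporter` runs as" has no command behind it, and the three `sudo cp` lines above it leave the files owned by root, so `server.key` ends up either unreadable by the service or readable by more users than intended, depending on its mode. Suggest adding the `chown` to the service user and a `chmod 600` on `/etc/node_exporter/server.key` to the same `shell-session` block. The `web-config.yml` block is fenced as `ini` although the content is YAML, and the page ends without showing how `node_exporter` is started with this file.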