Does the latest version support TLS for Prometheus --> exporter data collection #15

Open
amgads opened this issue Apr 26, 2023 · 5 comments

Comments

@amgads

amgads commented Apr 26, 2023

Does the latest version support TLS for Prometheus --> exporter data collection
If yes, any documentation pointer?

@vbezgachev
Owner

Hey, @amgads. This PR, ae031e7, implemented TLS support. I hope it helps.

@amgads
Author

amgads commented Apr 27, 2023

Thanks Vitaly -- will give it a try

@amgads
Author

amgads commented May 17, 2023

Hi @vbezgachev --
1). We tried to access the exporter as a server, similar to our query above "Prometheus --> exporter", where Prometheus or any other client tries to scrape from the exporter as a "Server" -- that doesn't seem to work when we explicitly specify "https":

    [root@ahs-ncs-2212-cntrl-edge-01 tmp]# curl -s -g -4 https://192.168.1.154:9195/metrics --ssl --cacert /tmp/mxs-server-ca-cert.pem | grep -v '#' | grep maxctrl_up

2). If we try without https or with http, it works, which means it is only using http even with maxscale/exporter configured with tls:

    [root@ahs-ncs-2212-cntrl-edge-01 tmp]# curl -s -g -4 192.168.1.154:9195/metrics --ssl --cacert /tmp/mxs-server-ca-cert.pem | grep -v '#' | grep maxctrl_up
    maxctrl_up 1
    [root@ahs-ncs-2212-cntrl-edge-01 tmp]# curl -s -g -4 http://192.168.1.154:9195/metrics --ssl --cacert /tmp/mxs-server-ca-cert.pem | grep -v '#' | grep maxctrl_up
    maxctrl_up 1

==> In your documentation at https://github.com/vbezgachev/maxctrl_exporter/blob/master/README.md
it states --> MAXSCALE_CA_CERTIFICATE. Certificate to use to verify a secure connection

Is it possible to scrape an https end-point? Are you also aware of any other way to confirm if you support "https" access to the exporter as a server from an external client (i.e. Prometheus)?

@amgads
Author

amgads commented May 17, 2023

Appreciate your support!

@vbezgachev
Owner

vbezgachev commented May 19, 2023

Hey, @amgads! Currently, the exporter listens and serves HTTP connections - https://github.com/vbezgachev/maxctrl_exporter/blob/master/maxctrl_exporter.go#L363.

    log.Fatal(http.ListenAndServe(localIP+":"+maxScaleExporterPort, nil))

I see two possibilities.

Option 1
Start listening and serve on the TLS port. It would be a change in the code like this:

    go func() {
        log.Fatal(http.ListenAndServe(localIP+":"+maxScaleExporterPort, nil))
    }()

    log.Fatal(http.ListenAndServeTLS(localIP+":"+maxScaleExporterPortSecure, certFile, keyFile, nil))

Option 2
Hide the exporter behind, e.g. nginx, and configure nginx to accept HTTP and HTTPS connections.

IMO, the second option is a cleaner solution. Let me know your thoughts.
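
One way to confirm from the client side whether a metrics endpoint really serves TLS, as asked earlier in this thread: an added example (not code from maxctrl_exporter) that starts a stand-in exporter on Go's httptest TLS server and scrapes it three ways. The helper names `newTLSExporter` and `scrape`, the sample metric and the throwaway certificate are assumptions for illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// newTLSExporter starts a stand-in exporter on a loopback TLS listener.
// httptest supplies a throwaway certificate; a real exporter would load its
// own certFile and keyFile, as in Option 1 above.
func newTLSExporter() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/metrics", func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprintln(w, "maxctrl_up 1") // constructed sample metric
	})
	ts := httptest.NewUnstartedServer(mux)
	ts.TLS = &tls.Config{MinVersion: tls.VersionTLS12}
	ts.StartTLS()
	return ts
}

// scrape fetches url and verifies the server certificate against roots only.
func scrape(url string, roots *x509.CertPool) (int, string, error) {
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots}}
	defer tr.CloseIdleConnections()
	resp, err := (&http.Client{Transport: tr}).Get(url)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

func main() {
	ts := newTLSExporter()
	defer ts.Close()
	roots := x509.NewCertPool()
	roots.AddCert(ts.Certificate())
	plain := strings.Replace(ts.URL, "https://", "http://", 1)
	fmt.Println(scrape(ts.URL+"/metrics", roots))              // HTTPS, trusted CA: scrape succeeds
	fmt.Println(scrape(ts.URL+"/metrics", x509.NewCertPool())) // HTTPS, CA not trusted: verification fails
	fmt.Println(scrape(plain+"/metrics", roots))               // plain HTTP on the TLS port: rejected
}
```

If the third request returns metrics, the port is serving plain HTTP, which matches the curl results reported above.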
