Re: [prometheus-users] Pushgateway via https

Bjoern Rabenstein

Jun 18, 2021, 6:53:40 PM
to techy, Prometheus Users
On 11.06.21 04:11, techy wrote:
> - Under tls_config, there are options to specify ca_file and cert_file &
> key_file in prometheus.yml. Can anyone clarify what has to be mentioned
> here?
> - Also, --web.config.file is mentioned somewhere:
> https://github.com/prometheus/exporter-toolkit/blob/master/docs/web-configuration.md
> What is this for?
> - Am I right in thinking that there are no code changes to enable TLS for
> pushgateway except changing the pushgateway url to use https?

The server-side TLS support is always done using the same building
blocks, and how to configure those is described in that file you
linked,
i.e. https://github.com/prometheus/exporter-toolkit/blob/master/docs/web-configuration.md

Note that "server" is meant in the network sense here. Ironically, the
Prometheus server doesn't act as such a server during metrics
collection. The Prometheus server is a TCP/HTTP(S) _client_ scraping
/metrics endpoints, which are served by a TCP/HTTP(S) _server_.

With the Pushgateway in the game, things are getting even spicier,
because pushing to the Pushgateway happens by a _client_ pushing to a
_server_ (the Pushgateway), and then the Pushgateway is scraped by the
Prometheus "server", so from the network perspective, the Pushgateway
acts as a server _twice_.

The Push:

[Pushing binary] --CLIENT-----HTTP(S)-----SERVER--> [Pushgateway]

The Scrape:

[Pushgateway] <--SERVER------HTTP(S)------CLIENT-- [Prometheus]

With TLS, the client-side config is usually the simple part. You
mostly just change the URL from http:// to https:// (YMMV).

The server side is where dragons are. In your case, you need to
configure the Pushgateway for that, see
https://github.com/prometheus/pushgateway#tls-and-basic-authentication
, which (unsurprisingly) points back to
https://github.com/prometheus/exporter-toolkit/blob/master/docs/web-configuration.md
.

Once you have configured the Pushgateway appropriately, both pushing
and scraping should "just work".

--
Björn Rabenstein
[PGP-ID] 0x851C3DA17D748D03
[email] bjo...@rabenste.in
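The two roles described in the message above, written out as configuration. This is an added example, not part of the original post or of the Prometheus project's documentation; all file paths and the hostname are constructed placeholders, and the mutual-TLS lines are shown commented out as an optional hardening step.

```yaml
# --- File 1: web-config.yml, read by the Pushgateway (the TLS *server*) ---
# Started as: pushgateway --web.config.file=web-config.yml
# Paths are placeholders; the key file should be readable only by the
# account the Pushgateway runs as.
tls_server_config:
  # Certificate and private key the Pushgateway presents to every client,
  # i.e. to the pushing binaries and to the scraping Prometheus alike.
  # The certificate's SAN must match the hostname the clients connect to.
  cert_file: /etc/pushgateway/tls/server.crt
  key_file: /etc/pushgateway/tls/server.key
  # Optional mutual TLS: only clients holding a certificate signed by this
  # CA may connect. This applies to pushers AND to Prometheus, so both
  # then need a client certificate of their own.
  # client_auth_type: RequireAndVerifyClientCert
  # client_ca_file: /etc/pushgateway/tls/clients-ca.crt
---
# --- File 2: excerpt from prometheus.yml (Prometheus is the TLS *client*) ---
scrape_configs:
  - job_name: pushgateway
    scheme: https            # the "change http:// to https://" step
    tls_config:
      # CA that signed the Pushgateway's server certificate. Needed when
      # that CA is not already in the system trust store.
      ca_file: /etc/prometheus/tls/ca.crt
      # cert_file/key_file are a *client* certificate and are only needed
      # when the server side enforces client_auth_type as shown above.
      # cert_file: /etc/prometheus/tls/prometheus-client.crt
      # key_file: /etc/prometheus/tls/prometheus-client.key
    static_configs:
      - targets: ["pushgateway.example.internal:9091"]
```

The pushing binaries need the same client-side treatment as Prometheus: an https:// URL, trust in the CA that signed the Pushgateway certificate, and a client certificate only if mutual TLS is enabled.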