Closed jicki closed 2 years ago
I don't understand the question. Can you give me an example of what you're doing and what you're getting back from the exporter?
Sorry, my English is so bad.
```yaml
- job_name: ssl-kubernetes
  metrics_path: /probe
  params:
    module: ["file"]
    target: ["/etc/kubernetes/**/*.crt"]
  kubernetes_sd_configs:
    - role: node
  relabel_configs:
    - source_labels: [__address__]
      regex: ^(.*):(.*)$
      target_label: __address__
      replacement: prometheus-ssl-exporter:9219
```
prometheus --- ssl_file_cert_not_after :
I only got ca.crt. I want to get other certificates such as apiserver.crt, proxy-client.crt, kubelet-client.crt.
ssl_file_cert_not_after{cn="kubernetes",file="/etc/kubernetes/ssl/ca.crt",instance="master01.development-uat-k8s",issuer_cn="kubernetes",job="ssl-kubernetes",serial_no="0"} | 1922176623
ssl_file_cert_not_after{cn="kubernetes",file="/etc/kubernetes/ssl/ca.crt",instance="master02.development-uat-k8s",issuer_cn="kubernetes",job="ssl-kubernetes",serial_no="0"} | 1922176623
ssl_file_cert_not_after{cn="kubernetes",file="/etc/kubernetes/ssl/ca.crt",instance="master03.development-uat-k8s",issuer_cn="kubernetes",job="ssl-kubernetes",serial_no="0"} | 1922176623
ssl_file_cert_not_after{cn="kubernetes",file="/etc/kubernetes/ssl/ca.crt",instance="node01.development-uat-k8s",issuer_cn="kubernetes",job="ssl-kubernetes",serial_no="0"} | 1922176623
ssl_file_cert_not_after{cn="kubernetes",file="/etc/kubernetes/ssl/ca.crt",instance="node02.development-uat-k8s",issuer_cn="kubernetes",job="ssl-kubernetes",serial_no="0"} | 1922176623
ssl_file_cert_not_after{cn="kubernetes",file="/etc/kubernetes/ssl/ca.crt",instance="node03.development-uat-k8s",issuer_cn="kubernetes",job="ssl-kubernetes",serial_no="0"} | 1922176623
ssl_file_cert_not_after{cn="kubernetes",file="/etc/kubernetes/ssl/ca.crt",instance="node04.development-uat-k8s",issuer_cn="kubernetes",job="ssl-kubernetes",serial_no="0"} | 1922176623
ssl_file_cert_not_after{cn="kubernetes",file="/etc/kubernetes/ssl/ca.crt",instance="node05.development-uat-k8s",issuer_cn="kubernetes",job="ssl-kubernetes",serial_no="0"} | 1922176623
ssl_file_cert_not_after{cn="kubernetes",file="/etc/kubernetes/ssl/ca.crt",instance="node06.development-uat-k8s",issuer_cn="kubernetes",job="ssl-kubernetes",serial_no="0"} | 1922176623
ssl_file_cert_not_after{cn="kubernetes",file="/etc/kubernetes/ssl/ca.crt",instance="node07.development-uat-k8s",issuer_cn="kubernetes",job="ssl-kubernetes",serial_no="0"} | 1922176623
help me
Are apiserver.crt, proxy-client.crt and kubelet-client.crt located under /etc/kubernetes? Do those files actually exist? Are they readable by the exporter?
Are there any errors in the ssl_exporter logs?
> Are apiserver.crt, proxy-client.crt and kubelet-client.crt located under /etc/kubernetes? Do those files actually exist? Are they readable by the exporter? Are there any errors in the ssl_exporter logs?
Yes, apiserver.crt, proxy-client.crt and kubelet-client.crt are located in /etc/kubernetes/ssl/, but only on the Master node.
ls -lt /etc/kubernetes/ssl/*.crt
-rw-r--r-- 1 root root 1879 Dec 2 2020 /etc/kubernetes/ssl/apiserver.crt
-rw-r--r-- 1 root root 1058 Dec 1 2020 /etc/kubernetes/ssl/front-proxy-client.crt
-rw-r--r-- 1 root root 1038 Dec 1 2020 /etc/kubernetes/ssl/front-proxy-ca.crt
-rw-r--r-- 1 root root 1099 Dec 1 2020 /etc/kubernetes/ssl/apiserver-kubelet-client.crt
-rw-r--r-- 1 root root 1025 Dec 1 2020 /etc/kubernetes/ssl/ca.crt
```yaml
volumes:
  hostpath:
    path: /etc/kubernetes/ssl
```
The ssl_exporter logs show no errors:
time="2021-06-21T08:48:59Z" level=info msg="Starting ssl_exporter (version=2.2.0, branch=tags/v2.2.0, revision=5d3ac12e65adb103fe839ecd482fad7dce50cf26)" source="ssl_exporter.go:130"
time="2021-06-21T08:48:59Z" level=info msg="Build context (go=go1.15.6, user=root@95e5d8c3be18, date=20201207-21:37:46)" source="ssl_exporter.go:131"
time="2021-06-21T08:48:59Z" level=info msg="Listening on :9219" source="ssl_exporter.go:148"
It might be to do with your scrape config, specifically this relabel:
```yaml
relabel_configs:
  - source_labels: [__address__]
    regex: ^(.*):(.*)$
    target_label: __address__
    replacement: prometheus-ssl-exporter:9219
```
This is going to be replacing the address you get from the kubernetes sd discovery (i.e. master01.development-uat-k8s) with what I assume is a kubernetes service prometheus-ssl-exporter. So for every single node, you're going to the same ssl-exporter, which is presumably running on a non-master node, hence why you only get the ca.crt.
Try this relabel_config instead:
```yaml
relabel_configs:
  - source_labels: [__address__]
    regex: ^(.*):(.*)$
    target_label: __address__
    replacement: ${1}:9219
```
Note: ssl_exporter should be running as a DaemonSet on every node.
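The effect of the two relabel rules discussed above on discovered node addresses, as an added example (not code from this thread, ssl_exporter or Prometheus): a simplified Python model of the Prometheus `replace` relabel action. The function names and the kubelet port 10250 in the sample addresses are assumptions; the host names are taken from the metrics posted in the thread.

```python
import re

def relabel_replace(labels, source_labels, regex, target_label, replacement, separator=";"):
    """Apply one `replace` relabel rule to a label set (simplified model)."""
    value = separator.join(labels.get(name, "") for name in source_labels)
    # Prometheus anchors relabel regexes at both ends, hence fullmatch.
    match = re.fullmatch(regex, value)
    if match is None:
        return dict(labels)  # no match: the label set is left unchanged
    # Translate Prometheus ${1} / $1 references into Python's \g<1> form.
    template = re.sub(r"\$\{?(\d+)\}?", r"\\g<\1>", replacement)
    out = dict(labels)
    out[target_label] = match.expand(template)
    return out

# Constructed sample: addresses as node-role service discovery might emit them.
# The port 10250 is an assumption, not a value from the thread.
DISCOVERED = [
    "master01.development-uat-k8s:10250",
    "node01.development-uat-k8s:10250",
    "node02.development-uat-k8s:10250",
]

# The parts of the rule that are identical in both configs from the thread.
RULE = {
    "source_labels": ["__address__"],
    "regex": r"^(.*):(.*)$",
    "target_label": "__address__",
}

def scrape_targets(replacement):
    """Return the address Prometheus would actually contact for each node."""
    return [
        relabel_replace({"__address__": addr}, replacement=replacement, **RULE)["__address__"]
        for addr in DISCOVERED
    ]

if __name__ == "__main__":
    for name, repl in [("original", "prometheus-ssl-exporter:9219"),
                       ("suggested", "${1}:9219")]:
        targets = scrape_targets(repl)
        print(f"{name}: {len(set(targets))} distinct exporter(s) -> {targets}")
```

With the original replacement every node collapses onto one exporter address, so only the certificate files visible to that single exporter are ever reported; with `${1}:9219` each node's own exporter is probed.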
Did you manage to resolve your issues?
Why can only the ca certificate be detected, can other certificates also be detected?