vbezgachev / maxctrl_exporter

MaxScale metrics exporter for Prometheus
Apache License 2.0
12 stars 12 forks

Does the latest version support TLS for Prometheus --> exporter data collection #15

Open amgads opened 1 year ago

amgads commented 1 year ago

Does the latest version support TLS for Prometheus --> exporter data collection? If yes, any documentation pointer?

vbezgachev commented 1 year ago

Hey, @amgads. This PR, https://github.com/vbezgachev/maxctrl_exporter/commit/ae031e788b37038f941bea1ab5d38ebee9e5310e, implemented TLS support. I hope it helps.

amgads commented 1 year ago

Thanks Vitaly -- will give it a try

amgads commented 1 year ago

Hi @vbezgachev --

1). We tried to access the exporter as a server, similar to our query above "Prometheus --> exporter", where Prometheus or any other client tries to scrape from the exporter as a "Server" -- That doesn't seem to work when we specify explicitly "https":

    [root@ahs-ncs-2212-cntrl-edge-01 tmp]# curl -s -g -4 https://192.168.1.154:9195/metrics --ssl --cacert /tmp/mxs-server-ca-cert.pem | grep -v '#' | grep maxctrl_up

2). If we try without https or with http, it works, which means it is only using http even with maxscale/exporter configured with tls:

    [root@ahs-ncs-2212-cntrl-edge-01 tmp]# curl -s -g -4 192.168.1.154:9195/metrics --ssl --cacert /tmp/mxs-server-ca-cert.pem | grep -v '#' | grep maxctrl_up
    maxctrl_up 1
    [root@ahs-ncs-2212-cntrl-edge-01 tmp]# curl -s -g -4 http://192.168.1.154:9195/metrics --ssl --cacert /tmp/mxs-server-ca-cert.pem | grep -v '#' | grep maxctrl_up
    maxctrl_up 1

==> In your documentation at https://github.com/vbezgachev/maxctrl_exporter/blob/master/README.md it states --> MAXSCALE_CA_CERTIFICATE. Certificate to use to verify a secure connection

Is it possible to scrape an https end-point? Are you also aware of any other way to confirm if you support "https" access to the exporter as a server from an external client (i.e. Prometheus)?

amgads commented 1 year ago

Appreciate your support!

vbezgachev commented 1 year ago

Hey, @amgads! Currently, the exporter listens and serves HTTP connections - https://github.com/vbezgachev/maxctrl_exporter/blob/master/maxctrl_exporter.go#L363.

    log.Fatal(http.ListenAndServe(localIP+":"+maxScaleExporterPort, nil))

I see two possibilities.

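Option 1: Start listening and serve on the TLS port. It would be a change in the code like this:

    // Keep serving plain HTTP on the existing port in the background.
    go func() {
        log.Fatal(http.ListenAndServe(localIP+":"+maxScaleExporterPort, nil))
    }()

    // Serve HTTPS on a separate port using the server certificate and key.
    log.Fatal(http.ListenAndServeTLS(localIP+":"+maxScaleExporterPortSecure, certFile, keyFile, nil))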

Option 2: Hide the exporter behind, e.g. nginx, and configure nginx to accept HTTP and HTTPS connections.

IMO, the second option is a cleaner solution. Let me know your thoughts.
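
The curl checks earlier in the thread succeed against the plain listener whether or not a CA bundle is passed, so a successful scrape alone does not show that TLS was used. The following is an added example, not code from this thread or from the project: a Go check that inspects `resp.TLS`, run against one plain and one TLS listener as in Option 1. The names `metrics`, `scrape` and `demo` are assumptions, the listeners are local `httptest` servers using Go's built-in test certificate, and the metric line is constructed sample output.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// metrics stands in for the exporter's /metrics handler (constructed sample output).
var metrics = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
	fmt.Fprintln(w, "maxctrl_up 1")
})

// scrape fetches url trusting only the CAs in pool; overTLS is false for plain HTTP.
func scrape(url string, pool *x509.CertPool) (body string, overTLS bool, err error) {
	client := &http.Client{Transport: &http.Transport{
		DisableKeepAlives: true,
		TLSClientConfig:   &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
	}}
	resp, err := client.Get(url)
	if err != nil {
		return "", false, err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), resp.TLS != nil, err
}

// demo runs a plain and a TLS listener side by side and scrapes both,
// then scrapes the TLS listener again with an empty CA pool.
func demo() (plainBody string, plainTLS, secureTLS bool, wrongCAErr error) {
	plain := httptest.NewServer(metrics)
	defer plain.Close()
	secure := httptest.NewTLSServer(metrics)
	defer secure.Close()
	pool := x509.NewCertPool()
	pool.AddCert(secure.Certificate()) // trust only the test server's certificate
	plainBody, plainTLS, _ = scrape(plain.URL+"/metrics", pool)
	_, secureTLS, _ = scrape(secure.URL+"/metrics", pool)
	_, _, wrongCAErr = scrape(secure.URL+"/metrics", x509.NewCertPool())
	return
}

func main() {
	fmt.Println(demo())
}
```

The plain scrape returns the metric with `overTLS` false even though a CA pool was supplied, while the TLS scrape verifies against the pool and fails when the pool does not contain the server's certificate.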