provide TLS feature using Prometheus community exporter-toolkit web #231
Changes from all commits
8947418
f84a413
803b947
4c0c222
f3ad1ff
|
@@ -24,6 +24,8 @@ import ( | |
"github.com/prometheus/client_golang/prometheus" | ||
"github.com/prometheus/client_golang/prometheus/promhttp" | ||
"github.com/prometheus/common/model" | ||
"github.com/prometheus/common/promlog" | ||
"github.com/prometheus/exporter-toolkit/web" | ||
) | ||
|
||
func getEnv(key, defaultValue string) string { | ||
|
@@ -196,36 +198,12 @@ func parseUnixSocketAddress(address string) (string, string, error) { | |
return unixSocketPath, requestPath, nil | ||
} | ||
|
||
func getListener(listenAddress string) (net.Listener, error) { | ||
var listener net.Listener | ||
var err error | ||
|
||
if strings.HasPrefix(listenAddress, "unix:") { | ||
path, _, pathError := parseUnixSocketAddress(listenAddress) | ||
if pathError != nil { | ||
return listener, fmt.Errorf("parsing unix domain socket listen address %s failed: %w", listenAddress, pathError) | ||
} | ||
listener, err = net.ListenUnix("unix", &net.UnixAddr{Name: path, Net: "unix"}) | ||
} else { | ||
listener, err = net.Listen("tcp", listenAddress) | ||
} | ||
|
||
if err != nil { | ||
return listener, err | ||
} | ||
log.Printf("Listening on %s", listenAddress) | ||
return listener, nil | ||
} | ||
|
||
var ( | ||
// Set during go build | ||
version string | ||
|
||
// Defaults values | ||
defaultListenAddress = getEnv("LISTEN_ADDRESS", ":9113") | ||
defaultSecuredMetrics = getEnvBool("SECURED_METRICS", false) | ||
defaultSslServerCert = getEnv("SSL_SERVER_CERT", "") | ||
defaultSslServerKey = getEnv("SSL_SERVER_KEY", "") | ||
defaultMetricsPath = getEnv("TELEMETRY_PATH", "/metrics") | ||
defaultNginxPlus = getEnvBool("NGINX_PLUS", false) | ||
defaultScrapeURI = getEnv("SCRAPE_URI", "http://127.0.0.1:8080/stub_status") | ||
|
@@ -242,15 +220,6 @@ var ( | |
listenAddr = flag.String("web.listen-address", | ||
defaultListenAddress, | ||
"An address or unix domain socket path to listen on for web interface and telemetry. The default value can be overwritten by LISTEN_ADDRESS environment variable.") | ||
securedMetrics = flag.Bool("web.secured-metrics", | ||
defaultSecuredMetrics, | ||
"Expose metrics using https. The default value can be overwritten by SECURED_METRICS variable.") | ||
sslServerCert = flag.String("web.ssl-server-cert", | ||
defaultSslServerCert, | ||
"Path to the PEM encoded certificate for the nginx-exporter metrics server(when web.secured-metrics=true). The default value can be overwritten by SSL_SERVER_CERT variable.") | ||
sslServerKey = flag.String("web.ssl-server-key", | ||
defaultSslServerKey, | ||
"Path to the PEM encoded key for the nginx-exporter metrics server (when web.secured-metrics=true). The default value can be overwritten by SSL_SERVER_KEY variable.") | ||
metricsPath = flag.String("web.telemetry-path", | ||
defaultMetricsPath, | ||
"A path under which to expose metrics. The default value can be overwritten by TELEMETRY_PATH environment variable.") | ||
|
@@ -292,6 +261,9 @@ For NGINX, the stub_status page must be available through the URI. For NGINX Plu | |
constLabels = createConstLabelsFlag("prometheus.const-labels", | ||
defaultConstLabels, | ||
"A comma separated list of constant labels that will be used in every metric. Format is label1=value1,label2=value2... The default value can be overwritten by CONST_LABELS environment variable.") | ||
|
||
webcfgFile = flag.String("web.config", "", | ||
"Path to config yaml file that can enable TLS or authentication.") | ||
) | ||
|
||
func main() { | ||
|
@@ -427,26 +399,14 @@ func main() { | |
} | ||
}) | ||
|
||
listener, err := getListener(*listenAddr) | ||
if err != nil { | ||
log.Fatalf("Could not create listener: %v", err) | ||
} | ||
|
||
if *securedMetrics { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. related to the other comment we can keep this logic and check if a path to the config was provided and use There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. does it make sense if we are doing it like it's now done in the last node_exporter version? not long ago they added socket option directly in the exporter-toolkit. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @lucacome can you please take a look at my previous comment? thanks There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @lucian-vanghele sorry for the long wait, I've finally found some time to work on this. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Just realized I linked the wrong PR, it was #420 😅 |
||
_, err = os.Stat(*sslServerCert) | ||
if err != nil { | ||
log.Fatalf("Cert file is not set, not readable or non-existent. Make sure you set -web.ssl-server-cert when starting your exporter with -web.secured-metrics=true: %v", err) | ||
} | ||
_, err = os.Stat(*sslServerKey) | ||
if err != nil { | ||
log.Fatalf("Key file is not set, not readable or non-existent. Make sure you set -web.ssl-server-key when starting your exporter with -web.secured-metrics=true: %v", err) | ||
} | ||
log.Printf("NGINX Prometheus Exporter has successfully started using https") | ||
log.Fatal(srv.ServeTLS(listener, *sslServerCert, *sslServerKey)) | ||
promlogConfig := &promlog.Config{} | ||
logger := promlog.New(promlogConfig) | ||
server := &http.Server{Addr: *listenAddr} | ||
if err := web.ListenAndServe(server, *webcfgFile, logger); err != nil { | ||
log.Fatal(err) | ||
} | ||
|
||
log.Printf("NGINX Prometheus Exporter has successfully started") | ||
log.Fatal(srv.Serve(listener)) | ||
} | ||
|
||
type userAgentRoundTripper struct { | ||
|
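Review bot: Removing `defaultSecuredMetrics`, `defaultSslServerCert` and `defaultSslServerKey` means a deployment that enabled HTTPS only through the `SECURED_METRICS`, `SSL_SERVER_CERT` and `SSL_SERVER_KEY` environment variables will start without error after this change, and because `web.config` defaults to `""` the `web.ListenAndServe` call in `main` then exposes the metrics over plain HTTP. The removed command-line flags fail closed, since the standard `flag` package rejects an undefined flag at parse time, but the environment variables are simply no longer read, so the downgrade is silent. I would refuse to start in that case, for example `if getEnvBool("SECURED_METRICS", false) && *webcfgFile == "" { log.Fatal("SECURED_METRICS is no longer supported; enable TLS with -web.config") }` before the server is created, and mention the migration in the `web.config` help text. Separately, the new `&http.Server{Addr: *listenAddr}` sets neither `Handler` nor `ReadHeaderTimeout` in the visible lines; `main` begins outside the hunk, so confirm that the routes and timeouts configured on the existing `srv` still apply to the server that is actually served.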
We want to keep the option to use a unix socket. You can still use this logic in combination with the TLS config
see answer below