provide TLS feature using Prometheus community exporter-toolkit web #231

wants to merge 5 commits into from
18 changes: 12 additions & 6 deletions README.md
Expand Up @@ -93,16 +93,22 @@ Usage of ./nginx-prometheus-exporter:
An address or unix domain socket path to listen on for web interface and telemetry. The default value can be overwritten by LISTEN_ADDRESS environment variable. (default ":9113")
-web.telemetry-path string
A path under which to expose metrics. The default value can be overwritten by TELEMETRY_PATH environment variable. (default "/metrics")
-web.secured-metrics
Expose metrics using https. The default value can be overwritten by SECURED_METRICS variable. (default false)
-web.ssl-server-cert string
Path to the PEM encoded certificate for the nginx-exporter metrics server(when web.secured-metrics=true). The default value can be overwritten by SSL_SERVER_CERT variable.
-web.ssl-server-key string
Path to the PEM encoded key for the nginx-exporter metrics server (when web.secured-metrics=true). The default value can be overwritten by SSL_SERVER_KEY variable.
-web.config string
Path to config yaml file that can enable TLS or authentication.
-version
Display the NGINX exporter version. (default false)
```

## TLS and basic authentication

The nginx-prometheus Exporter supports TLS and basic authentication. This enables better
control of the various HTTP endpoints.

To use TLS and/or basic authentication, you need to pass a configuration file
using the `--web.config` parameter. The format of the file is described
[in the exporter-toolkit repository](https://github.com/prometheus/exporter-toolkit/blob/master/docs/web-configuration.md).


## Exported Metrics

### Common metrics:
60 changes: 10 additions & 50 deletions exporter.go
Expand Up @@ -24,6 +24,8 @@ import (
"github.com/prometheus/client_golang/prometheus"
"github.com/prometheus/client_golang/prometheus/promhttp"
"github.com/prometheus/common/model"
"github.com/prometheus/common/promlog"
"github.com/prometheus/exporter-toolkit/web"
)

func getEnv(key, defaultValue string) string {
Expand Down Expand Up @@ -196,36 +198,12 @@ func parseUnixSocketAddress(address string) (string, string, error) {
return unixSocketPath, requestPath, nil
}

func getListener(listenAddress string) (net.Listener, error) {
var listener net.Listener
var err error

if strings.HasPrefix(listenAddress, "unix:") {
We want to keep the option to use a unix socket. You can still use this logic in combination with the TLS config

see answer below

path, _, pathError := parseUnixSocketAddress(listenAddress)
if pathError != nil {
return listener, fmt.Errorf("parsing unix domain socket listen address %s failed: %w", listenAddress, pathError)
}
listener, err = net.ListenUnix("unix", &net.UnixAddr{Name: path, Net: "unix"})
} else {
listener, err = net.Listen("tcp", listenAddress)
}

if err != nil {
return listener, err
}
log.Printf("Listening on %s", listenAddress)
return listener, nil
}

var (
// Set during go build
version string

// Defaults values
defaultListenAddress = getEnv("LISTEN_ADDRESS", ":9113")
defaultSecuredMetrics = getEnvBool("SECURED_METRICS", false)
defaultSslServerCert = getEnv("SSL_SERVER_CERT", "")
defaultSslServerKey = getEnv("SSL_SERVER_KEY", "")
defaultMetricsPath = getEnv("TELEMETRY_PATH", "/metrics")
defaultNginxPlus = getEnvBool("NGINX_PLUS", false)
defaultScrapeURI = getEnv("SCRAPE_URI", "http://127.0.0.1:8080/stub_status")
Expand All @@ -242,15 +220,6 @@ var (
listenAddr = flag.String("web.listen-address",
defaultListenAddress,
"An address or unix domain socket path to listen on for web interface and telemetry. The default value can be overwritten by LISTEN_ADDRESS environment variable.")
securedMetrics = flag.Bool("web.secured-metrics",
defaultSecuredMetrics,
"Expose metrics using https. The default value can be overwritten by SECURED_METRICS variable.")
sslServerCert = flag.String("web.ssl-server-cert",
defaultSslServerCert,
"Path to the PEM encoded certificate for the nginx-exporter metrics server(when web.secured-metrics=true). The default value can be overwritten by SSL_SERVER_CERT variable.")
sslServerKey = flag.String("web.ssl-server-key",
defaultSslServerKey,
"Path to the PEM encoded key for the nginx-exporter metrics server (when web.secured-metrics=true). The default value can be overwritten by SSL_SERVER_KEY variable.")
metricsPath = flag.String("web.telemetry-path",
defaultMetricsPath,
"A path under which to expose metrics. The default value can be overwritten by TELEMETRY_PATH environment variable.")
Expand Down Expand Up @@ -292,6 +261,9 @@ For NGINX, the stub_status page must be available through the URI. For NGINX Plu
constLabels = createConstLabelsFlag("prometheus.const-labels",
defaultConstLabels,
"A comma separated list of constant labels that will be used in every metric. Format is label1=value1,label2=value2... The default value can be overwritten by CONST_LABELS environment variable.")

webcfgFile = flag.String("web.config", "",
"Path to config yaml file that can enable TLS or authentication.")
)

func main() {
Expand Down Expand Up @@ -427,26 +399,14 @@ func main() {
}
})

listener, err := getListener(*listenAddr)
if err != nil {
log.Fatalf("Could not create listener: %v", err)
}

if *securedMetrics {
Related to the other comment: we can keep this logic, check whether a path to the config was provided, and use web.ListenAndServe instead of srv.Serve, since the former doesn't support unix sockets.

@lucian-vanghele lucian-vanghele Oct 26, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

does it make sense if we are doing it like it's now done in the last node_exporter version? not long ago they added socket option directly in the exporter-toolkit.
not so easy it seems; this exporter is using flag while exporter-toolkit needs kingpin and migrating to this hits the custom implementations of Value.
can you maybe take a look into this?

@lucacome can you please take a look at my previous comment? thanks

@lucian-vanghele sorry for the long wait, I've finally found some time to work on this.
If you want to take a look at #240 🙂

Just realized I linked the wrong PR, it was #420 😅

_, err = os.Stat(*sslServerCert)
if err != nil {
log.Fatalf("Cert file is not set, not readable or non-existent. Make sure you set -web.ssl-server-cert when starting your exporter with -web.secured-metrics=true: %v", err)
}
_, err = os.Stat(*sslServerKey)
if err != nil {
log.Fatalf("Key file is not set, not readable or non-existent. Make sure you set -web.ssl-server-key when starting your exporter with -web.secured-metrics=true: %v", err)
}
log.Printf("NGINX Prometheus Exporter has successfully started using https")
log.Fatal(srv.ServeTLS(listener, *sslServerCert, *sslServerKey))
promlogConfig := &promlog.Config{}
logger := promlog.New(promlogConfig)
server := &http.Server{Addr: *listenAddr}
if err := web.ListenAndServe(server, *webcfgFile, logger); err != nil {
log.Fatal(err)
}

log.Printf("NGINX Prometheus Exporter has successfully started")
log.Fatal(srv.Serve(listener))
}

type userAgentRoundTripper struct {
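Review bot: The server built on the `server := &http.Server{Addr: *listenAddr}` line has no Handler and no timeouts, so `web.ListenAndServe` serves `http.DefaultServeMux`, and whatever handler, `ReadTimeout` or `WriteTimeout` the previously used `srv` was constructed with (its definition is above this hunk; I am inferring from the removed `srv.Serve(listener)` call) no longer applies to the listener. Reuse the already configured server instead: `srv.Addr = *listenAddr` followed by `if err := web.ListenAndServe(srv, *webcfgFile, logger); err != nil {`. The `log.Printf("NGINX Prometheus Exporter has successfully started")` that remains after the call is now only reached once the blocking `ListenAndServe` returns, so it should move before the call, ideally stating whether a web config file was supplied, e.g. `log.Printf("Listening on %s (web config: %q)", *listenAddr, *webcfgFile)`. main continues outside the hunk.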
16 changes: 16 additions & 0 deletions go.mod
Expand Up @@ -3,18 +3,34 @@ module github.com/nginxinc/nginx-prometheus-exporter
go 1.18

require (

github.com/nginxinc/nginx-plus-go-client v0.10.0
github.com/prometheus/client_golang v1.12.2
github.com/prometheus/common v0.37.0
github.com/prometheus/exporter-toolkit v0.7.0
)

require (
github.com/beorn7/perks v1.0.1 // indirect

github.com/cespare/xxhash/v2 v2.1.2 // indirect
github.com/golang/protobuf v1.5.2 // indirect
github.com/go-kit/log v0.1.0 // indirect
github.com/go-logfmt/logfmt v0.5.0 // indirect
github.com/jpillora/backoff v1.0.0 // indirect
github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/prometheus/client_model v0.2.0 // indirect
github.com/prometheus/procfs v0.7.3 // indirect
golang.org/x/sys v0.0.0-20220114195835-da31bd327af9 // indirect
google.golang.org/protobuf v1.26.0 // indirect
github.com/prometheus/exporter-toolkit v0.7.0
golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e // indirect
golang.org/x/net v0.0.0-20210525063256-abc453219eb5 // indirect
golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c // indirect
golang.org/x/text v0.3.6 // indirect
google.golang.org/appengine v1.6.6 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect

)