
TLS between Prometheus and node_exporter (prometheus nodejs)

xnh888 2024-09-28 03:05:39 Technical tutorials 270 ℃ 0 comments

For security reasons we sometimes need to enable TLS authentication between Prometheus and node_exporter, so that the scrape traffic is encrypted and each side proves its identity to the other with a certificate.


On the Prometheus server side

Create the Prometheus CA certificate and the node_exporter certificate signed by it

Set TARGET_IP to the node_exporter IP address, 192.168.0.107

# vi mutual-tls.sh

#!/bin/bash

set -ex

TARGET_IP="192.168.0.107"

# OpenSSL request config for the node_exporter (target) certificate; the IP SAN is
# required because Prometheus connects to the target by IP, not by host name.
echo '
# From http://apetec.com/support/GenerateSAN-CSR.htm
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = MN
localityName = Locality Name (eg, city)
localityName_default = Minneapolis
organizationalUnitName  = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Domain Control Validated
commonName = Internet Widgits Ltd
commonName_max  = 64
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth,serverAuth
subjectAltName = @alt_names
[alt_names]' > openssl-${TARGET_IP}.cnf

echo -en "IP.1 = ${TARGET_IP}\n" >> openssl-${TARGET_IP}.cnf


# create CA
openssl genrsa -out ca.key 4096
chmod 400 ca.key
openssl req -new -x509 -sha256 -days 3650 -key ca.key -out ca.crt -subj "/CN=prometheus-ca.example.com"
chmod 644 ca.crt

# Create target key
openssl genrsa -out target.key 2048
chmod 400 target.key
openssl req -new -key target.key -sha256 -out target.csr -config openssl-${TARGET_IP}.cnf -subj "/CN=prometheus-target.example.com"

# Sign the target certificate with the CA, copying the v3_req extensions (SAN, EKU) into it
openssl x509 -req -days 365 -sha256 -in target.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out target.crt -extensions v3_req -extfile openssl-${TARGET_IP}.cnf
chmod 444 target.crt

# Create client key for prometheus server
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr -subj "/CN=prometheus.example.com"
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 2 -out client.crt

mv ca.crt /etc/ssl/certs/prometheus-ca.crt
mv ca.key /etc/ssl/private/prometheus-ca.key
mv client.key /etc/prometheus/prometheus.key
chown prometheus:prometheus /etc/prometheus/prometheus.key
mv client.crt /etc/ssl/certs/prometheus.crt

# target.crt, target.key and /etc/ssl/certs/prometheus-ca.crt must be copied to the
# node_exporter host, where reverse-proxy-mutual-tls.sh expects them in its working directory.

echo 'Add the following lines to /etc/prometheus/prometheus.yml:'
echo "  - job_name: 'node_exporter_ssl'
    scrape_interval: 5s
    scheme: https
    tls_config:
      ca_file: /etc/ssl/certs/prometheus-ca.crt
      cert_file: /etc/ssl/certs/prometheus.crt
      key_file: /etc/prometheus/prometheus.key
    static_configs:
      - targets: ['${TARGET_IP}:443']"

Edit /etc/prometheus/prometheus.yml and add the scrape job

  - job_name: 'node_exporter_ssl'
    scrape_interval: 5s
    scheme: https
    tls_config:
      ca_file: /etc/ssl/certs/prometheus-ca.crt
      cert_file: /etc/ssl/certs/prometheus.crt
      key_file: /etc/prometheus/prometheus.key
    static_configs:
      - targets: ['192.168.0.107:443']

On the node_exporter side

Use the CA certificate and have nginx reverse-proxy localhost:9100, so that only clients presenting a certificate signed by that CA reach node_exporter

# vi reverse-proxy-mutual-tls.sh

#!/bin/bash

set -e

# run script as root or with sudo, from the directory holding the three files
# copied from the Prometheus host (target.crt, target.key, prometheus-ca.crt)
mv target.crt /etc/ssl/certs/target.crt
mv target.key /etc/ssl/private/target.key
mv prometheus-ca.crt /etc/ssl/certs/prometheus-ca.crt

HOST="localhost"
PORT="9100"

# install nginx and openssl
yum -y install nginx openssl

# TLS is enabled on the listen directive; the old "ssl on;" directive is deprecated
# and no longer accepted by current nginx releases.
echo 'server {
  listen 443 ssl;
  ssl_certificate /etc/ssl/certs/target.crt;
  ssl_certificate_key /etc/ssl/private/target.key;
  # only clients presenting a certificate signed by the Prometheus CA are accepted
  ssl_client_certificate /etc/ssl/certs/prometheus-ca.crt;
  ssl_verify_client on;
  location / {
    proxy_pass http://'${HOST}':'${PORT}'/;
  }
}' > /etc/nginx/conf.d/node-exporter.conf

systemctl enable nginx
systemctl restart nginx

# first address of this host (used only for the message below)
EXTERNAL_IP=$(hostname -I | awk '{print $1}')
echo "Reverse proxy with mutual tls enabled on https://${EXTERNAL_IP}"

Check the nginx endpoint at https://192.168.0.107/

If the page reports that an SSL client certificate is required, the nginx reverse proxy is configured correctly: a client without a certificate signed by the CA is rejected before it reaches node_exporter.


Restart Prometheus so that the new configuration takes effect

# systemctl restart prometheus

Check the Prometheus UI at http://192.168.0.107:9090/targets; the node_exporter_ssl target should show as UP

The TLS configuration between Prometheus and node_exporter is complete.
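A verification script for the setup above, added here as an example and not part of the original post. It checks that the target certificate chains to the CA and carries the IP SAN and serverAuth EKU that nginx and Prometheus need, that the client certificate chains to the same CA, and (live, against the proxy) that a scrape without a client certificate is refused while one with it returns metrics. The file names follow mutual-tls.sh; openssl and curl on the Prometheus host are assumed.

```shell
#!/bin/bash
# Added check for the mutual-TLS setup above (not part of the original post).
# Assumes the files produced by mutual-tls.sh: ca.crt, target.crt, client.crt, client.key.

# Returns 0 if CRT ($2) chains to CA ($1), carries IP SAN $3 and the serverAuth EKU.
check_target_cert() {
  ca="$1"; crt="$2"; ip="$3"
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || { echo "chain: not signed by $ca"; return 1; }
  text=$(openssl x509 -in "$crt" -noout -text) || return 1
  ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')   # dots must match literally
  printf '%s\n' "$text" | grep -Eq "IP Address:${ip_re}(,|$)" \
    || { echo "SAN: no IP ${ip} (Prometheus connects by IP, so a DNS SAN is not enough)"; return 1; }
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' \
    || { echo "EKU: serverAuth missing"; return 1; }
  return 0
}

# Returns 0 if CRT ($2) chains to CA ($1) and is acceptable as a TLS client certificate.
check_client_cert() {
  openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}

# Live check against the nginx proxy: a scrape without a client certificate must be
# refused (nginx completes the handshake, then answers HTTP 400), and one with the
# client certificate must return node_exporter metrics. Needs network access to the target.
check_mtls_scrape() {
  ip="$1"; ca="$2"; cert="$3"; key="$4"
  code=$(curl -s -o /dev/null -w '%{http_code}' --cacert "$ca" "https://${ip}/metrics")
  [ "$code" = "400" ] || { echo "scrape without client cert not rejected (HTTP $code)"; return 1; }
  curl -sf --cacert "$ca" --cert "$cert" --key "$key" "https://${ip}/metrics" | grep -q '^node_' \
    || { echo "scrape with client cert failed"; return 1; }
  return 0
}

# Usage on the Prometheus host, before the files are moved by mutual-tls.sh:
#   check_target_cert ca.crt target.crt 192.168.0.107 && check_client_cert ca.crt client.crt
# and after both scripts have run:
#   check_mtls_scrape 192.168.0.107 ca.crt client.crt client.key
```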
