How to configure CA or mTLS in remoteWrite configuration of Prometheus for Thanos.


Task

Modify the existing "Monitoring" App to add CA and client certificates to its remote write configuration, which federates Prometheus data to Thanos.

Pre-requisites

  • Rancher v2.5.x
  • Existing Monitoring App.
  • Root CA and client certificate files for connecting to the Thanos receiver.

Resolution

Create a secret to store the certificates and key.

kubectl create secret generic client-certs --from-file=ca.crt --from-file=tls.crt --from-file=tls.key -n cattle-monitoring-system 

ca.crt -> Root CA used to trust the Thanos receiver.

tls.crt -> Client certificate.

tls.key -> Client key.

Note: You may exclude tls.crt & tls.key if mTLS is not needed.

Follow the steps below to configure the parameters that enable CA and/or mTLS in the "Monitoring" chart.

From Cluster explorer, navigate to Apps & Marketplace -> Click Charts -> Select Monitoring -> Click Chart Options -> Click Edit as YAML.

Modify the values YAML as below.

prometheus:
...
...
  prometheusSpec:
...
...
    remoteWrite:
      - tlsConfig:
          caFile: /etc/prometheus/secrets/client-certs/ca.crt
          certFile: /etc/prometheus/secrets/client-certs/tls.crt
          insecureSkipVerify: false
          keyFile: /etc/prometheus/secrets/client-certs/tls.key
        url: 'https://<THANOS_FQDN>:<PORT>/api/v1/receive'
...
...
    secrets:
      - client-certs

Once modified, click on "Upgrade."

Note: You may exclude the certFile & keyFile lines if mTLS is not needed.
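
The files for the client-certs secret can be checked locally before the secret is created, so that an expired certificate or a tls.key that does not belong to tls.crt is caught before the chart is upgraded. The script below is an added example, not part of the original article; it assumes the openssl CLI is installed and that ca.crt, tls.crt and tls.key sit in one directory, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): pre-flight check of the files that go
# into the client-certs secret. Function names are hypothetical.

# Succeeds if the PEM certificate in $1 parses and has not expired.
cert_is_current() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Succeeds if the private key in $2 belongs to the certificate in $1,
# decided by comparing the public key derived from each file.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    # -passin pass: makes an encrypted key fail instead of prompting
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# $1 = directory holding ca.crt and, for mTLS, tls.crt and tls.key.
check_client_certs() {
    dir=$1
    if ! cert_is_current "$dir/ca.crt"; then
        echo "ca.crt: missing, unreadable or expired" >&2
        return 1
    fi
    # CA-only setup: both client files left out, as the notes allow.
    if [ ! -e "$dir/tls.crt" ] && [ ! -e "$dir/tls.key" ]; then
        echo "ok: CA only (no mTLS)"
        return 0
    fi
    if [ ! -f "$dir/tls.crt" ] || [ ! -f "$dir/tls.key" ]; then
        echo "mTLS needs both tls.crt and tls.key" >&2
        return 1
    fi
    if ! cert_is_current "$dir/tls.crt"; then
        echo "tls.crt: unreadable or expired" >&2
        return 1
    fi
    if ! key_matches_cert "$dir/tls.crt" "$dir/tls.key"; then
        echo "tls.key does not belong to tls.crt" >&2
        return 1
    fi
    echo "ok: CA and client key pair (mTLS)"
}

# Usage: check_client_certs /path/to/certs   (run before kubectl create secret)
```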
