
Adding credentials to node-exporter



Add credentials to Node-Exporter


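Generate the hashed password

  • Generate the bcrypt hash with htpasswd
# The first argument is the user name (left empty here); htpasswd prompts for the password.
htpasswd -nBC 12 "" | tr -d ':\n'


  • If htpasswd is not available, a Python script can be used instead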
#!/usr/bin/python3
import getpass
import bcrypt

password = getpass.getpass("password: ")
hashed_password = bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt())
print(hashed_password.decode())
If Python reports that the bcrypt module is missing, install the python3-bcrypt package.

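Create the authentication ConfigMap
# The heredoc delimiter is quoted so the shell does not expand the $ signs in the bcrypt hash.
cat <<'EOF' | kubectl -n monitoring apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
  name: node-exporter-auth
data:
  config.yml: |-
    basic_auth_users:
      # plaintext password: Prometheus#8848
      prometheus: $2b$12$2Q0gbz9ImypKSnG5oZbkGemhVobks7fT1iG2IPFlseWsnBO5v7F8q
EOF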


Update the kube-prometheus-node-exporter DaemonSet so that it uses the authentication config

kubectl -n monitoring edit ds kube-prometheus-node-exporter


Make the following changes:

      containers:
      - args:
        - --web.config.file=/etc/node_exporter/config.yml
        
        volumeMounts:
        - mountPath: /etc/node_exporter
          name: node-exporter-config
          
      volumes:
      - configMap:
          defaultMode: 420
          name: node-exporter-auth
        name: node-exporter-config


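Because the endpoint now requires credentials, the probe configuration must send an Authorization header; otherwise the probes fail.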

        livenessProbe:
          failureThreshold: 6
          httpGet:
            ### added content begins ###
            httpHeaders:
            - name: Authorization
              value: Basic cHJvbWV0aGV1czpQcm9tZXRoZXVzIzg4NDg=
            ### added content ends ###
            path: /
            port: metrics
            scheme: HTTP
          initialDelaySeconds: 120
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 5
        readinessProbe:
          failureThreshold: 6
          httpGet:
            ### added content begins ###
            httpHeaders:
            - name: Authorization
              value: Basic cHJvbWV0aGV1czpQcm9tZXRoZXVzIzg4NDg=
            ### added content ends ###
            path: /
            port: metrics
            scheme: HTTP
          initialDelaySeconds: 30
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 5



Test with the following commands:

$ curl --user 'prometheus:Prometheus#8848' 'http://<node-IP>:9100/metrics'


$ curl -H "Authorization: Basic cHJvbWV0aGV1czpQcm9tZXRoZXVzIzg4NDg=" http://localhost:9100/metrics


Associate the credentials with the ServiceMonitor


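Create the following Secret, which holds the credentials Prometheus uses to access the node-exporter service

cat <<'EOF' | kubectl -n monitoring apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: node-exporter-metrics-auth
stringData:
  # Must match the user and plaintext password configured in basic_auth_users
  username: prometheus
  password: Prometheus#8848
type: Opaque
EOF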


Edit the ServiceMonitor named kube-prometheus-node-exporter

kubectl -n monitoring edit ServiceMonitor kube-prometheus-node-exporter


Add the following:

apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: kube-prometheus-node-exporter
  namespace: monitoring
spec:
  endpoints:
  - port: metrics
    # added below: basicAuth belongs to the same endpoint entry as the port
    basicAuth:
      username:
        key: username
        name: node-exporter-metrics-auth
      password:
        key: password
        name: node-exporter-metrics-auth
...<several lines omitted>...
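
The same account appears in three places above: the basic_auth_users key, the probes' Authorization header, and the Secret read by the ServiceMonitor. The following added example (not part of the original post) decodes the probe header, which is only base64 and so readable by anyone who can view the DaemonSet spec, and cross-checks the three; the function names and the two sample Secret dicts are constructed for illustration.

```python
import base64

def basic_header(user, password):
    """Build the Authorization value a probe or HTTP client sends."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def parse_basic_header(value):
    """Decode an Authorization value back into (user, password)."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")  # the first ':' ends the user name
    if not sep:
        raise ValueError("no ':' between user name and password")
    return user, password

def check_credentials(web_users, probe_header, secret):
    """List mismatches between exporter users, probe header and scrape Secret."""
    try:
        probe_user, probe_password = parse_basic_header(probe_header)
    except ValueError as exc:  # also covers bad base64 and bad UTF-8
        return [f"probe header invalid: {exc}"]
    problems = []
    # Field values are not echoed: a swapped field may contain the password.
    if probe_user not in web_users:
        problems.append("probe user is not a key of basic_auth_users")
    if secret["username"] not in web_users:
        problems.append("Secret username is not a key of basic_auth_users")
    elif secret["username"] == probe_user and secret["password"] != probe_password:
        problems.append("Secret and probe header disagree on the password")
    return problems

# Header and account from this page; the Secret dicts are constructed samples.
WEB_USERS = {"prometheus"}  # keys under basic_auth_users in config.yml
PROBE_HEADER = "Basic cHJvbWV0aGV1czpQcm9tZXRoZXVzIzg4NDg="
GOOD_SECRET = {"username": "prometheus", "password": "Prometheus#8848"}
SWAPPED_SECRET = {"username": "Prometheus#8848", "password": "prometheus"}

if __name__ == "__main__":
    print("probe user:", parse_basic_header(PROBE_HEADER)[0])
    for name, secret in (("good", GOOD_SECRET), ("swapped", SWAPPED_SECRET)):
        print(name, check_credentials(WEB_USERS, PROBE_HEADER, secret) or "consistent")
```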
