一、prometheus
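# Create a self-signed certificate and store it as a Kubernetes TLS secret.
# A self-signed certificate is not trusted by default: clients must be given
# prome.crt as a trust anchor, otherwise verification fails.
openssl genrsa -out prome.key 2048
# -days: without it, `openssl req -x509` issues a certificate valid for 30 days.
#        365 is an example value; align it with your rotation policy.
# -addext subjectAltName (OpenSSL 1.1.1+): many current TLS clients match the
#        host name against the SAN only and ignore the CN.
openssl req -new -x509 -key prome.key -out prome.crt -days 365 \
  -subj /C=CN/ST=Beijing/L=Beijing/O=DevOps/CN=prome.test.com \
  -addext "subjectAltName=DNS:prome.test.com"
# Namespace names must be lowercase; the rest of this page uses `prometheus`.
kubectl create secret tls prome-tls-secret --cert=prome.crt --key=prome.key -n prometheus
kubectl get secrets -A | grep prome-tls-secret
# prome.key is an unencrypted private key: restrict or remove the local copy
# once the secret exists.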
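# Edit values.yaml of kube-prometheus-stack.
# Location in the file: prometheus.prometheusSpec.web
# The referenced Secret must live in the same namespace as the Prometheus
# object. Once TLS is on, everything that scrapes or queries Prometheus over
# plain HTTP (self-scrape, Grafana data source, ...) has to switch to HTTPS.
prometheus:
  prometheusSpec:
    web:
      tlsConfig:
        # Private key, read from the TLS secret.
        keySecret:
          key: tls.key
          name: prome-tls-secret
        # Server certificate, read from the same secret.
        cert:
          secret:
            key: tls.crt
            name: prome-tls-secret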
二、alertmanager
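# Create a self-signed certificate and store it as a Kubernetes TLS secret.
# A self-signed certificate is not trusted by default: clients must be given
# alert.crt as a trust anchor, otherwise verification fails.
openssl genrsa -out alert.key 2048
# -days: without it, `openssl req -x509` issues a certificate valid for 30 days.
#        365 is an example value; align it with your rotation policy.
# -addext subjectAltName (OpenSSL 1.1.1+): many current TLS clients match the
#        host name against the SAN only and ignore the CN.
openssl req -new -x509 -key alert.key -out alert.crt -days 365 \
  -subj /C=CN/ST=Beijing/L=Beijing/O=DevOps/CN=alert.test.com \
  -addext "subjectAltName=DNS:alert.test.com"
# Namespace names must be lowercase; the rest of this page uses `prometheus`.
kubectl create secret tls alert-tls-secret --cert=alert.crt --key=alert.key -n prometheus
kubectl get secrets -A | grep alert-tls-secret
# alert.key is an unencrypted private key: restrict or remove the local copy
# once the secret exists.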
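# Edit values.yaml of kube-prometheus-stack.
# Location in the file: alertmanager.alertmanagerSpec.web
# (the top-level key is `alertmanager`, not `alertmanage`).
# The referenced Secret must live in the same namespace as the Alertmanager
# object. Once TLS is on, Prometheus and any other client that reaches
# Alertmanager over plain HTTP has to switch to HTTPS.
alertmanager:
  alertmanagerSpec:
    web:
      tlsConfig:
        # Private key, read from the TLS secret.
        keySecret:
          key: tls.key
          name: alert-tls-secret
        # Server certificate, read from the same secret.
        cert:
          secret:
            key: tls.crt
            name: alert-tls-secret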
# With values.yaml updated, install kube-prometheus-stack from the chart in
# the current directory as release `prometheus` in namespace `prometheus`.
helm install prometheus . --namespace prometheus
三、grafana
修改grafana的cm配置
# Locate the Grafana ConfigMap, then open it for editing.
# NOTE(review): if this ConfigMap is rendered by the Helm release, a later
# `helm upgrade` may overwrite a manual edit. Confirm, or keep the settings
# in values.yaml instead.
kubectl get configmap --all-namespaces | grep grafana
kubectl edit configmap --namespace prometheus prometheus-grafana
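data:
  # Add the [server] settings below to grafana.ini; keep any existing
  # sections. The lines must be indented under the block scalar, otherwise
  # they are not part of the grafana.ini value.
  grafana.ini: |
    [server]
    protocol = https
    cert_file = /etc/grafana/ssl/tls.crt
    cert_key = /etc/grafana/ssl/tls.key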
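# Create a self-signed certificate and store it as a Kubernetes TLS secret.
# A self-signed certificate is not trusted by default: browsers will warn
# until grafana.crt is added as a trust anchor.
openssl genrsa -out grafana.key 2048
# -days: without it, `openssl req -x509` issues a certificate valid for 30 days.
#        365 is an example value; align it with your rotation policy.
# -addext subjectAltName (OpenSSL 1.1.1+): current browsers match the host
#        name against the SAN only and ignore the CN.
openssl req -new -x509 -key grafana.key -out grafana.crt -days 365 \
  -subj /C=CN/ST=Beijing/L=Beijing/O=DevOps/CN=grafana.test.com \
  -addext "subjectAltName=DNS:grafana.test.com"
kubectl create secret tls grafana-tls-secret --cert=grafana.crt --key=grafana.key -n prometheus
kubectl get secrets -A | grep grafana-tls-secret
# grafana.key is an unencrypted private key: restrict or remove the local
# copy once the secret exists.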
# Mount the certificate into the Grafana container: find the Grafana
# StatefulSet, then open it for editing.
kubectl get statefulset --all-namespaces | grep grafana
kubectl edit statefulset --namespace prometheus prometheus-grafana
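# Fragments to merge into the StatefulSet; each one names where it belongs.

# Under the Grafana container (spec.template.spec.containers[]):
# add the certificate mount path to volumeMounts.
volumeMounts:
  - mountPath: /etc/grafana/ssl
    name: tls

# Under the pod spec (spec.template.spec): add the secret to volumes.
volumes:
  - name: tls
    secret:
      # 420 decimal is 0644 octal, so tls.key is readable by every user in
      # the container.
      # NOTE(review): consider a tighter mode if Grafana's runtime user or
      # fsGroup still allows it to read the key. Confirm before changing.
      defaultMode: 420
      secretName: grafana-tls-secret

# Under the Grafana container: switch the liveness probe to HTTPS.
# The kubelet does not verify the certificate on HTTPS probes, so a
# self-signed certificate does not break them.
livenessProbe:
  failureThreshold: 10
  httpGet:
    path: /api/health
    port: 3000
    scheme: HTTPS

# Under the Grafana container: switch the readiness probe to HTTPS.
readinessProbe:
  failureThreshold: 3
  httpGet:
    path: /api/health
    port: 3000
    scheme: HTTPS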
修改完成后保存退出,重启容器, 到浏览器使用https://ip:port访问验证