prometheus通过blackbox-exporter监控web站点证书
1 概述
线上站点普遍是https,因此监控https web站点的证书的过期时间,是一个基础性需求。例如,证书过期会导致tls握手失败,进而导致用户无法正常访问web站点。
blackbox-expoter是一个web服务,它暴露了一个接口,访问这个接口能使得它去访问目标站点,并向客户端响应相关的web站点指标信息。prometheus和black-expoter结合使用,可以监控https web站点的响应时间、证书过期时间等。
2 blackbox-expoter
2.1 指标接口
格式:
GET /probe?module=模块名&target=<网址>
例子:
GET /probe?module=http_get_2xx&target=https://www.baidu.com
2.2 部署
blackbox-exporter的配置中定义了多种模块,例如ping,http_get_2xx等,模块名称可以自行定义。
apiVersion: v1
kind: Namespace
metadata:name: monitoring---apiVersion: v1
kind: Service
metadata:name: blackbox-exporternamespace: monitoringlabels:k8s-app: blackbox-exporter
spec:type: ClusterIPports:- name: httpport: 9115targetPort: 9115selector:k8s-app: blackbox-exporter---apiVersion: apps/v1
kind: Deployment
metadata:name: blackbox-exporternamespace: monitoringlabels:k8s-app: blackbox-exporter
spec:replicas: 1selector:matchLabels:k8s-app: blackbox-exportertemplate:metadata:labels:k8s-app: blackbox-exporterspec:containers:- name: blackbox-exporterimage: prom/blackbox-exporter:latestargs:- --config.file=/etc/blackbox_exporter/blackbox.yml- --web.listen-address=:9115- --log.level=infoports:- name: httpcontainerPort: 9115resources:limits:cpu: 200mmemory: 256Mirequests:cpu: 100mmemory: 50MilivenessProbe:tcpSocket:port: 9115initialDelaySeconds: 5timeoutSeconds: 5periodSeconds: 10successThreshold: 1failureThreshold: 3readinessProbe:tcpSocket:port: 9115initialDelaySeconds: 5timeoutSeconds: 5periodSeconds: 10successThreshold: 1failureThreshold: 3volumeMounts:- name: configmountPath: /etc/blackbox_exportervolumes:- name: configconfigMap:name: blackbox-exporter---apiVersion: v1
kind: ConfigMap
metadata:name: blackbox-exporternamespace: monitoringlabels:app: blackbox-exporter
data:blackbox.yml: |-modules:## ----------- TCP 检测模块配置 -----------tcp_connect:prober: tcptimeout: 5s## ----------- ICMP 检测配置 -----------ping:prober: icmptimeout: 5sicmp:preferred_ip_protocol: "ip4"## ----------- HTTP GET 2xx 检测模块配置 -----------http_get_2xx: prober: httptimeout: 10shttp:method: GETpreferred_ip_protocol: "ip4"valid_http_versions: ["HTTP/1.1","HTTP/2"]valid_status_codes: [200] # 验证的HTTP状态码,默认为2xxno_follow_redirects: false # 是否不跟随重定向## ----------- HTTP GET 3xx 检测模块配置 -----------http_get_3xx: prober: httptimeout: 10shttp:method: GETpreferred_ip_protocol: "ip4"valid_http_versions: ["HTTP/1.1","HTTP/2"]valid_status_codes: [301,302,304,305,306,307] # 验证的HTTP状态码,默认为2xxno_follow_redirects: false # 是否不跟随重定向## ----------- HTTP POST 监测模块 -----------http_post_2xx: prober: httptimeout: 10shttp:method: POSTpreferred_ip_protocol: "ip4"valid_http_versions: ["HTTP/1.1", "HTTP/2"]#headers: # HTTP头设置# Content-Type: application/json#body: '{}' # 请求体设置
3 部署prometheus
apiVersion: v1
kind: Namespace
metadata:name: monitoring---
apiVersion: v1
kind: ServiceAccount
metadata:name: prometheus-appnamespace: monitoring---
apiVersion: apps/v1
kind: Deployment
metadata:labels:app: prometheus-appname: prometheus-appnamespace: monitoring
spec:replicas: 1selector:matchLabels:app: prometheus-apptemplate:metadata:labels:app: prometheus-appname: prometheus-appspec:containers:- args:- --config.file=/etc/prometheus/prometheus.yml- --storage.tsdb.retention=7d- --web.enable-lifecycle- --log.level=debugimage: prom/prometheus:v2.31.0imagePullPolicy: IfNotPresentname: prometheusports:- containerPort: 9090name: webprotocol: TCPvolumeMounts:- mountPath: /etc/prometheusname: config-volume- mountPath: /etc/prometheus/etc.dname: blackbox-web-targetdnsPolicy: ClusterFirstrestartPolicy: AlwaysserviceAccount: prometheus-appserviceAccountName: prometheus-appvolumes:- configMap:name: prometheus-appname: config-volume- configMap:name: blackbox-web-targetname: blackbox-web-target---apiVersion: v1
kind: Service
metadata:labels:app: prometheus-appname: prometheus-appname: prometheus-appnamespace: monitoring
spec:ports:- name: httpport: 9090protocol: TCPtargetPort: 9090selector:app: prometheus-appsessionAffinity: Nonetype: ClusterIP---apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:name: prometheus
rules:
- apiGroups:- ""resources:- nodes- nodes/proxy- services- endpoints- podsverbs:- get- list- watch
- apiGroups:- ""resources:- configmapsverbs:- get
- nonResourceURLs:- /metricsverbs:- get---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:annotations:name: prometheus
roleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: prometheus
subjects:
- kind: ServiceAccountname: prometheus-appnamespace: monitoring---
apiVersion: v1
data:prometheus.yml: |-global:scrape_interval: 15sscrape_configs:- job_name: blackboxmetrics_path: /probeparams:module: [http_get_2xx] # 会变成http的参数:module=http_get_2xxfile_sd_configs: - files: - '/etc/prometheus/etc.d/web.yml' # 被监控的目标站点是写在此文件refresh_interval: 30s # 30秒热更新一次,不必重启prometheusrelabel_configs:- source_labels: [__address__]target_label: __param_target # 会变成http的参数:target=目标url- source_labels: [__param_target]target_label: instance- target_label: __address__replacement: blackbox-exporter.monitoring.svc.cluster.local:9115
kind: ConfigMap
metadata:name: prometheus-appnamespace: monitoring---
apiVersion: v1
kind: ConfigMap
metadata:name: blackbox-web-targetnamespace: monitoringlabels:app: blackbox-exporter
data:web.yml: |----- targets:- https://www.baidu.com # 被监控的站点labels:env: prodapp: baidu-webproject: baidudesc: desc for baidu web- targets:- https://blog.csdn.net # 被监控的站点labels:env: prodapp: csdn-webproject: csdndesc: desc for csdn
4 promethues界面效果
指标probe_ssl_earliest_cert_expiry表示证书的过期时间的时间戳,那么以下公式表示多少秒后证书过期:
probe_ssl_earliest_cert_expiry - time()
5 小结
prometheus和blackbox-exporter一起协同监控web站点,blackbox-exporter作为一个中间层解耦prometheus和目标web站点,blackbox-exporter是真正去获取目标web站点证书并暴露metrics的服务,prometheus只需要抓取blackbox-exporter暴露的指标即可。