Configuring Prometheus to scrape an SSL-enabled etcd cluster

In this setup we configure the prometheus-community Helm chart (kube-prometheus-stack) to scrape metrics from an SSL-enabled etcd.

The etcd here was installed by Kubespray as part of the Kubernetes cluster, but you should be able to adapt the steps to your own setup.

Generating the SSL Client Keys

We need to generate a client certificate and key that Prometheus will present to etcd.

Kubespray installs the CA certificate and key as PEM files (ca.pem and ca-key.pem) in the /etc/ssl/etcd/ssl/ directory on each node.

SSH into the first etcd node and generate a new SSL client certificate there. The first node is the one that has the file /etc/ssl/etcd/openssl.conf; you can locate it with the command find / -name openssl.conf

Create the client request:

openssl req -config /etc/ssl/etcd/openssl.conf -new -nodes -keyout etcd-client-prometheus.key -out etcd-client-prometheus.csr -subj "/CN=etcd-client"

Signing the request

If you keep a CA directory for openssl ca (an openssl.cnf with a [ca] section, private/ca.key, certs/ca.crt and the index and serial files it needs, none of which Kubespray sets up), you can sign the request with it:

openssl ca -config openssl.cnf -extensions etcd_client -keyfile private/ca.key -cert certs/ca.crt -out etcd-client-prometheus.crt -infiles etcd-client-prometheus.csr

Otherwise sign it directly with the Kubespray CA key and certificate as in the next step; you only need one of the two.

Generate the cert

Sign the request with the Kubespray CA, applying the ssl_client extensions from the Kubespray openssl.conf so the certificate is valid for client authentication:

openssl x509 -req -in etcd-client-prometheus.csr -CAkey /etc/ssl/etcd/ssl/ca-key.pem -CA /etc/ssl/etcd/ssl/ca.pem -CAcreateserial -days 36500 -extensions ssl_client -out etcd-client-prometheus.crt -extfile /etc/ssl/etcd/openssl.conf

Note that 36500 days is a 100-year lifetime; if your policy requires shorter-lived credentials, pick a smaller -days value and plan to rotate the secret before it expires.

Test the cert

Verify the server with the Kubespray CA and present the new client certificate and key:

curl --cacert /etc/ssl/etcd/ssl/ca.pem --cert etcd-client-prometheus.crt --key etcd-client-prometheus.key https://10.8.0.2:2379/metrics

Replace 10.8.0.2 with the IP of your etcd server. A response containing Prometheus metrics text means etcd accepted the client certificate.
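Before loading the certificate into the Prometheus secret, it is worth checking that it chains to the Kubespray CA, that the ssl_client extensions (the clientAuth extended key usage) were actually applied, and that it is not close to expiry. The script below is an added example, not part of the original walkthrough: check_client_cert does those three checks, and make_fixture constructs a throwaway CA and openssl.conf in a temp directory (a stand-in for /etc/ssl/etcd/ssl/ca.pem, ca-key.pem and /etc/ssl/etcd/openssl.conf, with an [ssl_client] section modelled on Kubespray's) and runs the request and signing steps above against it, so it can be tried offline.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: checks a generated client
# cert the way you would before loading it into the Prometheus secret.
# With the real files from the steps above:
#   check_client_cert /etc/ssl/etcd/ssl/ca.pem etcd-client-prometheus.crt 30
set -e

# check_client_cert CA_PEM CLIENT_CRT MIN_DAYS: returns 0 only if the cert chains
# to CA_PEM, carries the clientAuth EKU and stays valid for MIN_DAYS more days.
check_client_cert() {
  ca=$1; crt=$2; min_days=$3
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "FAIL: $crt does not chain to $ca"; return 1; }
  openssl x509 -in "$crt" -noout -text | grep -q 'TLS Web Client Authentication' \
    || { echo "FAIL: $crt lacks the clientAuth extended key usage"; return 1; }
  openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null \
    || { echo "FAIL: $crt expires within $min_days days"; return 1; }
  echo "OK: $crt"
}

# make_fixture: constructed stand-in for Kubespray's ca.pem, ca-key.pem and
# openssl.conf in a temp dir; signs one client cert as in the steps above and
# one without the ssl_client extensions (which the check must reject).
make_fixture() {
  dir=$(mktemp -d)
  cat > "$dir/openssl.conf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ssl_client]
extendedKeyUsage = clientAuth, serverAuth
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
  openssl req -config "$dir/openssl.conf" -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 3650 -subj "/CN=etcd-ca" -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" 2>/dev/null
  openssl req -config "$dir/openssl.conf" -new -newkey rsa:2048 -nodes \
    -keyout "$dir/client.key" -out "$dir/client.csr" -subj "/CN=etcd-client" 2>/dev/null
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
    -days 365 -extensions ssl_client -extfile "$dir/openssl.conf" -out "$dir/client.crt" 2>/dev/null
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
    -days 365 -out "$dir/no-eku.crt" 2>/dev/null
  echo "$dir"
}
```

On a real node, run only check_client_cert against the files you generated; make_fixture exists so the check can be exercised without touching the cluster CA.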

Configuring Prometheus to use the certs

Copy /etc/ssl/etcd/ssl/ca.pem, the client certificate and the key to the machine where you run kubectl (the key is a private credential, so transfer it over a secure channel), then create a secret to hold the certs. It must be in the same namespace as the Prometheus pods, so add -n <namespace> if that is not your current namespace:

kubectl create secret generic etcd-client-cert --from-file=./ca.pem --from-file=./etcd-client-prometheus.crt --from-file=./etcd-client-prometheus.key

Configure the kube-prometheus-stack values so Prometheus mounts the secret and uses it for etcd monitoring. Keep insecureSkipVerify set to false so the etcd server certificate is checked against the CA; serverName must match a name in the etcd server certificate:

## Component scraping etcd
##
kubeEtcd:
  enabled: true
  ## If your etcd is not deployed as a pod, specify IPs it can be found on
  ##
  endpoints:
    - 10.8.0.1
    - 10.8.0.2
    - 10.8.0.3

  ## Etcd service. If using kubeEtcd.endpoints only the port and targetPort are used
  ##
  service:
    enabled: true
    port: 2379
    targetPort: 2379
    # selector:
    #   component: etcd
  serviceMonitor:
    scheme: https
    insecureSkipVerify: false
    serverName: etcd.kube-system.svc # this is per kubespray default install
    caFile: /etc/prometheus/secrets/etcd-client-cert/ca.pem
    certFile: /etc/prometheus/secrets/etcd-client-cert/etcd-client-prometheus.crt
    keyFile: /etc/prometheus/secrets/etcd-client-cert/etcd-client-prometheus.key
prometheus:
  prometheusSpec:
    secrets: ["etcd-client-cert"]

Apply the new values, for example with:

helm upgrade -f values.yml prometheus prometheus-community/kube-prometheus-stack

Check that the etcd targets show as UP on the Prometheus Targets page and that the etcd dashboard in Grafana is populated.