# Configuring prometheus to scrap SSL etcd cluster

In this setup we will configure the prometheus community helm chart to scrap metrics from a SSL enabled etcd.

The etcd was installed through kupespray kubernetes cluster, but you should be able to adapt to your case.

Generating the SSL Client Keys
==============================

We will need to generate client certificate keys to connect to etcd.

Kubespray install the CA pem in **/etc/ssl/etcd/ssl/** directory on each node

SSH into the first etcd node and generate a new ssl client certificate. The first node is the one with the file **/etc/ssl/etcd/openssl.conf**, you can find the file with the command `find / -name openssl.conf`

  

Create the client request:

```
openssl req -config /etc/ssl/etcd/openssl.conf -new -nodes   -keyout etcd-client-prometheus.key -out etcd-client-prometheus.csr -subj "/CN=etcd-client"
```

Signing the request

```
openssl ca -config openssl.cnf -extensions etcd_client -keyfile private/ca.key -cert certs/ca.crt -out certs/etcd-client.crt -infiles etcd-client.csr
```

Generate the certs

```
openssl x509 -req -in etcd-client-prometheus.csr -CAkey /etc/ssl/etcd/ssl/ca-key.pem -CA /etc/ssl/etcd/ssl/ca.pem -CAcreateserial -days 36500 -extensions ssl_client -out etcd-client-prometheus.crt -extfile /etc/ssl/etcd/openssl.conf
```

Test cert

```
curl --cert etcd-client-prometheus.crt --key etcd-client-prometheus.key https://10.8.0.2:2379/metrics
```

Change the ip for your server ip

Configuring Prometheus to user the certs
========================================

  

Create a secret to old the certs (must be in same namespace as prometheus pods)

```
kubectl create secret generic etcd-client-cert --from-file=./ca.pem --from-file=./etcd-client-prometheus.crt --from-file=./etcd-client-prometheus.key
```

  

Configure Prometheus community to read the secret and to use it in etcd monitoring:

  

```yaml
## Component scraping etcd
##
kubeEtcd:
  enabled: true
  ## If your etcd is not deployed as a pod, specify IPs it can be found on
  ##
  endpoints:
    - 10.8.0.1
    - 10.8.0.2
    - 10.8.0.3

  ## Etcd service. If using kubeEtcd.endpoints only the port and targetPort are used
  ##
  service:
    enabled: true
    port: 2379
    targetPort: 2379
    # selector:
    #   component: etcd
  serviceMonitor:
    scheme: https
    insecureSkipVerify: false
    serverName: etcd.kube-system.svc # this is per kubespray default install
    caFile: /etc/prometheus/secrets/etcd-client-cert/ca.pem
    certFile: /etc/prometheus/secrets/etcd-client-cert/etcd-client-prometheus.crt
    keyFile: /etc/prometheus/secrets/etcd-client-cert/etcd-client-prometheus.key
prometheus:
  prometheusSpec:
    secrets: ["etcd-client-cert"]
```

Apply the new values, for example with the command:

```
helm upgrade -f values.yml prometheus prometheus-community/kube-prometheus-stack
```

Check your targets in prometheus and your etcd dashboard in grafana.
