Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Expose /metrics an a separate port #8060

Closed
fabxc opened this issue Jun 8, 2017 · 11 comments
Closed

Expose /metrics an a separate port #8060

fabxc opened this issue Jun 8, 2017 · 11 comments
Assignees
Milestone

Comments

@fabxc
Copy link
Contributor

fabxc commented Jun 8, 2017

In many scenarios etcd nodes run on designated nodes that are very restrictive for outside traffic.

If we want to monitor etcd, we don't need access to any critical APIs but just /metrics. It's not generally feasible to run Prometheus on the same nodes as etcd though. Having etcd expose /metrics on a designated port that can be exposed relatively safely would solve those scenarios.

It could be an optional flag,that exposes an additonal /metrics endpoint on another address if set.

@xiang90 @brancz

@heyitsanthony
Copy link
Contributor

@fabxc would etcd get an allocation on https://github.com/prometheus/prometheus/wiki/Default-port-allocations or is that something different?

@brancz
Copy link
Contributor

brancz commented Jun 14, 2017

That would generally make sense @heyitsanthony. Next one up is usually marked. It is 9267 right now. This should of course be configurable if a user desires to bind it differently.

@fabxc
Copy link
Contributor Author

fabxc commented Jun 14, 2017 via email

@brancz
Copy link
Contributor

brancz commented Jun 14, 2017

FWIW certainly not all exporters and applications oblige to it, so etcd being a relatively prominent application I think it's valid to choose whatever we like best. The wiki page is also open and I don't think anyone monitors the changes much, so the reliability is questionable either way (I've brought this up before but it was decided to keep as guidance for now).

@xiang90
Copy link
Contributor

xiang90 commented Jun 19, 2017

@heyitsanthony

do you think this is a reasonable enhancement we could do in 3.3?

@gyuho
Copy link
Contributor

gyuho commented Jul 11, 2017

@xiang90 @heyitsanthony Do we want to move /metrics endpoints to a separate port, or duplicate the handler in the separate port?

@heyitsanthony
Copy link
Contributor

Duplicate the handler. There could be clients that have access to the internal port that expect /metrics to be available.

@brancz
Copy link
Contributor

brancz commented Jul 17, 2017

Awesome! Thanks for the collaboration everyone!

CyberDem0n pushed a commit to zalando-stups/stups-etcd-cluster that referenced this issue Mar 7, 2018
etcd v3.3 introduced a new flag to allow serving `/metrics` and `/health` under a different port than e.g. `/v2/keys`. This allows us to protect etcd's data via firewall rules but still let monitoring tools to access the monitoring information.

See feature request in etcd repo: etcd-io/etcd#8060.
The implementation landed in v3.3: etcd-io/etcd#8242

This PR instructs etcd to serve metrics and health under the additonal port `2381` *unconditionally* **when the used etcd binary is** `>=v3.3.x`. However, if not explicitely set in the `senza.yaml` this port won't be mapped to the outside and therefore isn't accessible. It doesn't expose more information than anything under `2379` already does.
@seh
Copy link
Contributor

seh commented Sep 7, 2018

Is it correct that even if one activates additional URLs with distinct ports for etcd serving metrics (per #8242), the server still demands the same authentication credentials as the other etcd ports (2379, 2380)? It is challenging to arrange for Prometheus to have the client key and certificate available to authenticate to etcd—as mentioned in kubernetes/kubernetes#53405.

Running a dedicated Prometheus server on each Kubernetes master machine would allow mounting the client key and certificate files from the host—permissions willing. An alternative is to place those files into a Secret object, though creating such a Secret poses challenges too.

@gyuho
Copy link
Contributor

gyuho commented Sep 7, 2018

server still demands the same authentication credentials as the other etcd ports

You can specify HTTP URL, bypassing TLS auth.

@seh
Copy link
Contributor

seh commented Sep 7, 2018

Thank you, @gyuho. I see that accommodation here in transport.wrapTLS.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

No branches or pull requests

6 participants