Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OS: 2.10.0
Describe the issue:
Hi All,
I have deployed OpenSearch using the Helm chart. Now I am trying to scrape the OpenSearch JVM metrics from the pod, and installed the prometheus-exporter plugin with the config below.
```yaml
plugins:
  enabled: true
  installList:
    - https://artifacts.opensearch.org/releases/plugins/repository-gcs/2.10.0/repository-gcs-2.10.0.zip
    - https://github.com/aiven/prometheus-exporter-plugin-for-opensearch/releases/download/2.10.0.0/prometheus-exporter-2.10.0.0.zip
```
When I curl the API I am getting the response:
```bash
curl -u $USER:$PASSWORD https://opensearch.myorg.net/_prometheus/metrics
```
Then when I check at the Prometheus end I don't get any metrics; later I found that Prometheus is not able to scrape because TLS is enabled.
Then I tried the steps below, but still I am not getting the metrics.
(Quoted GitHub issue, opened 04:08PM - 02 Jun 22 UTC, labelled "documentation")
## background
this is the third attempt in the third repo to get an answer to https://github.com/vvanholl/elasticsearch-prometheus-exporter/issues/324 and https://github.com/aparo/opensearch-prometheus-exporter/issues/4 🙂
there are various security plugins available for OpenSearch (OpenSearch Security and SearchGuard with their upcoming release) and OpenSearch Security is included and enabled by default in the normal distribution.
is there any documentation on how to use opensearch-prometheus-exporter in combination with them?
## problems
i see two aspects to this:
* this plugin does REST calls to elasticsearch, so if security is enabled there it needs to be able to
  * provide authentication
  * validate & accept the TLS cert (it might well be a self-signed CA at the top which isn't accepted by the prometheus scrapper!)
* since the prometheus plugin exposes a new path on the existing 9200 port instead of opening a dedicated port it is behind HTTPS (if this is enabled in the security plugin) and behind authentication. but when using prometheus in a kubernetes environment with automatic scrapping there's no good way to configure the scraper to accept self-signed CAs or provide authentication
## our workaround (solution?)
this is how we got it to work:
there's a role for prometheus (both to access the prometheus metrics as well as for the prometheus plugin itself to access the internal metrics; mixed here because as you can see in the role mapping below it's anyway using the same mechanism):
```yaml
read_prometheus:
  cluster_permissions:
    - "cluster:monitor/prometheus/metrics" # allow access to the prometheus plugin (the prometheus metrics collector doesn't send authentication information)
    # allow the plugin to access the required metrics (the plugin also doesn't send authentication information)
    - "cluster:monitor/health"
    - "cluster:monitor/state"
    - "cluster:monitor/nodes/info"
    - "cluster:monitor/nodes/stats"
  index_permissions:
    - index_patterns:
        - "*"
      allowed_actions:
        - "indices:monitor/stats"
```
this is then mapped for all anonymous users in a role mapping (which IMHO is bad practice as it requires enabling anonymous auth in the first place):
```yaml
read_prometheus:
  backend_roles:
    - opendistro_security_anonymous_backendrole
```
this of course requires `config.dynamic.http.anonymous_auth_enabled: true` to be set in the security config.
note: this is currently undocumented in OpenSearch, i've raised the corresponding docs ticket: https://github.com/opensearch-project/documentation-website/issues/627
if the prometheus scrapper doesn't know the CA used for the TLS certificates on the http port then you might also have to disable TLS on OpenSearch (or re-configure the prometheus scrapper).
with this in place it's then possible for prometheus to scrap the metrics.
## alternatives
it would also be possible to set up basic authentication on OpenSearch with a dedicated user for prometheus and then let the prometheus scrapper use this user to read the data. however, this also isn't particularly secure (e.g. when using the k8s annotations for prometheus and having to define the username/password there...) and requires having basic auth enabled in the first place (which isn't what we want given that we have no other usage for it and adding a new auth realm for one single use-case opens a whole new can of worms).
## required solution
### preferred solution
* no config is needed for the plugin to be able to access the metrics, it handles this internally (at least for OpenSearch Security as it should IMHO have first-party integration with that)
* no config is needed for the plugin to be accessible from the outside (to avoid both the authentication issues and the certificate issues you could potentially spin up your own HTTP(-only) server rather than relying on the OpenSearch mechanism to provide the endpoint)
### minimal solution
* the best practices for the (manual) security setup are documented
Below are my configs.
Configuration:
Role:
```yaml
# prometheus role to scrape metrics.
prometheus:
  cluster_permissions:
    - "cluster:monitor/prometheus/metrics"
    - "cluster:monitor/health"
    - "cluster:monitor/state"
    - "cluster:monitor/nodes/info"
    - "cluster:monitor/nodes/stats"
  index_permissions:
    - index_patterns:
        - "*"
      allowed_actions:
        - "indices:monitor/stats"
```
Role mapping:
```yaml
prometheus:
  reserved: false
  users:
    - "*"
```
ServiceMonitor:
```yaml
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: opensearch-metrics
  namespace: logquery
spec:
  endpoints:
    - path: /_prometheus/metrics
      port: http
      scheme: https
      tlsConfig:
        insecureSkipVerify: true
        # Used for authentication
        ca:
          secret:
            name: tls-for-opensearch
            key: tls.crt
        cert:
          secret:
            name: tls-for-opensearch
            key: tls.crt
        keySecret:
          name: tls-for-opensearch
          key: tls.key
  selector:
    matchLabels:
      app.kubernetes.io/name: opensearch
```
Pod annotation (the values must use straight double quotes; curly quotes make them literal strings containing the quote characters):
```yaml
podAnnotations:
  prometheus.io/scrape: "true"
  prometheus.io/path: "/_prometheus/metrics"
  prometheus.io/port: "9200"
```
Can anyone help here?
Thanks in advance.
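As an added example (not from the original post or the Aiven plugin project), the dedicated-user alternative mentioned in the quoted issue, applied to the configs above: the role is mapped to one internal user instead of `users: "*"` (which grants the scrape permissions to every authenticated user), and the ServiceMonitor authenticates with that user and verifies the node certificate against its CA instead of `insecureSkipVerify: true`. The user name `prometheus`, the Secrets `opensearch-prometheus-creds` (keys `username`/`password`) and `opensearch-ca` (key `ca.crt`, both in the `logquery` namespace), and the `serverName` value are assumptions.

```yaml
# internal_users.yml: a dedicated scrape-only user (assumed name: prometheus).
# Generate the bcrypt hash with plugins/opensearch-security/tools/hash.sh; placeholder below.
prometheus:
  hash: "REPLACE_WITH_BCRYPT_HASH_FROM_hash.sh"
  reserved: false
  backend_roles: []
---
# roles_mapping.yml: map the prometheus role from the post to that single user,
# instead of to every authenticated user ("*").
prometheus:
  reserved: false
  users:
    - "prometheus"
---
# ServiceMonitor: basic auth from a Secret in the same namespace, and the node
# certificate verified against the CA that signed it (assumed Secret opensearch-ca).
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: opensearch-metrics
  namespace: logquery
spec:
  endpoints:
    - path: /_prometheus/metrics
      port: http
      scheme: https
      basicAuth:
        username:
          name: opensearch-prometheus-creds
          key: username
        password:
          name: opensearch-prometheus-creds
          key: password
      tlsConfig:
        ca:
          secret:
            name: opensearch-ca
            key: ca.crt
        # must match a SAN in the node's HTTP certificate (assumed value)
        serverName: opensearch.myorg.net
  selector:
    matchLabels:
      app.kubernetes.io/name: opensearch
```

After applying the security config (securityadmin or the REST API), a quick check is `curl --cacert ca.crt -u prometheus https://opensearch.myorg.net/_prometheus/metrics`, which should succeed without `-k`.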
Hi,
thanks for the question. I will need to write a proper tutorial on this. Give me some time (as this includes not only OpenSearch configuration but also Prometheus and K8s configurations).
I opened a new ticket for it: [[Tutorial] Write complete tutorial on how to setup OpenSearch with the plugin in K8s and Prometheus scraping it (Issue #240, Aiven-Open/prometheus-exporter-plugin-for-opensearch)](https://github.com/Aiven-Open/prometheus-exporter-plugin-for-opensearch/issues/240)
Regards,
Lukáš