Prometheus requirements
ECK
If you're using Prometheus, then you need to perform additional configuration to scrape the metrics endpoint using the configuration you set in Enabling the metrics endpoint and Securing the metrics endpoint.
Configure the RBAC settings for the Prometheus instance to access the metrics endpoint. These typically will be set automatically when using the Prometheus operator.
Your settings should look similar to the following:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: prometheus
rules:
- nonResourceURLs:
- /metrics
verbs:
- get
If you're using the Prometheus operator and your Prometheus instance is not in the same namespace as the ECK operator, then configure the Prometheus operator with the following Helm values. These values allow reading PodMonitor and ServiceMonitor across namespaces.
prometheus:
prometheusSpec:
podMonitorNamespaceSelector: {}
podMonitorSelectorNilUsesHelmValues: false
serviceMonitorNamespaceSelector: {}
serviceMonitorSelectorNilUsesHelmValues: false
If you are using a custom TLS certificate and you need to set insecureSkipVerify to false, then you need to do the following:
Create a Kubernetes secret within the Prometheus namespace that contains the Certificate Authority in PEM format.
The easiest way to create the CA secret within the Prometheus namespace is to use the
kubectl create secret genericcommand. For example:kubectl create secret generic eck-metrics-tls-ca -n monitoring --from-file=ca.crt=/path/to/ca.pemEnsure that the CA secret is mounted within the Prometheus Pod.
Steps will vary between Prometheus installations. If you're using the Prometheus operator, you can set the
spec.secretsfield of thePrometheuscustom resource to the name of the previously created Kubernetes Secret. See the ECK Helm chart values file for more information.