Support scraping of gitlab-exporter and rails metrics by Prometheus over TLS

What does this MR do?

Support scraping of gitlab-exporter and rails metrics by Prometheus over TLS.

Also disables Puma's HTTP listener if SSL is turned on (we couldn't do that before because Prometheus was hardcoded to listen to the HTTP listener).

Closes: #6811 (closed)

Testing

Follow the steps:

  1. Create a self-signed certificate/key with localhost as common name at /etc/gitlab/ssl/gitlab-exporter{.crt,.key}.
    1. If you changed gitlab-exporter's listen_address to foobar, then the certificate's CN should be foobar.
    2. If not, you can also instruct Prometheus to use a specific string as server name in the certificate verification using the gitlab_exporter['prometheus_scrape_tls_server_name'] = <your string> setting.
  2. Make GitLab trust the certificate chain by following https://docs.gitlab.com/omnibus/settings/ssl.html#other-certificate-authorities. Note that each certificate in the chain must be in individual files inside /etc/gitlab/trusted-certs.
  3. Edit /etc/gitlab/gitlab.rb and add the following:
    # GitLab Exporter
    gitlab_exporter['tls_enabled'] = true
    gitlab_exporter['tls_cert_path'] = '/etc/gitlab/ssl/server.crt'
    gitlab_exporter['tls_key_path'] = '/etc/gitlab/ssl/server.key'
    
    # Puma
    puma['ssl_listen'] = '127.0.0.1'
    puma['ssl_port'] = 9111
    puma['ssl_certificate'] = '/etc/gitlab/ssl/server.crt'
    puma['ssl_certificate_key'] = '/etc/gitlab/ssl/server.key'
  4. Run reconfigure and confirm that Prometheus can scrape GitLab Exporter and Rails metrics without any issues.

Related issues

#6811 (closed)

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion.

Required

  • Merge Request Title, and Description are up to date, accurate, and descriptive
  • MR targeting the appropriate branch
  • MR has a green pipeline on GitLab.com
  • Pipeline is green on dev.gitlab.org if the change is touching anything besides documentation or internal cookbooks
  • trigger-package has a green pipeline running against latest commit

Expected (please provide an explanation if not completing)

  • Test plan indicating conditions for success has been posted and passes
  • Documentation created/updated
  • Tests added
  • Integration tests added to GitLab QA
  • Equivalent MR/issue for the GitLab Chart opened
Edited by Balasankar 'Balu' C
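
The certificate step of the testing procedure above, as an added example that is not part of the merge request: it generates the self-signed pair with `openssl` and checks it before it is copied into place. The function names and the scratch directory are assumptions; the name is written to both CN and subjectAltName because current Go TLS clients such as Prometheus match the server name against SAN entries rather than the CN.

```shell
#!/bin/sh
# Added example; helper names are hypothetical. Requires OpenSSL 1.1.1 or newer.

# make_scrape_cert DIR NAME
# Writes DIR/gitlab-exporter.key and DIR/gitlab-exporter.crt, self-signed,
# with NAME as both the CN and a DNS subjectAltName entry.
make_scrape_cert() {
    (
        umask 077    # keep the private key unreadable to other users
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -subj "/CN=$2" \
            -addext "subjectAltName=DNS:$2" \
            -keyout "$1/gitlab-exporter.key" \
            -out "$1/gitlab-exporter.crt" 2>/dev/null
    )
}

# san_has_name CERT NAME
# Succeeds only if NAME is listed as a DNS entry in the certificate's SAN.
# NAME is the exporter's listen_address or the value given to
# gitlab_exporter['prometheus_scrape_tls_server_name'].
san_has_name() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$2"
}

# key_matches_cert CERT KEY
# Succeeds if the certificate and the private key carry the same public key,
# which catches a mismatched pair before reconfigure does.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Stand-alone run in a scratch directory (constructed input, nothing is
# written under /etc/gitlab).
workdir=$(mktemp -d)
if make_scrape_cert "$workdir" localhost &&
   san_has_name "$workdir/gitlab-exporter.crt" localhost &&
   key_matches_cert "$workdir/gitlab-exporter.crt" "$workdir/gitlab-exporter.key"
then
    echo "certificate pair is usable for server name localhost"
else
    echo "certificate pair failed a check" >&2
fi
rm -rf "$workdir"
```
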