TLS For Metrics
Overview
To enhance security, using TLS for accessing metrics is recommended. This document outlines how the metrics served securely using TLS for each exporter. Each node typically has a Node Exporter and a corresponding database-specific exporter to provide detailed metrics. Access to these metrics is limited to the sources specified in Firewall Management.
Service discovery
There is a service discovery endpoint created for each datastore. Available from CCX v1.53 onwards.
It’s available at https://<ccxFQDN>/metrics/<storeID>/targets and
implements Prometheus HTTP SD Endpoint.
note:
<ccxFQDN>is the domain you see in your address bar with CCX UI open, not a datastore URL or a connection string. We’ll useccx.example.comhereafter.
Here is an example of a scrape config for Prometheus:
scrape_configs:
- job_name: 'my datastore'
http_sd_configs:
- url: 'https://ccx.example.com/metrics/50e4db2a-85cd-4190-b312-e9e263045b5b/targets'
Individual Metrics Endpoints Format
Metrics for each exporter is served on:
https://ccx.example.com/metrics/<storeID>/<nodeName>/<exporterType>
Where nodeName is short name, not full fqdn.
Exporter Type Examples:
-
MSSQL:
- URL:
https://ccx.example.com/metrics/<storeID>/<nodeName>/mssql_exporter
- URL:
-
Redis:
- URL:
https://ccx.example.com/metrics/<storeID>/<nodeName>/redis_exporter
- URL:
-
PostgreSQL:
- URL:
https://ccx.example.com/metrics/<storeID>/<nodeName>/postgres_exporter
- URL:
-
MySQL:
- URL:
https://ccx.example.com/metrics/<storeID>/<nodeName>/mysqld_exporter
- URL:
-
MariaDB:
- URL:
https://ccx.example.com/metrics/<storeID>/<nodeName>/mysqld_exporter
- URL:
-
NodeExporter:
- URL:
https://ccx.example.com/metrics/<storeID>/<nodeName>/node_exporter
- URL:
By serving metrics over HTTPS with TLS, we ensure secure monitoring access for customers.