带Prometheus Pushgateway的千分尺-增加TLS支持

Question

我有一个使用千分尺的Pushgateway的Spring应用程序，主要基于本教程：https://luramarchanjo.tech/2020/01/05/spring-boot-2.2-and-prometheus-pushgateway-with-micrometer.html

pom.xml有以下相关的依赖关系：

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
<dependency>
    <groupId>io.micrometer</groupId>
    <artifactId>micrometer-core</artifactId>
</dependency>
<dependency>
    <groupId>io.micrometer</groupId>
    <artifactId>micrometer-registry-prometheus</artifactId>
</dependency>
<dependency>
    <groupId>io.prometheus</groupId>
    <artifactId>simpleclient_pushgateway</artifactId>
    <version>0.16.0</version>
</dependency>

application.properties文件有：

management.metrics.export.prometheus.pushgateway.enabled=true
management.metrics.export.prometheus.pushgateway.shutdown-operation=PUSH
management.metrics.export.prometheus.pushgateway.baseUrl=localhost:9091

在Dev环境下，它在没有任何TLS的情况下连接到Pushgateway时，在本地运行良好。在我们的CI环境中，Prometheus Pushgateway已经启用了TLS。如何在这个Spring引导应用程序中配置TLS支持和配置证书？

Answer 1

由于TLS的使用，您需要定制几个Spring类：

• HttpConnectionFactory -> PushGateway -> PrometheusPushGatewayManager

一个HttpConnectionFactory，由prometheus的PushGateway用来创建一个安全连接，然后创建一个使用前一个推送网关的PrometheusPushGatewayManager。

您将需要实现prometheus的接口HttpConnectionFactory，我假设您能够创建一个有效的javax.net.ssl.SSLContext对象(如果不能，则最终获得更多详细信息)。

HttpConnectionFactory示例：

public class MyTlsConnectionFactory implements io.prometheus.client.exporter.HttpConnectionFactory {
    @Override
    public HttpURLConnection create(String hostUrl) {
        // considering you can get javax.net.ssl.SSLContext or javax.net.ssl.SSLSocketFactory
        URL url = new URL(hostUrl);
        HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
        connection.setSSLSocketFactory(sslContext.getSocketFactory());
        return connection;
    }
}

PrometheusPushGatewayManager与PushGateway

@Bean 
public HttpConnectionFactory tlsConnectionFactory() {
    return new MyTlsConnectionFactory();
}

@Bean 
public PushGateway pushGateway(HttpConnectionFactory connectionFactory) throws MalformedURLException {
    String url = "https://localhost:9091"; // replace by your props
    PushGateway pushGateway = new PushGateway(new URL(url));
    pushGateway.setConnectionFactory(connectionFactory); 
    return pushGateway;
}

@Bean 
public PrometheusPushGatewayManager tlsPrometheusPushGatewayManager(PushGateway pushGateway,
                                                                    CollectorRegistry registry) {
    // fill the others params accordingly (the important is pushGateway!)
    return new PrometheusPushGatewayManager(
            pushGateway,
            registry,
            Duration.of(15, ChronoUnit.SECONDS),
            "some-job-id",
            null,
            PrometheusPushGatewayManager.ShutdownOperation.PUSH
    );
}

如果您在从java代码中检索SSLContext时遇到困难，我建议您学习库https://github.com/Hakky54/sslcontext-kickstart和https://github.com/Hakky54/mutual-tls-ssl (这说明了如何使用不同的客户端库)。

然后，就可以以一种干净的方式在java代码中生成SSLContext，例如：

String keyStorePath = "client.jks";
char[] keyStorePassword = "password".toCharArray();
SSLFactory sslFactory = SSLFactory.builder()
        .withIdentityMaterial(keyStorePath, keyStorePassword)
        .build();
javax.net.ssl.SSLContext sslContext = sslFactory.getSslContext();

最后，如果您需要为测试目的设置本地Prometheus + TLS环境，我建议您按照下面的贴子：https://smallstep.com/hello-mtls/doc/client/prometheus