prometheus mtls working

2025-12-28 20:17:04 -06:00
parent 015725d2cc
commit 0fb52c50ff
4 changed files with 36 additions and 25 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 .env*
+certs/
--- a/certs/.gitkeep
+++ b/certs/.gitkeep
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -12,9 +12,13 @@ services:
    image: grafana/alloy
    container_name: grafana-alloy
    restart: unless-stopped
+    privileged: true
    volumes:
-      - ./grafana-alloy/config.alloy:/etc/alloy/config.alloy
      - /var/run/docker.sock:/var/run/docker.sock
+      - ./grafana-alloy/config.alloy:/etc/alloy/config.alloy
+      - ./certs:/etc/alloy/certs
+    ports:
+      - '12345:12345'
    command:
      - run
      - --server.http.listen-addr=0.0.0.0:12345
@@ -33,7 +37,7 @@ services:
      WATCHTOWER_SCHEDULE: "0 0 3 * * *"

  docker-proxy:
-    image: ghcr.io/tecnativa/docker-socket-proxy:latest
+    image: ghcr.io/tecnativa/docker-socket-proxy
    container_name: docker-proxy
    restart: unless-stopped
    ports:
--- a/grafana-alloy/config.alloy
+++ b/grafana-alloy/config.alloy
@@ -4,6 +4,7 @@
 prometheus.exporter.cadvisor "docker_metrics" {
  docker_host = "unix:///var/run/docker.sock"
  storage_duration = "5m"
+  allowlisted_container_labels = ["name", "container", "container_name", "id"]
 }

 prometheus.scrape "scraper" {
@@ -15,7 +16,12 @@ prometheus.scrape "scraper" {

 prometheus.remote_write "default" {
  endpoint {
-    url = "http://prometheus:9090/api/v1/write"
+    url = "https://prometheus.john-stream.com:9090/api/v1/write"
+    tls_config {
+      cert_file = "/etc/alloy/certs/prometheus.crt"
+      key_file  = "/etc/alloy/certs/prometheus.key"
+      ca_file   = "/etc/alloy/certs/root_ca.crt"
+    }
  }
 }

@@ -23,27 +29,27 @@ discovery.docker "linux" {
  host = "unix:///var/run/docker.sock"
 }

-discovery.relabel "logs_integrations_docker" {
-  targets = []
+// discovery.relabel "logs_integrations_docker" {
+//   targets = []

-  rule {
-    source_labels = ["__meta_docker_container_name"]
-    regex = "/(.*)"
-    target_label = "service_name"
-  }
-}
+//   rule {
+//     source_labels = ["__meta_docker_container_name"]
+//     regex = "/(.*)"
+//     target_label = "service_name"
+//   }
+// }

-loki.source.docker "default" {
-  host       = "unix:///var/run/docker.sock"
-  targets    = discovery.docker.linux.targets
-  labels     = {"platform" = "docker"}
-  relabel_rules = discovery.relabel.logs_integrations_docker.rules
-  forward_to = [loki.write.default.receiver]
-}
+// loki.source.docker "default" {
+//   host       = "unix:///var/run/docker.sock"
+//   targets    = discovery.docker.linux.targets
+//   labels     = {"platform" = "docker"}
+//   relabel_rules = discovery.relabel.logs_integrations_docker.rules
+//   forward_to = [loki.write.default.receiver]
+// }

-loki.write "default" {
-  endpoint {
-    url = "http://loki:3100/loki/api/v1/push"
-  }
-  external_labels = {}
-}
+// loki.write "default" {
+//   endpoint {
+//     url = "http://loki:3100/loki/api/v1/push"
+//   }
+//   external_labels = {}
+// }