Configuration
When operating a self-managed Prometheus instance, Bindplane's server configuration must be updated to connect to the remote Prometheus instance.
Bindplane Configuration
After installing Bindplane, update the configuration file at /etc/bindplane/config.yaml using the editor of your choice.
Set prometheus.enableRemote to true.
Set prometheus.host to the IP address or hostname of your Prometheus server.

prometheus:
  enableRemote: true
  localFolder: /var/lib/bindplane/prometheus
  host: prometheus.c.project.internal
  port: '9090'
  remoteWrite:
    endpoint: /api/v1/write
  auth:
    type: none

Once enableRemote and host are configured, restart the Bindplane server process.

sudo systemctl restart bindplane

At this point, Bindplane is installed and configured to use the remote Prometheus instance.
Security
Prometheus supports several security options: basic authentication (basic auth), Transport Layer Security (TLS), and mutual TLS (mTLS).
Basic Authentication
Follow the Prometheus Basic Auth Password Hashing documentation to generate a password hash.
Once you have your hash, update /etc/prometheus/web.yml with your basic auth username and password hash.
Restart the Prometheus service.
Test by making a curl request, without basic auth. You should expect a "401 Unauthorized" response.
Test by making a curl request with your username and password.
You should expect a "200 OK" response. This will indicate that basic auth is working correctly.
Next, we need to update Bindplane with the new credentials. Edit /etc/bindplane/config.yaml on all of your Bindplane servers.
Restart the Bindplane service.
Transport Layer Security (TLS)
Copy the certificate keypair to /etc/prometheus/tls. The example commands assume that you have a certificate key pair in your working directory named prometheus.crt and prometheus.key.
Server side TLS can be configured by editing the web configuration file at /etc/prometheus/web.yml and configuring the certificate file and private key file paths.
Restart the Prometheus service.
You can test if Prometheus is using TLS by using curl.
You should expect a "200 OK" response. This will indicate that server side TLS is working correctly.
Next, we need to update Bindplane to use TLS when communicating with Prometheus. On all of your servers, perform the following steps.
Copy the certificate authority to /etc/bindplane/tls. The example commands assume that you have a certificate authority public key named ca.crt in your working directory.
Edit /etc/bindplane/config.yaml on all of your Bindplane servers and add the tls.tlsCa parameter.
Restart the Bindplane service.
Mutual TLS
Copy the certificate keypair and certificate authority to /etc/prometheus/tls. The example commands assume that you have a certificate key pair in your working directory named prometheus.crt and prometheus.key and a certificate authority named ca.crt.
Mutual TLS can be configured by editing the web configuration file at /etc/prometheus/web.yml and configuring the certificate file, private key file paths and certificate authority paths.
Restart the Prometheus service.
You can test if Prometheus is using TLS by using curl on the Prometheus system.
You should expect a "200 OK" response. This will indicate that mutual TLS is working correctly.
Next, we need to update Bindplane to use mutual TLS when communicating with Prometheus. On all of your servers, perform the following steps.
Copy the certificate authority and client keypair to /etc/bindplane/tls. The example commands assume that you have a certificate key pair in your working directory named bindplane.crt and bindplane.key and a certificate authority named ca.crt.
Edit /etc/bindplane/config.yaml on all of your Bindplane servers and add the tls parameters.
Restart the Bindplane service.
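The curl checks in the Basic Authentication, TLS and Mutual TLS sections can also be scripted. The following is an added example, not part of the Bindplane or Prometheus documentation: it uses only the Python standard library to confirm that anonymous requests get 401 and authenticated requests get 200, optionally over TLS or mTLS. The /-/healthy path, the placeholder credentials and the CA file location are assumptions.

```python
"""Added example: scripted version of the 401/200 checks described above."""
import base64
import ssl
import urllib.error
import urllib.request


def probe(url, username=None, password=None, ca=None, cert=None, key=None, timeout=5):
    """Return the HTTP status code for one GET request to url."""
    handlers = [urllib.request.ProxyHandler({})]  # bypass any proxy from the environment
    if url.startswith("https://"):
        # Verify the server against the given CA file (system trust store if None).
        ctx = ssl.create_default_context(cafile=ca)
        if cert and key:
            ctx.load_cert_chain(certfile=cert, keyfile=key)  # client keypair for mTLS
        handlers.append(urllib.request.HTTPSHandler(context=ctx))
    request = urllib.request.Request(url)
    if username is not None:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        request.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.build_opener(*handlers).open(request, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401 and other HTTP error statuses arrive as exceptions


def basic_auth_enforced(url, username, password, **tls):
    """True only if anonymous requests get 401 and the credentials get 200."""
    anonymous = probe(url, **tls)
    authenticated = probe(url, username, password, **tls)
    return anonymous == 401 and authenticated == 200


if __name__ == "__main__":
    # Constructed values: host taken from the page's config, placeholder
    # credentials, and an assumed CA path and health endpoint.
    url = "https://prometheus.c.project.internal:9090/-/healthy"
    ok = basic_auth_enforced(url, "EXAMPLE_USER", "EXAMPLE_PASSWORD",
                             ca="/etc/bindplane/tls/ca.crt")
    print("basic auth enforced:", ok)
```

A certificate verification failure or refused connection raises an exception instead of returning a status, so a TLS misconfiguration is not mistaken for an authentication result.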