Updated by Linode Written by Ben Bigger
In this guide, you will deploy the Prometheus Operator to your Linode Kubernetes Engine (LKE) cluster using Helm, either as:
The Prometheus Operator Monitoring Stack
When administrating any system, effective monitoring tools can empower users to perform quick and effective issue diagnosis and resolution. This need for monitoring solutions has led to the development of several prominent open source tools designed to solve problems associated with monitoring diverse systems.
Since its release in 2016, Prometheus has become a leading monitoring tool for containerized environments including Kubernetes. Alertmanager is often used with Prometheus to send and manage alerts with tools such as Slack. Grafana, an open source visualization tool with a robust web interface, is commonly deployed along with Prometheus to provide centralized visualization of system metrics.
The community-supported Prometheus Operator Helm Chart provides a complete monitoring stack including each of these tools along with Node Exporter and kube-state-metrics, and is designed to provide robust Kubernetes monitoring in its default configuration.
While there are several options for deploying the Prometheus Operator, using Helm, a Kubernetes “package manager,” to deploy the community-supported the Prometheus Operator enables you to:
- Control the components of your monitoring stack with a single configuration file.
- Easily manage and upgrade your deployments.
- Utilize out-of-the-box Grafana interfaces built for Kubernetes monitoring.
Before You Begin
Note
Deploy an LKE Cluster. This guide was written using an example node pool with three 2 GB Linodes. Depending on the workloads you will be deploying on your cluster, you may consider using Linodes with more available resources.
Install Helm 3 to your local environment.
Install kubectl to your local environment and connect to your cluster.
Create the
monitoringnamespace on your LKE cluster:kubectl create namespace monitoringCreate a directory named
lke-monitorto store all of your Helm values and Kubernetes manifest files and move into the new directory:mkdir ~/lke-monitor && cd ~/lke-monitorAdd the Google stable Helm charts repository to your Helm repos:
helm repo add stable https://kubernetes-charts.storage.googleapis.com/Update your Helm repositories:
helm repo update(Optional) For public access with HTTPS and basic auth configured for your web interfaces of your monitoring tools:
Purchase a domain name from a reliable domain registrar and configure your registrar to use Linode’s nameservers with your domain. Using Linode’s DNS Manager, create a new Domain for the one that you have purchased.
Ensure that
htpasswdis installed to your local environment. For many systems, this tool has already been installed. Debian and Ubuntu users will have to install the apache2-utils package with the following command:sudo apt install apache2-utils
Prometheus Operator Minimal Deployment
In this section, you will complete a minimal deployment of the Prometheus Operator for individual/local access with kubectl Port-Forward. If you require your monitoring interfaces to be publicly accessible over the internet, you can skip to the following section on completing a Prometheus Operator Deployment with HTTPS and Basic Auth.
Deploy Prometheus Operator
In this section, you will create a Helm chart values file and use it to deploy Prometheus Operator to your LKE cluster.
Using the text editor of your choice, create a file named
values.yamlin the~/lke-monitordirectory and save it with the configurations below. Since the control plane is Linode-managed, as part of this step we will also disable metrics collection for the control plane component:Caution
The below configuration will establish persistent data storage with three separate 10GiB Block Storage Volumes for Prometheus, Alertmanager, and Grafana. Because the Prometheus Operator deploys as StatefulSets, these Volumes and their associated Persistent Volume resources must be deleted manually if you later decide to tear down this Helm release.- ~/lke-monitor/values.yaml
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37# Prometheus Operator Helm Chart values for Linode Kubernetes Engine minimal deployment prometheus: prometheusSpec: storageSpec: volumeClaimTemplate: spec: storageClassName: linode-block-storage-retain resources: requests: storage: 10Gi alertmanager: alertmanagerSpec: storage: volumeClaimTemplate: spec: storageClassName: linode-block-storage-retain resources: requests: storage: 10Gi grafana: persistence: enabled: true storageClassName: linode-block-storage-retain size: 10Gi # Disable metrics for Linode-managed Kubernetes control plane elements kubeEtcd: enabled: false kubeControllerManager: enabled: false kubeScheduler: enabled: false
Export an environment variable to store your Grafana admin password:
Note
Replace
prom-operatorin the below command with a secure password and save the password for later reference.export GRAFANA_ADMINPASSWORD="prom-operator"Using Helm, deploy a Prometheus Operator release labeled
lke-monitorin themonitoringnamespace on your LKE cluster with the settings established in yourvalues.yamlfile:helm install lke-monitor stable/prometheus-operator -f ~/lke-monitor/values.yaml --namespace monitoring --set grafana.adminPassword=$GRAFANA_ADMINPASSWORD --set prometheusOperator.createCustomResource=falseNote
You can safely ignore messages similar to
manifest_sorter.go:192: info: skipping unknown hook: "crd-install"as discussed in this Github issues thread.Alternatively, you can add
--set prometheusOperator.createCustomResource=falseto the above command to prevent the message from appearing.Verify that the Prometheus Operator has been deployed to your LKE cluster and its components are running and ready by checking the pods in the
monitoringnamespace:kubectl -n monitoring get podsYou should see a similar output to the following:
NAME READY STATUS RESTARTS AGE alertmanager-lke-monitor-prometheus-ope-alertmanager-0 2/2 Running 0 45s lke-monitor-grafana-84cbb54f98-7gqtk 2/2 Running 0 54s lke-monitor-kube-state-metrics-68c56d976f-n587d 1/1 Running 0 54s lke-monitor-prometheus-node-exporter-6xt8m 1/1 Running 0 53s lke-monitor-prometheus-node-exporter-dkc27 1/1 Running 0 53s lke-monitor-prometheus-node-exporter-pkc65 1/1 Running 0 53s lke-monitor-prometheus-ope-operator-f87bc9f7c-w56sw 2/2 Running 0 54s prometheus-lke-monitor-prometheus-ope-prometheus-0 3/3 Running 1 35s
Access Monitoring Interfaces with Port-Forward
List the services running in the
monitoringnamespace and review their respective ports:kubectl -n monitoring get svcYou should see an output similar to the following:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE alertmanager-operated ClusterIP None <none> 9093/TCP,9094/TCP,9094/UDP 115s lke-monitor-grafana ClusterIP 10.128.140.155 <none> 80/TCP 2m3s lke-monitor-kube-state-metrics ClusterIP 10.128.165.34 <none> 8080/TCP 2m3s lke-monitor-prometheus-node-exporter ClusterIP 10.128.192.213 <none> 9100/TCP 2m3s lke-monitor-prometheus-ope-alertmanager ClusterIP 10.128.153.6 <none> 9093/TCP 2m3s lke-monitor-prometheus-ope-operator ClusterIP 10.128.198.160 <none> 8080/TCP,443/TCP 2m3s lke-monitor-prometheus-ope-prometheus ClusterIP 10.128.121.47 <none> 9090/TCP 2m3s prometheus-operated ClusterIP None <none> 9090/TCP 105sFrom the above output, the resource services you will access have the corresponding ports:
Resource Service Name Port Prometheus lke‑monitor‑prometheus‑ope‑prometheus 9090 Alertmanager lke‑monitor‑prometheus‑ope‑alertmanager 9093 Grafana lke‑monitor‑grafana 80 Use
kubectlport-forward to open a connection to a service, then access the service’s interface by entering the corresponding address in your web browser:Note
Press control+C on your keyboard to terminate a port-forward process after entering any of the following commands.
To provide access to the Prometheus interface at the address
127.0.0.1:9090in your web browser, enter:kubectl -n monitoring port-forward svc/lke-monitor-prometheus-ope-prometheus 9090To provide access to the Alertmanager interface at the address
127.0.0.1:9093in your web browser, enter:kubectl -n monitoring port-forward svc/lke-monitor-prometheus-ope-alertmanager 9093To provide access to the Grafana interface at the address
127.0.0.1:8081in your web browser, enter:kubectl -n monitoring port-forward svc/lke-monitor-grafana 8081:80Log in with the username
adminand the password you exported as$GRAFANA_ADMINPASSWORD. The Grafana dashboards are accessible at Dashboards > Manage from the left navigation bar.
Prometheus Operator Deployment with HTTPS and Basic Auth
Note
Before you start on this section, ensure that you have completed all of the steps in Before you Begin.
This section will show you how to install and configure the necessary components for secure, path-based, public access to the Prometheus, Alertmanager, and Grafana interfaces using the domain you have configured for use with Linode.
An Ingress is used to provide external routes, via HTTP or HTTPS, to your cluster’s services. An Ingress Controller, like the NGINX Ingress Controller, fulfills the requirements presented by the Ingress using a load balancer.
To enable HTTPS on your monitoring interfaces, you will create a Transport Layer Security (TLS) certificate from the Let’s Encrypt certificate authority (CA) using the ACME protocol. This will be facilitated by cert-manager, the native Kubernetes certificate management controller.
While the Grafana interface is natively password-protected, the Prometheus and Alertmanager interfaces must be secured by other means. This guide covers basic authentication configurations to secure the Prometheus and Alertmanager interfaces.
If you are completing this section of the guide after completing a Prometheus Operator Minimal Deployment, you can use Helm to upgrade your release and maintain the persistent data storage for your monitoring stack.
Install the NGINX Ingress Controller
In this section, you will install the NGINX Ingress Controller using Helm, which will create a NodeBalancer to handle your cluster’s traffic.
Install the Google stable NGINX Ingress Controller Helm chart:
helm install nginx-ingress stable/nginx-ingressAccess your NodeBalancer’s assigned external IP address.
kubectl -n default get svc -o wide nginx-ingress-controllerThe command will return a similar output to the following:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR nginx-ingress-controller LoadBalancer 10.128.41.200 192.0.2.0 80:30889/TCP,443:32300/TCP 59s app.kubernetes.io/component=controller,app=nginx-ingress,release=nginx-ingressCopy the IP address of the
EXTERNAL IPfield and navigate to Linode’s DNS Manager and create an A record using this external IP address and a hostname value corresponding to the subdomain you plan to use with your domain.
Now that your NGINX Ingress Controller has been deployed and your domain’s A record has been updated, you are ready to enable HTTPS on your monitoring interfaces.
Install cert-manager
Note
Before performing the commands in this section, ensure that your DNS has had time to propagate across the internet. You can query the status of your DNS by using the following command, substituting
example.comfor your domain (including a subdomain if you have configured one).dig +short example.comIf successful, the output should return the IP address of your NodeBalancer.
Install cert-manager’s CRDs.
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.15.2/cert-manager.crds.yamlAdd the Helm repository which contains the cert-manager Helm chart.
helm repo add jetstack https://charts.jetstack.ioUpdate your Helm repositories.
helm repo updateInstall the cert-manager Helm chart. These basic configurations should be sufficient for many use cases, however, additional cert-manager configurable parameters can be found in cert-manager’s official documentation.
helm install cert-manager jetstack/cert-manager --namespace cert-manager --version v0.15.2Verify that the corresponding cert-manager pods are running and ready.
kubectl -n cert-manager get podsYou should see a similar output:
NAME READY STATUS RESTARTS AGE cert-manager-749df5b4f8-mc9nj 1/1 Running 0 19s cert-manager-cainjector-67b7c65dff-4fkrw 1/1 Running 0 19s cert-manager-webhook-7d5d8f856b-4nw9z 1/1 Running 0 19s
Create a ClusterIssuer Resource
Now that cert-manager is installed and running on your cluster, you will need to create a ClusterIssuer resource which defines which CA can create signed certificates when a certificate request is received. A ClusterIssuer is not a namespaced resource, so it can be used by more than one namespace.
Using the text editor of your choice, create a file named
acme-issuer-prod.yamlwith the example configurations, replacing the value ofemailwith your own email address for the ACME challenge:- ~/lke-monitor/acme-issuer-prod.yaml
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15apiVersion: cert-manager.io/v1alpha2 kind: ClusterIssuer metadata: name: letsencrypt-prod spec: acme: email: [email protected] server: https://acme-v02.api.letsencrypt.org/directory privateKeySecretRef: name: letsencrypt-secret-prod solvers: - http01: ingress: class: nginx
This manifest file creates a ClusterIssuer resource that will register an account on an ACME server. The value of
spec.acme.serverdesignates Let’s Encrypt’s production ACME server, which should be trusted by most browsers.Note
Let’s Encrypt provides a staging ACME server that can be used to test issuing trusted certificates, while not worrying about hitting Let’s Encrypt’s production rate limits. The staging URL ishttps://acme-staging-v02.api.letsencrypt.org/directory.The value of
privateKeySecretRef.nameprovides the name of a secret containing the private key for this user’s ACME server account (this is tied to the email address you provide in the manifest file). The ACME server will use this key to identify you.To ensure that you own the domain for which you will create a certificate, the ACME server will issue a challenge to a client. cert-manager provides two options for solving challenges,
http01andDNS01. In this example, thehttp01challenge solver will be used and it is configured in thesolversarray. cert-manager will spin up challenge solver Pods to solve the issued challenges and use Ingress resources to route the challenge to the appropriate Pod.
Create the ClusterIssuer resource:
kubectl apply -f ~/lke-monitor/acme-issuer-prod.yaml
Create a Certificate Resource
After you have a ClusterIssuer resource, you can create a Certificate resource. This will describe your x509 public key certificate and will be used to automatically generate a CertificateRequest which will be sent to your ClusterIssuer.
Using the text editor of your choice, create a file named
certificate-prod.yamlwith the example configurations:Note
Replace the value of
spec.dnsNameswith the domain, including subdomains, that you will use to host your monitoring interfaces.- ~/lke-monitor/certificate-prod.yaml
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15apiVersion: cert-manager.io/v1alpha2 kind: Certificate metadata: name: prometheus-operator-prod namespace: monitoring spec: secretName: letsencrypt-secret-prod duration: 2160h # 90d renewBefore: 360h # 15d issuerRef: name: letsencrypt-prod kind: ClusterIssuer dnsNames: - example.com
Note
The configurations in this example create a Certificate in the
monitoringnamespace that is valid for 90 days and renews 15 days before expiry.Create the Certificate resource:
kubectl apply -f ~/lke-monitor/certificate-prod.yamlVerify that the Certificate has been successfully issued:
kubectl -n monitoring get certsWhen your certificate is ready, you should see a similar output:
NAME READY SECRET AGE lke-monitor True letsencrypt-secret-prod 33s
Next, you will create the necessary resources for basic authentication of the Prometheus and Alertmanager interfaces.
Configure Basic Auth Credentials
In this section, you will use htpasswd to generate credentials for basic authentication and create a Kubernetes Secret, which will then be applied to your Ingress configuration to secure access to your monitoring interfaces.
Create a basic authentication password file for the user
admin:htpasswd -c ~/lke-monitor/auth adminFollow the prompts to create a secure password, then store your password securely for future reference.
Create a Kubernetes Secret for the
monitoringnamespace using the file you created above:kubectl -n monitoring create secret generic basic-auth --from-file=authVerify that the
basic-authsecret has been created on your LKE cluster:kubectl -n monitoring get secret basic-authYou should see a similar output to the following:
NAME TYPE DATA AGE basic-auth Opaque 1 81s
All the necessary components are now in place to be able to enable HTTPS on your monitoring interfaces. In the next section, you will complete the steps needed to deploy Prometheus Operator.
Deploy or Upgrade Prometheus Operator
In this section, you will create a Helm chart values file and use it to deploy Prometheus Operator to your LKE cluster.
Using the text editor of your choice, create a file named
values-https-basic-auth.yamlin the~/lke-monitordirectory and save it with the configurations below. Since the control plane is Linode-managed, as part of this step we will also disable metrics collection for the control plane component:Note
Caution
The below configuration will establish persistent data storage with three separate 10GiB Block Storage Volumes for Prometheus, Alertmanager, and Grafana. Because the Prometheus Operator deploys as StatefulSets, these Volumes and their associated Persistent Volume resources must be deleted manually if you later decide to tear down this Helm release.- ~/lke-monitor/values-https-basic-auth.yaml
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95# Helm chart values for Prometheus Operator with HTTPS and basic auth prometheus: ingress: enabled: true annotations: kubernetes.io/ingress.class: nginx nginx.ingress.kubernetes.io/rewrite-target: /$2 cert-manager.io/cluster-issuer: letsencrypt-prod nginx.ingress.kubernetes.io/auth-type: basic nginx.ingress.kubernetes.io/auth-secret: basic-auth nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required' hosts: - example.com paths: - /prometheus(/|$)(.*) tls: - secretName: lke-monitor-tls hosts: - example.com prometheusSpec: routePrefix: / externalUrl: https://example.com/prometheus storageSpec: volumeClaimTemplate: spec: storageClassName: linode-block-storage-retain resources: requests: storage: 10Gi alertmanager: ingress: enabled: true annotations: kubernetes.io/ingress.class: nginx nginx.ingress.kubernetes.io/rewrite-target: /$2 cert-manager.io/cluster-issuer: letsencrypt-prod nginx.ingress.kubernetes.io/auth-type: basic nginx.ingress.kubernetes.io/auth-secret: basic-auth nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required' hosts: - example.com paths: - /alertmanager(/|$)(.*) tls: - secretName: lke-monitor-tls hosts: - example.com alertmanagerSpec: routePrefix: / externalUrl: https://example.com/alertmanager storage: volumeClaimTemplate: spec: storageClassName: linode-block-storage-retain resources: requests: storage: 10Gi grafana: persistence: enabled: true storageClassName: linode-block-storage-retain size: 10Gi ingress: enabled: true annotations: kubernetes.io/ingress.class: nginx nginx.ingress.kubernetes.io/rewrite-target: /$2 nginx.ingress.kubernetes.io/auth-type: basic nginx.ingress.kubernetes.io/auth-secret: basic-auth nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required' hosts: - example.com path: /grafana(/|$)(.*) tls: - secretName: lke-monitor-tls hosts: - example.com grafana.ini: server: domain: example.com root_url: "%(protocol)s://%(domain)s/grafana/" enable_gzip: "true" # Disable control plane metrics kubeEtcd: enabled: false kubeControllerManager: enabled: false kubeScheduler: enabled: false
Export an environment variable to store your Grafana admin password:
Note
Replace
prom-operatorin the below command with a secure password and save the password for later reference.export GRAFANA_ADMINPASSWORD="prom-operator"Using Helm, deploy a Prometheus Operator release labeled
lke-monitorin themonitoringnamespace on your LKE cluster with the settings established in yourvalues-https-basic-auth.yamlfile:Note
If you have already deployed a Prometheus Operator release, you can upgrade it by replacing
helm installwithhelm upgradein the below command.helm install lke-monitor stable/prometheus-operator -f ~/lke-monitor/values-https-basic-auth.yaml --namespace monitoring --set grafana.adminPassword=$GRAFANA_ADMINPASSWORDOnce completed, you will see output similar to the following:
NAME: lke-monitor LAST DEPLOYED: Mon Jul 27 17:03:46 2020 NAMESPACE: monitoring STATUS: deployed REVISION: 1 NOTES: The Prometheus Operator has been installed. Check its status by running: kubectl --namespace monitoring get pods -l "release=lke-monitor" Visit https://github.com/coreos/prometheus-operator for instructions on how to create & configure Alertmanager and Prometheus instances using the Operator.Verify that the Prometheus Operator has been deployed to your LKE cluster and its components are running and ready by checking the pods in the
monitoringnamespace:kubectl -n monitoring get podsYou should see a similar output to the following, confirming that you are ready to access your monitoring interfaces using your domain:
NAME READY STATUS RESTARTS AGE alertmanager-lke-monitor-prometheus-ope-alertmanager-0 2/2 Running 0 45s lke-monitor-grafana-84cbb54f98-7gqtk 2/2 Running 0 54s lke-monitor-kube-state-metrics-68c56d976f-n587d 1/1 Running 0 54s lke-monitor-prometheus-node-exporter-6xt8m 1/1 Running 0 53s lke-monitor-prometheus-node-exporter-dkc27 1/1 Running 0 53s lke-monitor-prometheus-node-exporter-pkc65 1/1 Running 0 53s lke-monitor-prometheus-ope-operator-f87bc9f7c-w56sw 2/2 Running 0 54s prometheus-lke-monitor-prometheus-ope-prometheus-0 3/3 Running 1 35s
Access Monitoring Interfaces from your Domain
Your monitoring interfaces are now publicly accessible with HTTPS and basic auth from the domain you have configured for use with this guide at the following paths:
| Resource | Domain and path |
|---|---|
| Prometheus | example.com/prometheus |
| Alertmanager | example.com/alertmanager |
| Grafana | example.com/grafana |
When accessing an interface for the first time, log in as admin with the password you configured for basic auth credentials.
When accessing the Grafana interface, you will then log in again as admin with the password you exported as $GRAFANA_ADMINPASSWORD on your local environment. The Grafana dashboards are accessible at Dashboards > Manage from the left navigation bar.
More Information
You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.
This guide is published under a CC BY-ND 4.0 license.
