# =============================================================================
# Prometheus Config Additions - Phase O-1.3/O-1.4
# =============================================================================
# 建立者: Claude Code (首席架構師)
# 日期: 2026-04-02 (台北時間)
# 用途: MinIO 監控 + Kali 健康探測
# 部署位置: 192.168.0.188 /home/ollama/momo-pro/monitoring/prometheus.yml
# 實際部署: 2026-04-02 已手動追加至 .188
# =============================================================================
#
# 部署方式:
# 1. SSH 到 192.168.0.188 (ollama 使用者)
# 2. 追加至 /home/ollama/momo-pro/monitoring/prometheus.yml scrape_configs 末端
# 3. docker kill -s SIGHUP prometheus
#
# ⚠️ MinIO 認證說明:
# MinIO 此版本 (RELEASE.2024-03-26) 不支援 MINIO_PROMETHEUS_AUTH_TYPE=public
# 必須使用 Bearer Token 認證
# Token 產生: docker exec minio mc admin prometheus generate local/
# Token 不得提交到 Git,正式值應由主機本機 secret file 或 secret manager 注入。
# =============================================================================
# ===== MinIO 監控 (O-1.3) =====
# 前置條件: Bearer Token 由 mc admin prometheus generate 產生
#
# 重新產生 Token:
# docker exec minio mc alias set local http://localhost:9000 <MINIO_ACCESS_KEY> '<MINIO_SECRET_KEY>'
# docker exec minio mc admin prometheus generate local/
# 驗證:
# curl -H "Authorization: Bearer <token>" http://192.168.0.188:9000/minio/v2/metrics/cluster | head -5
# Scrape job for the MinIO cluster metrics endpoint (Phase O-1.3).
- job_name: 'minio'
  scheme: 'http'
  metrics_path: '/minio/v2/metrics/cluster'
  honor_timestamps: true
  scrape_interval: '30s'
  scrape_timeout: '10s'
  # Bearer-token authentication must come from a file or a secret manager;
  # the token value must never be written to Git.
  # Immediate security action: the plaintext token was removed from the repo.
  # If the live host still uses the old token, schedule a rotation.
  # NOTE(review): deleting the value from the working tree does not remove it
  # from Git history, so treat the old token as exposed until it is rotated.
  # NOTE(review): with scheme http the Authorization header is sent
  # unencrypted to the target; confirm this traffic never leaves the host.
  # NOTE(review): the secret file should be readable only by the account
  # Prometheus runs as (and mounted read-only if Prometheus is containerised).
  bearer_token_file: '/etc/prometheus/secrets/minio-prometheus-bearer-token'
  static_configs:
    - targets:
        - '192.168.0.188:9000'
      labels:
        instance: 'minio-188'
        service: 'backup-storage'
# ===== Kali Scanner 健康探測 (O-1.4) =====
# 使用 Blackbox Exporter TCP probe 檢查 Scanner API 是否存活
# Kali (192.168.0.112) 是隔離環境,僅做 TCP 可達性檢查
# Blackbox Exporter probe of the Kali scanner API (Phase O-1.4).
# The module is named tcp_connect; what it checks is defined in the
# exporter's own configuration, which is not part of this file.
# NOTE(review): a TCP-level probe shows only that the port accepts
# connections, not that the scanner API itself is healthy.
- job_name: 'blackbox-kali'
  metrics_path: '/probe'
  params:
    module:
      - 'tcp_connect'
  honor_timestamps: true
  scrape_interval: '60s'
  scrape_timeout: '10s'
  static_configs:
    - targets:
        - '192.168.0.112:8080'  # Kali Scanner API
      labels:
        service: 'kali-scanner'
  relabel_configs:
    # Hand the listed target to the exporter as the "target" URL parameter.
    - source_labels:
        - '__address__'
      target_label: '__param_target'
    # Keep the probed endpoint, not the exporter, as the instance label.
    - source_labels:
        - '__param_target'
      target_label: 'instance'
    # R1 review critical fix: Prometheus runs on the host and cannot resolve
    # Kubernetes DNS names, so the scrape itself is sent to the Blackbox
    # Exporter deployed on the .188 host.
    - target_label: '__address__'
      replacement: '192.168.0.188:9115'
# =============================================================================
# 驗證指令
# =============================================================================
#
# MinIO:
# curl -s "http://192.168.0.188:9090/api/v1/targets" | jq '.data.activeTargets[] | select(.labels.job=="minio")'
#
# Kali:
# curl -s "http://192.168.0.188:9090/api/v1/targets" | jq '.data.activeTargets[] | select(.labels.job=="blackbox-kali")'
#