# =============================================================================
# Prometheus Config Additions - Phase O-1.3/O-1.4
# =============================================================================
# 建立者: Claude Code (首席架構師)
# 日期: 2026-04-02 (台北時間)
# 用途: MinIO 監控 + Kali 健康探測
# 部署位置: 192.168.0.188 /home/ollama/momo-pro/monitoring/prometheus.yml
# 實際部署: 2026-04-02 已手動追加至 .188
# =============================================================================
#
# 部署方式:
#   1. SSH 到 192.168.0.188 (ollama 使用者)
#   2. 追加至 /home/ollama/momo-pro/monitoring/prometheus.yml scrape_configs 末端
#   3. docker kill -s SIGHUP prometheus
#
# ⚠️ MinIO 認證說明:
#   MinIO 此版本 (RELEASE.2024-03-26) 不支援 MINIO_PROMETHEUS_AUTH_TYPE=public
#   必須使用 Bearer Token 認證
#   Token 產生: docker exec minio mc admin prometheus generate local/
#   Token 不得提交到 Git;正式值應由主機本機 secret file 或 secret manager 注入。
# =============================================================================
# ===== MinIO monitoring (O-1.3) =====
# Prerequisite: a bearer token produced by `mc admin prometheus generate`.
#
# Regenerating the token:
#   docker exec minio mc alias set local http://localhost:9000 <MINIO_ACCESS_KEY> '<MINIO_SECRET_KEY>'
#   docker exec minio mc admin prometheus generate local/
# Key values typed as command-line arguments are recorded in shell history and
# are visible in process listings while the command runs; keep the real values
# out of saved history and scripts.
#
# Verification:
#   curl -H "Authorization: Bearer <token>" http://192.168.0.188:9000/minio/v2/metrics/cluster | head -5
#
# When appending to prometheus.yml, indent this entry to match the existing
# scrape_configs list.
- job_name: 'minio'
  # With scheme http the Authorization header (the bearer token) is sent
  # unencrypted on every scrape.
  # NOTE(review): the target is the same host address that the file header
  # names as the Prometheus deployment host, so exposure may be limited to the
  # host/bridge path - confirm, and move to https once MinIO serves TLS.
  scheme: 'http'
  metrics_path: '/minio/v2/metrics/cluster'
  scrape_interval: '30s'
  scrape_timeout: '10s'
  honor_timestamps: true
  # The bearer token must be supplied through a file or a secret manager; the
  # token value must never be written to Git.
  # Immediate security action: the plaintext token was removed from the repo;
  # if the live host still uses the old token, schedule a rotation. Deleting
  # the value from the tree does not delete it from Git history, so treat the
  # old token as exposed until it is rotated.
  # NOTE(review): generating a new token may not invalidate the old one -
  # confirm how this MinIO release revokes Prometheus tokens.
  # NOTE(review): Prometheus is reloaded with `docker kill` in the header, so
  # this path is presumably inside the container; mount the file read-only and
  # readable only by the Prometheus user - confirm.
  # NOTE(review): newer Prometheus releases document
  # `authorization.credentials_file` as the replacement for this key; left
  # unchanged because the deployed Prometheus version is not stated here.
  bearer_token_file: '/etc/prometheus/secrets/minio-prometheus-bearer-token'
  static_configs:
    - labels:
        instance: 'minio-188'
        service: 'backup-storage'
      targets:
        - '192.168.0.188:9000'
# ===== Kali Scanner liveness probe (O-1.4) =====
# Uses a Blackbox Exporter TCP probe to check that the Scanner API is alive.
# Kali (192.168.0.112) is an isolated environment, so only TCP reachability is
# checked. A successful tcp_connect only shows that the port accepts
# connections; it says nothing about whether the API behind it is healthy.
# NOTE(review): the probe presumably needs a path from the exporter host to
# 192.168.0.112:8080 through whatever enforces the isolation - keep that
# allowance limited to this one source and port.
#
# When appending to prometheus.yml, indent this entry to match the existing
# scrape_configs list.
- job_name: 'blackbox-kali'
  metrics_path: '/probe'
  params:
    module:
      - 'tcp_connect'
  scrape_interval: '60s'
  scrape_timeout: '10s'
  honor_timestamps: true
  static_configs:
    - labels:
        service: 'kali-scanner'
      targets:
        - '192.168.0.112:8080'  # Kali Scanner API
  # Rule order matters: copy the target into the probe parameter, copy that
  # parameter into the instance label, then redirect the scrape to the exporter.
  relabel_configs:
    - source_labels:
        - '__address__'
      target_label: '__param_target'
    - source_labels:
        - '__param_target'
      target_label: 'instance'
    # R1 Review Critical Fix: Prometheus runs on the host and cannot resolve
    # K8s DNS names, so the exporter is addressed by IP.
    # The Blackbox Exporter is deployed on the .188 host.
    # The exporter's /probe endpoint probes whatever target it is handed, so
    # port 9115 should be reachable only from Prometheus.
    - target_label: '__address__'
      replacement: '192.168.0.188:9115'
# =============================================================================
# 驗證指令
# =============================================================================
#
# MinIO:
#   curl -s "http://192.168.0.188:9090/api/v1/targets" | jq '.data.activeTargets[] | select(.labels.job=="minio")'
#
# Kali:
#   curl -s "http://192.168.0.188:9090/api/v1/targets" | jq '.data.activeTargets[] | select(.labels.job=="blackbox-kali")'
#