How to Configure MongoDB Exporter with SSL/TLS

Percona provides the mongodb_exporter for monitoring MongoDB. It can feed a Prometheus time-series database by exporting sharding, replication, and storage engine metrics. So basically, it’s the way we monitor MongoDB through Percona Monitoring and Management.

You can download or build mongodb_exporter from the GitHub repository. It also comes with the pmm-client package, and it’s based on the latest available mongodb_exporter version.

A simple connection method to MongoDB from mongodb_exporter is described in the mongodb_exporter documentation. But the SSL/TLS connection is a bit tricky due to the option changes between versions of MongoDB and mongodb_exporter.

Reference:

https://docs.mongodb.com/manual/reference/connection-string/#tls-options

https://github.com/percona/mongodb_exporter/releases/tag/v0.10.0

This blog post will show how to configure MongoDB Exporter with SSL/TLS options.

Connection Method and Options

mongodb_exporter v0.9.0

For an SSL connection between mongodb_exporter and MongoDB, here are the SSL options as used on the command line:

# ./mongodb_exporter --mongodb.uri=mongodb://mongodb_exporter:Admin123@localhost:27017 --mongodb.tls --mongodb.tls-ca /etc/mongodb/rootCA.pem --mongodb.tls-cert /etc/mongodb/mongodb.pem
INFO[0000] Starting mongodb_exporter (version=0.9.0, branch=v0.9.0, revision=a11b3b515ee219ef9bce6af7f41d3ff47cc71720) source="mongodb_exporter.go:108"
INFO[0000] Build context (go=go1.12.9, user=travis@build.travis-ci.com, date=20190830-18:19:56) source="mongodb_exporter.go:109"
INFO[0000] Starting HTTP server for http://:9216/metrics ... source="server.go:140"

MongoDB server logs:

I ACCESS [conn1164] Successfully authenticated as principal mongodb_exporter on admin from client 127.0.0.1:40772

mongodb_exporter v0.10.0

Now let’s test the SSL connection with mongodb_exporter v0.10.0 using the same options.

# ./mongodb_exporter --mongodb.uri=mongodb://mongodb_exporter:Admin123@localhost:27017 --mongodb.tls --mongodb.tls-ca /etc/mongodb/rootCA.pem --mongodb.tls-cert /etc/mongodb/mongodb.pem
mongodb_exporter: error: unknown long flag '--mongodb.tls', try --help

As we can see, mongodb_exporter v0.10.0 does not recognize the options given in the documentation. The error is due to changes in mongodb_exporter v0.10.0.

Reference: https://github.com/percona/mongodb_exporter/releases/tag/v0.10.0

  • go.mongodb.org/mongo-driver was updated to v1.1.1.
  • All --mongodb.tls* flags were removed. Use tls-options instead.

Depending on the MongoDB version and its support for SSL/TLS, we will use the following options in mongodb.uri:

SSL Option                         TLS Option
sslclientcertificatekeyfile        tlscertificatekeyfile
sslclientcertificatekeypassword    tlscertificatekeyfilepassword
sslinsecure                        tlsinsecure
sslcertificateauthorityfile        tlscafile

We should refer to the MongoDB documentation for additional URI options. We will not see these options under mongodb_exporter --help since they are part of mongodb.uri.

Examples

Using TLS Options

# ./mongodb_exporter --mongodb.uri="mongodb://mongodb_exporter:Admin123@localhost:27017/admin?tls=true&tlsCertificateKeyFile=/etc/mongodb/mongodb.pem&tlsAllowInvalidCertificates=true&tlsCAFile=/etc/mongodb/rootCA.pem"
INFO[0000] Starting mongodb_exporter (version=0.10.0, branch=v0.10.0, revision=bf683745093a9210ebacbeb235bb792e21d17389) source="mongodb_exporter.go:94"
INFO[0000] Build context (go=go1.12.9, user=travis@build.travis-ci.com, date=20190918-13:37:48) source="mongodb_exporter.go:95"
INFO[0000] Starting HTTP server for http://:9216/metrics ... source="server.go:140"

MongoDB logs:

I NETWORK [listener] connection accepted from 127.0.0.1:52146 #1564 (1 connection now open)
I NETWORK [conn1564] received client metadata from 127.0.0.1:52146 conn1564: { driver: { name: "mongo-go-driver", version: "v1.1.1" }, os: { type: "linux", architecture: "amd64" }, platform: "go1.12.9" }
I NETWORK [listener] connection accepted from 127.0.0.1:52148 #1565 (2 connections now open)
I NETWORK [conn1565] received client metadata from 127.0.0.1:52148 conn1565: { driver: { name: "mongo-go-driver", version: "v1.1.1" }, os: { type: "linux", architecture: "amd64" }, platform: "go1.12.9", application: { name: "mongodb_exporter" } }
I ACCESS [conn1565] Successfully authenticated as principal mongodb_exporter on admin from client 127.0.0.1:52148

Using SSL options

# ./mongodb_exporter --mongodb.uri="mongodb://mongodb_exporter:Admin123@localhost:27017/admin?ssl=true&sslclientcertificatekeyfile=/etc/mongodb/mongodb.pem&sslinsecure=true&sslcertificateauthorityfile=/etc/mongodb/rootCA.pem"
INFO[0000] Starting mongodb_exporter (version=0.10.0, branch=v0.10.0, revision=bf683745093a9210ebacbeb235bb792e21d17389) source="mongodb_exporter.go:94"
INFO[0000] Build context (go=go1.12.9, user=travis@build.travis-ci.com, date=20190918-13:37:48) source="mongodb_exporter.go:95"
INFO[0000] Starting HTTP server for http://:9216/metrics ... source="server.go:140"

MongoDB logs:

I NETWORK [listener] connection accepted from 127.0.0.1:51650 #1544 (1 connection now open)
I NETWORK [conn1544] received client metadata from 127.0.0.1:51650 conn1544: { driver: { name: "mongo-go-driver", version: "v1.1.1" }, os: { type: "linux", architecture: "amd64" }, platform: "go1.12.9" }
I NETWORK [listener] connection accepted from 127.0.0.1:51652 #1545 (2 connections now open)
I NETWORK [conn1545] received client metadata from 127.0.0.1:51652 conn1545: { driver: { name: "mongo-go-driver", version: "v1.1.1" }, os: { type: "linux", architecture: "amd64" }, platform: "go1.12.9", application: { name: "mongodb_exporter" } }
I ACCESS [conn1545] Successfully authenticated as principal mongodb_exporter on admin from client 127.0.0.1:51652
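
The two URIs above differ only in option names, and both turn off certificate validation (tlsAllowInvalidCertificates=true, sslinsecure=true). The following is an added example, not code from the original post or from the mongodb_exporter project: a small Python check that rewrites legacy ssl* options to the tls* names from the table and reports settings worth reviewing before the URI goes into production. The function name audit_uri and the finding texts are assumptions made for this example.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Legacy ssl* URI options and their tls* equivalents (the table in this post,
# plus ssl -> tls as used in the post's two examples).
SSL_TO_TLS = {
    "ssl": "tls",
    "sslclientcertificatekeyfile": "tlsCertificateKeyFile",
    "sslclientcertificatekeypassword": "tlsCertificateKeyFilePassword",
    "sslinsecure": "tlsInsecure",
    "sslcertificateauthorityfile": "tlsCAFile",
}
# Options that relax server certificate or hostname checks when set to true.
NO_VERIFY = {"tlsinsecure", "tlsallowinvalidcertificates",
             "tlsallowinvalidhostnames"}


def audit_uri(uri):
    """Return (uri rewritten with tls* names, list of findings)."""
    parts = urlsplit(uri)
    findings, query, tls_on = [], [], False
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        low = key.lower()  # option names are matched case-insensitively
        if low in SSL_TO_TLS:
            findings.append(f"legacy option {key}: use {SSL_TO_TLS[low]}")
            key = SSL_TO_TLS[low]
            low = key.lower()
        enabled = value.lower() == "true"
        tls_on = tls_on or (low == "tls" and enabled)
        if low in NO_VERIFY and enabled:
            findings.append(f"{key}=true weakens server certificate validation")
        query.append((key, value))
    if parts.scheme == "mongodb" and not tls_on:
        findings.append("tls=true is not set")
    if parts.password:
        findings.append("password in URI is exposed in process arguments")
    new_query = urlencode(query, safe="/")
    return urlunsplit(parts._replace(query=new_query)), findings


# Constructed sample: the URI from the "Using SSL options" command above.
SAMPLE = ("mongodb://mongodb_exporter:Admin123@localhost:27017/admin?ssl=true"
          "&sslclientcertificatekeyfile=/etc/mongodb/mongodb.pem"
          "&sslinsecure=true"
          "&sslcertificateauthorityfile=/etc/mongodb/rootCA.pem")

if __name__ == "__main__":
    rewritten, notes = audit_uri(SAMPLE)
    print(rewritten)
    print("\n".join(notes))
```

With a CA file already supplied through tlsCAFile, dropping the tlsInsecure or tlsAllowInvalidCertificates option lets the driver validate the server certificate against that CA.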

As I mentioned, while the SSL/TLS connection can be a little tricky, I am hopeful that this post helps you properly configure MongoDB Exporter!


by Lalit Choudhary via Percona Database Performance Blog
