以旧版本etcd为例。新版本etcd的指标输出以http形式监听在127.0.0.1(可修改为0.0.0.0)的2381端口因此可以免证书配置。

1.创建secret资源，其中包含以https访问etcd集群的证书和私钥
kubectl create secret generic etcd-certs \
--from-file=/etc/kubernetes/pki/etcd/healthcheck-client.crt \
--from-file=/etc/kubernetes/pki/etcd/healthcheck-client.key \
--from-file=/etc/kubernetes/pki/etcd/ca.crt -n monitoring

2.修改prometheus的资源对象，将上步生成的secret挂载至prometheus中
kubectl edit prometheus k8s -n monitoring

  secrets:
  - etcd-certs

查看证书挂载情况：kubectl exec -it prometheus-k8s-0 -n monitoring -- ls /etc/prometheus/secrets/etcd-certs/

3.创建etcd的endpoints对象并关联至headless service
cat > etcd-service.yaml << EOF
apiVersion: v1
kind: Service
metadata:
  name: etcd-k8s
  namespace: kube-system
  labels:
    k8s-app: etcd
spec:
  type: ClusterIP
  clusterIP: None
  ports:
  - name: port
    port: 2379

---
apiVersion: v1
kind: Endpoints
metadata:
  name: etcd-k8s
  namespace: kube-system
  labels:
    k8s-app: etcd
subsets:
- addresses:
  - ip: 192.168.200.21
  ports:
  - name: port
    port: 2379
EOF

kubectl apply -f etcd-service.yaml

4.创建etcd的servicemonitor资源对象并应用到集群
cat > etcd-monitor.yaml << EOF
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: etcd-k8s
  namespace: monitoring
  labels:
    k8s-app: etcd-k8s
spec:
  jobLabel: k8s-app
  endpoints:
  - port: port
    interval: 30s
    scheme: https
    tlsConfig:
      caFile: /etc/prometheus/secrets/etcd-certs/ca.crt
      certFile: /etc/prometheus/secrets/etcd-certs/healthcheck-client.crt
      keyFile: /etc/prometheus/secrets/etcd-certs/healthcheck-client.key
      insecureSkipVerify: true
  selector:
    matchLabels:
      k8s-app: etcd
  namespaceSelector:
    matchNames:
    - kube-system
EOF

kubectl apply -f etcd-monitor.yaml