How to enable https for all components of scylladb monitoring?

Installation details
ScyllaDB version: ScyllaDB Monitoring 4.9.4
Cluster size: 8
OS (RHEL/CentOS/Ubuntu/AWS AMI): RHEL

Hello, I would like to enable https for components in ScyllaDB monitoring. I can see there are parameters to the start-all.sh script, but there is also a lot of “http” directly in the code.

Just wanted to know if there is a cheatcode to enable https for all components of ScyllaDB monitoring, or if I need to directly change file contents such as this one, grafana/datasource.yml:

# cat grafana/datasource.yml
# config file version
apiVersion: 1
datasources:
- name: prometheus
  type: prometheus
  url: http://DB_ADDRESS
  access: proxy
  basicAuth: false
  isDefault: true
  jsonData:
    timeInterval: '20s'
- name: alertmanager
  type: alertmanager
  orgId: 1
  typeLogoUrl: public/img/icn-datasource.svg
  access: proxy
  url: http://AM_ADDRESS
  password:
  user:
  database:
  basicAuth:
  isDefault:
  jsonData:
    implementation: 'prometheus'

Best regards.

Hi @Gwenael,

Asking @Amnon_Heiman to see if he can assist with an answer.

Thanks,

Gabriel

To enable HTTPS for all components of ScyllaDB Monitoring (Grafana, Prometheus, Alertmanager, etc.), there is no universal “cheatcode” that automatically switches all URLs in configs from HTTP to HTTPS. You typically need to configure HTTPS explicitly for each component and update relevant configuration files accordingly.

Grafana HTTPS Configuration

  • Grafana supports HTTPS natively via its grafana.ini config file.

  • You need to provide Grafana with an SSL certificate and key (either self-signed or CA-signed).

  • Set the following in grafana.ini:

    [server]
    protocol = https
    cert_file = /path/to/cert.pem
    cert_key = /path/to/key.pem

  • Then restart Grafana for changes to take effect.

  • This encrypts the web UI connections.

Prometheus and Alertmanager HTTPS

  • Prometheus and Alertmanager do not have built-in HTTPS for their web UIs by default.

  • A common approach is to put them behind a reverse proxy (e.g., Nginx, HAProxy, Traefik) configured with SSL termination.

  • Update Alertmanager’s URL in Grafana’s datasource to use HTTPS via the proxy.

  • Similarly, use HTTPS URLs for Prometheus targets accessed by Grafana and Alertmanager clients.

Configuration Files

  • For instance, in grafana/datasource.yml, replace:

    url: http://DB_ADDRESS

    with

    url: https://DB_ADDRESS

  • Similarly update Alertmanager URLs to use HTTPS.

  • Note that some URLs can be hardcoded in configs or scripts, so you may need to manually edit those files.

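The answer's last point is that some URLs are hardcoded in configs or scripts. The script below is an added example, not part of the original thread or of ScyllaDB Monitoring, that lists every plaintext http:// URL still present under a directory after the switch. The function names, the scanned file extensions and the sample files are assumptions.

```shell
#!/bin/sh
# Added example, not part of ScyllaDB Monitoring: audit for leftover http:// URLs.

# find_plain_http DIR -> prints "file:line:url" for every http:// URL that is
# not on a full-line comment. The file extensions scanned are an assumption.
find_plain_http() {
    find "${1:-.}" -type f \( -name '*.yml' -o -name '*.yaml' -o -name '*.sh' \
        -o -name '*.ini' -o -name '*.json' \) | sort |
    while IFS= read -r f; do
        awk -v file="$f" '
            /^[ \t]*[#;]/ { next }   # full-line comment (# YAML/sh, ; INI)
            {
                rest = $0
                while (match(rest, /http:\/\/[^ \t"'\'',)]+/)) {
                    printf "%s:%d:%s\n", file, NR, substr(rest, RSTART, RLENGTH)
                    rest = substr(rest, RSTART + RLENGTH)
                }
            }' "$f"
    done
}

# audit_https DIR -> prints the findings and returns 1 if any remain, else 0.
audit_https() {
    hits=$(find_plain_http "$1")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# make_sample -> builds a constructed tree modelled on the datasource.yml in
# the question (check.sh is a hypothetical helper script) and prints its path.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/grafana"
    cat > "$d/grafana/datasource.yml" <<'EOF'
# docs: http://example.invalid/ (comment, ignored)
datasources:
- name: prometheus
  url: https://DB_ADDRESS
- name: alertmanager
  url: http://AM_ADDRESS
EOF
    printf 'curl -s "http://localhost:9090/-/ready"\n' > "$d/check.sh"
    printf '%s\n' "$d"
}

# Usage (hypothetical file name): sh audit_http.sh /path/to/monitoring-dir
if [ -n "${1:-}" ]; then audit_https "$1"; fi
```

Each hit still has to be reviewed by hand: an address that is deliberately loopback-only behind the TLS-terminating proxy may be acceptable, while one that crosses the network is not.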