Scrape multiple redis instances with different passwords

[ganeshkumarpv]

Describe the problem
A clear and concise description of what the bug is.

What version of redis_exporter are you running?
Please run redis_exporter --version if you're not sure what version you're running.
[ ] 0.3x.x
[ ] 1.x.x

Running the exporter
What's the full command you're using to run the exporter? (please remove passwords and other sensitive data)

Expected behavior
What metrics are missing? What metrics are wrong? Is something missing that was present in an earlier version?
Did you upgrade from 0.3x.x to 1.0 and are scraping multiple hosts? Have a look here how the configuration changed.

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Add any other context about the problem here.

[ganeshkumarpv]

I have installed the new verison of redis exporter v1.0.3 where there is not much to config on redis_exporter side. Instead, we have configured prometheus to scrape various target redis instances.
How/where do I specify the password for redis instances?
Earlier with redis exporter < 1.0, there was a redis_exporter.conf file where we used to specify the passwords.

[oliver006]

redis_exporter v1.x let's you provide the password via the command line using --redis.password.

This will use the same password for all the instances you scrape.

If they use different passwords then right now you need to use multiple exporters and configure each of them with a different password.

There's a discussion here](#256 (comment)) that explains what would need to change to let the exporter support multiple passwords but it's not implemented and right now there's no plan to do so (not enough people seem to have this problem).

[ganeshkumarpv]

Thanks for your response.

[ganeshkumarpv]

The issue is if we pass password as a command string argument, then anyone will be able to see the password, if they do a 'ps -lef ' , right??

[oliver006]

You can use the REDIS_PASSWORD environment variable to pass the password to the exporter.

[ceshihao]

+1
I have the same issue on multiple redis instances with different passwords.
And I find some work around on README.md

redis_exporter/README.md

Lines 136 to 137 in 9e802cd

	Password-protected instances can be accessed by using the URI format including a password: `redis://h:<<PASSWORD>>@<<HOSTNAME>>:<<PORT>>`

[ceshihao]

I try it but it does NOT work.

redis_exporter/exporter.go

Lines 80 to 81 in 4572ac5

	// get rid of username/password info in "target" so users don't send them via http
	u.User = nil

@oliver006 Could redis_exporter keep the password when rediss:// (i.e. tls)? I think the feature is needed on some cloud version redis e.g. AWS ElastiCache .

[oliver006]

The problem isn't the communication from the redis_exporter to the redis instance (you're correct, TLS would help with this) but the plain text http request from the Prometheus server to the redis_exporter.

The paragraph from the README only applies to single-instance configs and doesn't extend to the multiple-instance scraping viz the /scrape endpoint, i should make that more clear in the docs.

[ceshihao]

I see your reason, thanks.
It seems that I have to start multiple redis_exporter for /scrape if instances with different passwords, although it is a little ungraceful.

[oliver006]

Yeah, sorry this is a bit more inconvenient. If enough people complain about this and are affected by it then we can see what options we have but so far it's not been much of an issue.

[roman-vynar]

Same here, we don't have the same password for redis instances and running multiple redis_exporter is not efficient.
Back to my original complaint #256 (comment)
May be we can pass the password in params. In our case it is https traffic between redis_exporter behind nginx and prometheus anyway.

[rhuddleston]

I agree that we should again support multiple instances with different passwords as it's a common use case.

[linuxhub]

I agree that we should again support multiple instances with different passwords as it's a common use case.
we don't have the same password for redis instances and running multiple redis_exporter is not efficient.

[linuxhub]

Multiple instances with different passwords

Build Docker images: linuxhub/redis_exporter:v1.1.0-alpine-auth

docker run -d \
 --restart=always \
 --name redis_exporter \
 -p 9121:9121 \
 linuxhub/redis_exporter:v1.1.0-alpine-auth

Use sample

# No password authentication
curl http://127.0.0.1:9121/scrape?target=redis://192.168.10.115:6379

# Enable password authentication
curl http://127.0.0.1:9121/scrape?target=redis://h:[email protected]:6379

Not recommended, will reveal the password!

[oliver006]

Right, that's the problem, the password will be everywhere as it's part of the target now.

I think you could use a post scrape relabel config to get rid of it but not sure what the regex would look like.

[roman-vynar]

You can relabel to hide password from Target labels but it is still to be shown under Discovered labels.

[roman-vynar]

We should bring back redis multi-instance monitoring support as it was before.

Those "theoretical" best practices do not make sense: running multiple redis_exporters is not efficient, using the same password for all redis instances everyone understands what, providing passwords in URL is even worse.

[miaocbin]

how to monitor redis-cluster by redis_exporter ?

[oliver006]

@miaocbin - have an exporter scrape each of the redis instances

[bigHave]

any ideas how to scrape like thousand redis instances with thousands passwords?

[roman-vynar]

To use this fork #332

[oliver006]

any ideas how to scrape like thousand redis instances with thousands passwords?

It really depends on what your infrastructure looks like,where and how you run those thousands of instances, how you run your service discovery, etc etc

[dotbalo]

This is how I did it. It is not very good, but it works, and the Redis password will not be seen in the Prometheus web console.
I changed exporter.go, it will read system variables to get the password of the target.But there are requirements for Prometheus configuration. If the address of Redis is redis-test.default:6379, then you need to add a variable to the exporter container, the variable name is redis_test_default, and the value of the variable is the password of Redis. Need to change "-" and "." into "_" . If there is no password, there is no need to configure container variables.

Such as:

- job_name: "redis_exporter"
  static_configs:
      - targets:
        - redis-has-password.default:6379
        - redis://redis-no-password.default:6379
  metrics_path: /scrape
  relabel_configs:
      - source_labels: [__address__]
        target_label: __param_target
      - source_labels: [__param_target]
        target_label: instance
      - source_labels: [instance]
        target_label: addr
      - target_label: __address__
        replacement: redis-exporter-auth:9121

redis-exporter.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: redis-exporter-auth
  name: redis-exporter-auth
  namespace: monitoring
spec:
  replicas: 1
  selector:
    matchLabels:
      app: redis-exporter-auth
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: redis-exporter-auth
    spec:
      containers:
      - env:
        - name: TZ
          value: Asia/Shanghai
        - name: LANG
          value: C.UTF-8
        - name: redis_has_password_default
          value: PASSWORD_FOR_REDIS
        image: dotbalo/redis-exporter:password-env
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 2
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          tcpSocket:
            port: 9121
          timeoutSeconds: 2
        name: redis-exporter-auth
        ports:
        - containerPort: 9121
          name: web
          protocol: TCP
        readinessProbe:
          failureThreshold: 2
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          tcpSocket:
            port: 9121
          timeoutSeconds: 2
        resources:
          limits:
            cpu: 100m
            memory: 256Mi
          requests:
            cpu: 50m
            memory: 128Mi
      dnsPolicy: ClusterFirst
      restartPolicy: Always

[oliver006]

Closing this, it's been > 1.5 years since 1.x has been released.