prometheus-nats-exporter-fips

Chainguard Container for prometheus-nats-exporter-fips

FIPS-compliant Wolfi-based Prometheus NATS Exporter image for exporting NATS metrics to Prometheus.

Chainguard Containers are regularly-updated, secure-by-default container images.

Download this Container Image

For those with access, this container image is available on cgr.dev:

docker pull cgr.dev/ORGANIZATION/prometheus-nats-exporter-fips:latest

Be sure to replace the ORGANIZATION placeholder with the name used for your organization's private repository within the Chainguard Registry.

Compatibility Notes

Chainguard's prometheus-nats-exporter-fips container image is comparable to the natsio/prometheus-nats-exporter image on Docker Hub, with the following differences:

• Like all other Chainguard Containers, prometheus-nats-exporter-fips features a stripped-down, minimal design
• It has few-to-zero CVEs
• It does not run as the root user (runs as UID 65532)
• It does not include a shell or package manager in the production image (use the -dev variant for debugging)

FIPS Support

The prometheus-nats-exporter-fips Chainguard Image ships with a validated redistribution of OpenSSL's FIPS provider module. For more on FIPS support in Chainguard Images, consult the guide on FIPS-enabled Chainguard Images on Chainguard Academy.

Supported NATS Versions

The exporter is compatible with NATS Server 2.x and works with:

• NATS Server monitoring endpoints (/varz, /connz, /routez, /subsz)
• NATS Streaming Server monitoring endpoints
• JetStream metrics (NATS Server 2.2+)

Prometheus Integration

The exporter exposes metrics on port 7777 (default) and is compatible with:

• Prometheus 2.x and later
• Standard Prometheus scrape configurations
• Kubernetes ServiceMonitor resources (for Prometheus Operator)

Getting Started

The prometheus-nats-exporter-fips can be run as a standalone container or deployed to Kubernetes. It connects to a NATS server's monitoring endpoint and exposes Prometheus metrics on port 7777.

Running with Docker

To run the exporter with a local NATS server:

docker run -d \
  --name nats-exporter \
  -p 7777:7777 \
  cgr.dev/ORGANIZATION/prometheus-nats-exporter-fips:latest \
  -varz http://nats-server:8222

Once running, you can verify the exporter is working by checking the metrics endpoint:

curl http://localhost:7777/metrics

# HELP gnatsd_varz_connections Current number of client connections
# TYPE gnatsd_varz_connections gauge
gnatsd_varz_connections 0
# HELP gnatsd_varz_in_msgs Number of messages received
# TYPE gnatsd_varz_in_msgs counter
gnatsd_varz_in_msgs 0
...

Deploying to Kubernetes with Helm

The recommended way to deploy prometheus-nats-exporter-fips to Kubernetes is using the official Helm chart. First, create a values file:

cat > nats-exporter-values.yaml <<EOF
image:
  repository: cgr.dev/ORGANIZATION/prometheus-nats-exporter-fips
  tag: latest

natsUrl: http://nats:8222

serviceMonitor:
  enabled: true
  interval: 30s
EOF

Then install the chart:

helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo update
helm install nats-exporter prometheus-community/prometheus-nats-exporter \
  -f nats-exporter-values.yaml

Verify the deployment:

kubectl get pods -l app.kubernetes.io/name=prometheus-nats-exporter

NAME                                     READY   STATUS    RESTARTS   AGE
nats-exporter-prometheus-nats-exporter   1/1     Running   0          30s

Monitoring Multiple NATS Endpoints

The exporter can monitor multiple NATS server endpoints simultaneously. Create a values file with multiple endpoints:

cat > nats-exporter-multi.yaml <<EOF
image:
  repository: cgr.dev/ORGANIZATION/prometheus-nats-exporter-fips
  tag: latest

config:
  varz: http://nats-1:8222,http://nats-2:8222,http://nats-3:8222
  connz: true
  routez: true
  subz: true
EOF

Configuration

The prometheus-nats-exporter-fips supports various configuration options to customize metric collection:

Command-Line Flags

The most commonly used flags are:

• -varz <url> - Monitor NATS server variables endpoint (comma-separated list for multiple servers)
• -channelz <url> - Monitor NATS Streaming channel metrics
• -connz <url> - Monitor connection metrics
• -routez <url> - Monitor route metrics
• -subz <url> - Monitor subscription metrics
• -http_port <port> - HTTP server port for metrics (default: 7777)

Environment Variables

Configuration can also be provided via environment variables when running in containers:

docker run -d \
  -p 7777:7777 \
  -e VARZ_URL=http://nats-server:8222 \
  -e CONNZ_URL=http://nats-server:8222 \
  cgr.dev/ORGANIZATION/prometheus-nats-exporter-fips:latest

Prometheus Scrape Configuration

To configure Prometheus to scrape the exporter, add the following to your prometheus.yml:

scrape_configs:
  - job_name: 'nats'
    static_configs:
      - targets: ['nats-exporter:7777']

When using the Prometheus Operator with the Helm chart, enable the ServiceMonitor in your values file:

serviceMonitor:
  enabled: true
  interval: 30s
  scrapeTimeout: 10s
  labels:
    release: prometheus

This configuration instructs Prometheus to scrape NATS metrics every 30 seconds with a 10-second timeout.

Documentation and Resources

For more information about working with the prometheus-nats-exporter-fips image:

• prometheus-nats-exporter GitHub Repository - Official documentation and source code
• NATS Server Monitoring Documentation - Details on NATS monitoring endpoints
• Prometheus Documentation - General Prometheus concepts and configuration
• FIPS-enabled Chainguard Images - Learn about FIPS compliance in Chainguard Images
• Chainguard Academy - Learn more about working with Chainguard Images

What are Chainguard Containers?

Chainguard's free tier of Starter container images are built with Wolfi, our minimal Linux undistro.

All other Chainguard Containers are built with Chainguard OS, Chainguard's minimal Linux operating system designed to produce container images that meet the requirements of a more secure software supply chain.

The main features of Chainguard Containers include:

• Minimal design, without unnecessary software bloat
• Daily builds to ensure container images are up-to-date with available security patches
• High quality build-time SBOMs attesting to the provenance of all artifacts within the image
• Verifiable signatures provided by Sigstore
• Reproducible builds with Cosign and apko (read more about reproducibility)

For cases where you need container images with shells and package managers to build or debug, most Chainguard Containers come paired with a development, or -dev, variant.

In all other cases, including Chainguard Containers tagged as :latest or with a specific version number, the container images include only an open-source application and its runtime dependencies. These minimal container images typically do not contain a shell or package manager.

Although the -dev container image variants have similar security features as their more minimal versions, they include additional software that is typically not necessary in production environments. We recommend using multi-stage builds to copy artifacts from the -dev variant into a more minimal production image.

Need additional packages?

To improve security, Chainguard Containers include only essential dependencies. Need more packages? Chainguard customers can use Custom Assembly to add packages, either through the Console, chainctl, or API.

To use Custom Assembly in the Chainguard Console: navigate to the image you'd like to customize in your Organization's list of images, and click on the Customize image button at the top of the page.

Learn More

Refer to our Chainguard Containers documentation on Chainguard Academy. Chainguard also offers VMs and Libraries — contact us for access.

Trademarks

This software listing is packaged by Chainguard. The trademarks set forth in this offering are owned by their respective companies, and use of them does not imply any affiliation, sponsorship, or endorsement by such companies.