From 45951d86d191d27df9b242df222057737ae0f6e2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 23 Jan 2024 17:51:59 +0200 Subject: [PATCH] Add mash_playbook_metrics_exposure_* variables and integrate with prometheus-node-exporter and apisix-gateway --- docs/services/prometheus-node-exporter.md | 12 ++++++------ roles/mash/playbook_base/defaults/main.yml | 9 +++++++++ .../playbook_base/tasks/validate_config.yml | 10 ++++++---- templates/group_vars_mash_servers | 18 +++++++++++++----- 4 files changed, 34 insertions(+), 15 deletions(-) diff --git a/docs/services/prometheus-node-exporter.md b/docs/services/prometheus-node-exporter.md index 7496639..75b74a3 100644 --- a/docs/services/prometheus-node-exporter.md +++ b/docs/services/prometheus-node-exporter.md @@ -18,12 +18,12 @@ prometheus_node_exporter_enabled: true # To expose the metrics publicly, enable and configure the lines below: # prometheus_node_exporter_hostname: mash.example.com -# prometheus_node_exporter_path_prefix: /metrics/node-exporter +# prometheus_node_exporter_path_prefix: /metrics/mash-prometheus-node-exporter -# To protect the metrics with HTTP Basic Auth, enable and configure the lines below: -# prometheus_node_exporter_basicauth_enabled: true -# prometheus_node_exporter_basicauth_user: your_username -# prometheus_node_exporter_basicauth_password: your password +# To protect the metrics with HTTP Basic Auth, enable and configure the lines below. +# See: https://doc.traefik.io/traefik/middlewares/http/basicauth/#users +# prometheus_node_exporter_container_labels_metrics_middleware_basic_auth_enabled: true +# prometheus_node_exporter_container_labels_metrics_middleware_basic_auth_users: '' ######################################################################## # # 
@@ -36,6 +36,6 @@ Unless you're scraping the Prometheus Node Exporter metrics from a local [Promet ## Usage -After you installed the node exporter, your node stats will be available on `mash.example.com/metrics/node-exporter` with basic auth credentials you configured +After you installed the node exporter, your node stats will be available on `mash.example.com/metrics/mash-prometheus-node-exporter` with the basic auth credentials you configured. To integrate Prometheus Node Exporter with a [Prometheus](prometheus.md) instance, see the [Integrating with Prometheus Node Exporter](prometheus.md#integrating-with-prometheus-node-exporter) section of the documentation. diff --git a/roles/mash/playbook_base/defaults/main.yml b/roles/mash/playbook_base/defaults/main.yml index bd383d3..2a13fba 100644 --- a/roles/mash/playbook_base/defaults/main.yml +++ b/roles/mash/playbook_base/defaults/main.yml @@ -72,3 +72,12 @@ mash_playbook_traefik_labels_enabled: "{{ mash_playbook_reverse_proxy_type in [' # Controls the additional network that reverse-proxyable services will be connected to. mash_playbook_reverse_proxyable_services_additional_network: "{{ devture_traefik_container_network if devture_traefik_enabled else '' }}" + +# Controls whether various services should expose metrics publicly. +# If Prometheus is operating on the same machine, exposing metrics publicly is not necessary. +mash_playbook_metrics_exposure_enabled: false +mash_playbook_metrics_exposure_hostname: '' +mash_playbook_metrics_exposure_path_prefix: /metrics +mash_playbook_metrics_exposure_http_basic_auth_enabled: false +# See https://doc.traefik.io/traefik/middlewares/http/basicauth/#users +mash_playbook_metrics_exposure_http_basic_auth_users: '' diff --git a/roles/mash/playbook_base/tasks/validate_config.yml b/roles/mash/playbook_base/tasks/validate_config.yml index e91b952..2825e79 100644 --- a/roles/mash/playbook_base/tasks/validate_config.yml +++ b/roles/mash/playbook_base/tasks/validate_config.yml 
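Review bot: In roles/mash/playbook_base/defaults/main.yml, `mash_playbook_metrics_exposure_http_basic_auth_enabled` defaults to `false` independently of `mash_playbook_metrics_exposure_enabled`. Turning exposure on therefore publishes metrics without authentication unless the operator also sets both basic-auth variables, and the added comment does not say so. I would extend the comment above the block with something like `# Enabling exposure does NOT enable authentication; also set mash_playbook_metrics_exposure_http_basic_auth_enabled and mash_playbook_metrics_exposure_http_basic_auth_users.` The comment on `..._http_basic_auth_users` could also state the expected format (htpasswd-style `name:hashed-password` entries, per the linked Traefik page) so that a plain-text password is not pasted there.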
@@ -1,12 +1,14 @@ --- -- name: Fail if required mash playbook settings not defined +- name: Fail if required mash-playbook settings not defined ansible.builtin.fail: msg: >- - You need to define a required configuration setting (`{{ item }}`) for using this role. - when: "vars[item] == ''" + You need to define a required configuration setting (`{{ item.name }}`). + when: "item.when | bool and vars[item.name] == ''" with_items: - - mash_playbook_generic_secret_key + - {'name': 'mash_playbook_generic_secret_key', 'when': true} + - {'name': 'mash_playbook_generic_secret_key', 'when': true} + - {'name': 'mash_playbook_metrics_exposure_hostname', 'when': "{{ mash_playbook_metrics_exposure_enabled }}"} - name: Fail if mash_playbook_reverse_proxy_type is set incorrectly ansible.builtin.fail: diff --git a/templates/group_vars_mash_servers b/templates/group_vars_mash_servers index f1b311b..2dfd2c8 100644 --- a/templates/group_vars_mash_servers +++ b/templates/group_vars_mash_servers 
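Review bot: The `with_items` list now requires the exposure hostname, but nothing rejects `mash_playbook_metrics_exposure_http_basic_auth_enabled: true` combined with the default empty `mash_playbook_metrics_exposure_http_basic_auth_users`. How the middleware behaves with an empty user list is not visible here, so I would fail early by adding `- {'name': 'mash_playbook_metrics_exposure_http_basic_auth_users', 'when': "{{ mash_playbook_metrics_exposure_http_basic_auth_enabled }}"}`. The `mash_playbook_generic_secret_key` entry is also listed twice; one copy can be dropped. The task file continues outside the hunk.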
@@ -1187,6 +1187,12 @@ apisix_gateway_container_labels_traefik_docker_network: "{{ mash_playbook_revers apisix_gateway_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" apisix_gateway_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" +apisix_gateway_container_labels_metrics_enabled: "{{ prometheus_enabled | default(false) or mash_playbook_metrics_exposure_enabled }}" +apisix_gateway_container_labels_metrics_hostname: "{{ mash_playbook_metrics_exposure_hostname }}" +apisix_gateway_container_labels_metrics_path_prefix: "{{ mash_playbook_metrics_exposure_path_prefix }}/{{ apisix_gateway_identifier }}" +apisix_gateway_container_labels_metrics_middleware_basic_auth_enabled: "{{ mash_playbook_metrics_exposure_http_basic_auth_enabled }}" +apisix_gateway_container_labels_metrics_middleware_basic_auth_users: "{{ mash_playbook_metrics_exposure_http_basic_auth_users }}" + # role-specific:etcd apisix_gateway_config_deployment_etcd_host: | {{ @@ -3763,7 +3769,7 @@ prometheus_postgres_exporter_systemd_required_services_list: | ######################################################################## # # -# /prometheus_node_exporter # +# /prometheus_postgres_exporter # # # ######################################################################## # /role-specific:prometheus_postgres_exporter 
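Review bot: In the apisix_gateway hunk, `apisix_gateway_container_labels_metrics_enabled` becomes true whenever `prometheus_enabled` is set, even with `mash_playbook_metrics_exposure_enabled: false`. In that case `apisix_gateway_container_labels_metrics_hostname` renders as the empty default, and validate_config.yml only requires the hostname when exposure is enabled. If these labels define the public Traefik route for metrics (the role is not visible here), a local-Prometheus setup would get a route it did not ask for, with basic auth off by default. Consider tying the labels to exposure only, `apisix_gateway_container_labels_metrics_enabled: "{{ mash_playbook_metrics_exposure_enabled }}"`, and keeping `prometheus_enabled` for whichever variable turns the metrics endpoint itself on.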
@@ -3898,15 +3904,13 @@ prometheus_node_exporter_enabled: false prometheus_node_exporter_identifier: "{{ mash_playbook_service_identifier_prefix }}prometheus-node-exporter" +prometheus_node_exporter_path_prefix: "{{ mash_playbook_metrics_exposure_path_prefix }}/{{ prometheus_node_exporter_identifier }}" + prometheus_node_exporter_base_path: "{{ mash_playbook_base_path }}/{{ mash_playbook_service_base_directory_name_prefix }}prometheus-node-exporter" prometheus_node_exporter_uid: "{{ mash_playbook_uid }}" prometheus_node_exporter_gid: "{{ mash_playbook_gid }}" -prometheus_node_exporter_basicauth_enabled: "{{ prometheus_node_exporter_container_labels_traefik_enabled }}" -prometheus_node_exporter_basicauth_user: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'node.user', rounds=655555) | to_uuid }}" -prometheus_node_exporter_basicauth_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'node.password', rounds=655555) | to_uuid }}" - prometheus_node_exporter_container_additional_networks: | {{ ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else []) @@ -3918,6 +3922,9 @@ prometheus_node_exporter_container_labels_traefik_docker_network: "{{ mash_playb prometheus_node_exporter_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}" prometheus_node_exporter_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}" +prometheus_node_exporter_container_labels_metrics_middleware_basic_auth_enabled: "{{ mash_playbook_metrics_exposure_http_basic_auth_enabled }}" +prometheus_node_exporter_container_labels_metrics_middleware_basic_auth_users: "{{ mash_playbook_metrics_exposure_http_basic_auth_users }}" + prometheus_node_exporter_process_extra_arguments: - "--collector.disable-defaults" - "--collector.cpu" 
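Review bot: The removed `prometheus_node_exporter_basicauth_*` lines turned Basic Auth on automatically whenever the Traefik labels were enabled, with credentials derived from `mash_playbook_generic_secret_key`. The replacement `prometheus_node_exporter_container_labels_metrics_middleware_basic_auth_enabled` (second hunk on this line) follows the global default of `false`. An existing inventory that exposes node-exporter and relied on the old default, or that still sets the old variable names, would presumably end up serving metrics unauthenticated after upgrading, with no error. I would add a task to validate_config.yml that fails when any of `prometheus_node_exporter_basicauth_enabled`, `prometheus_node_exporter_basicauth_user` or `prometheus_node_exporter_basicauth_password` is still defined, and have its message point to the new variables.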
@@ -3925,6 +3932,7 @@ prometheus_node_exporter_process_extra_arguments: - "--collector.meminfo" - "--collector.systemd" - "--collector.uname" + prometheus_node_exporter_container_extra_arguments: - "--security-opt apparmor=unconfined" - "--mount type=bind,src=/var/run/dbus/system_bus_socket,dst=/var/run/dbus/system_bus_socket,ro,bind-propagation=rslave"