# limitations under the License.
#
+unified_mode true
+
default_action :create
property :exporter, :kind_of => String, :name_property => true
+property :address, :kind_of => String
property :port, :kind_of => Integer, :required => [:create]
property :listen_switch, :kind_of => String, :default => "web.listen-address"
property :listen_type, :kind_of => String, :default => "address"
-property :user, :kind_of => String, :default => "root"
+property :user, :kind_of => String
+property :group, :kind_of => String
property :command, :kind_of => String
property :options, :kind_of => [String, Array]
property :environment, :kind_of => Hash, :default => {}
+property :protect_proc, String
+property :proc_subset, String
+property :capability_bounding_set, [String, Array]
+property :ambient_capabilities, [String, Array]
+property :private_devices, [true, false]
+property :private_users, [true, false]
+property :protect_clock, [true, false]
+property :restrict_address_families, [String, Array]
+property :remove_ipc, [true, false]
+property :system_call_filter, [String, Array]
property :service, :kind_of => String
+property :labels, :kind_of => Hash, :default => {}
+property :scrape_interval, :kind_of => String
+property :scrape_timeout, :kind_of => String
+property :metric_relabel, :kind_of => Array
+property :register_target, :kind_of => [TrueClass, FalseClass], :default => true
+property :ssh, [true, false]
action :create do
+ if new_resource.ssh && new_resource.user.nil?
+ keys = data_bag_item("prometheus", "keys")
+
+ directory "/var/lib/private/prometheus/#{new_resource.exporter}-exporter" do
+ mode "700"
+ recursive true
+ end
+
+ file "/var/lib/private/prometheus/#{new_resource.exporter}-exporter/id_rsa" do
+ content keys["ssh"].join("\n")
+ mode "400"
+ end
+
+ cookbook_file "/var/lib/private/prometheus/#{new_resource.exporter}-exporter/id_rsa.pub" do
+ mode "644"
+ end
+ end
+
systemd_service service_name do
+ after "network-online.target"
+ wants "network-online.target"
description "Prometheus #{new_resource.exporter} exporter"
type "simple"
user new_resource.user
+ dynamic_user new_resource.user.nil?
+ group new_resource.group
environment new_resource.environment
exec_start "#{executable_path} #{new_resource.command} #{executable_options}"
- private_tmp true
- protect_system "strict"
- protect_home true
- no_new_privileges true
+ sandbox :enable_network => true
+ state_directory "prometheus/#{new_resource.exporter}-exporter" if new_resource.ssh && new_resource.user.nil?
+ protect_proc new_resource.protect_proc if new_resource.property_is_set?(:protect_proc)
+ proc_subset new_resource.proc_subset if new_resource.property_is_set?(:proc_subset)
+ capability_bounding_set new_resource.capability_bounding_set if new_resource.property_is_set?(:capability_bounding_set)
+ ambient_capabilities new_resource.ambient_capabilities if new_resource.property_is_set?(:ambient_capabilities)
+ private_devices new_resource.private_devices if new_resource.property_is_set?(:private_devices)
+ private_users new_resource.private_users if new_resource.property_is_set?(:private_users)
+ protect_clock new_resource.protect_clock if new_resource.property_is_set?(:protect_clock)
+ restrict_address_families new_resource.restrict_address_families if new_resource.property_is_set?(:restrict_address_families)
+ remove_ipc new_resource.remove_ipc if new_resource.property_is_set?(:remove_ipc)
+ system_call_filter new_resource.system_call_filter if new_resource.property_is_set?(:system_call_filter)
end
service service_name do
firewall_rule "accept-prometheus-#{new_resource.exporter}" do
action :accept
- source "osm"
- dest "fw"
- proto "tcp:syn"
+ context :incoming
+ protocol :tcp
+ source :osm
dest_ports new_resource.port
only_if { node[:prometheus][:mode] == "external" }
end
- node.default[:prometheus][:exporters][new_resource.exporter] = listen_address
+ node.default[:prometheus][:addresses][new_resource.exporter] = listen_address
+
+ if new_resource.register_target
+ node.default[:prometheus][:exporters][new_resource.port] = {
+ :name => new_resource.exporter,
+ :address => listen_address,
+ :labels => new_resource.labels,
+ :scrape_interval => new_resource.scrape_interval,
+ :scrape_timeout => new_resource.scrape_timeout,
+ :metric_relabel => new_resource.metric_relabel
+ }
+ end
end
action :delete do
action :restart do
service service_name do
action :restart
+ only_if { service_exists? }
end
end
end
end
+ def service_exists?
+ ::File.exist?("/etc/systemd/system/#{service_name}.service")
+ end
+
def executable_path
- "/opt/prometheus/exporters/#{new_resource.exporter}/#{new_resource.exporter}_exporter"
+ if ::File.exist?("#{executable_directory}/#{executable_name}_#{executable_architecture}")
+ "#{executable_directory}/#{executable_name}_#{executable_architecture}"
+ else
+ "#{executable_directory}/#{executable_name}"
+ end
+ end
+
+ def executable_directory
+ "/opt/prometheus-exporters/exporters/#{new_resource.exporter}"
+ end
+
+ def executable_name
+ "#{new_resource.exporter}_exporter"
+ end
+
+ def executable_architecture
+ node[:kernel][:machine]
end
def executable_options
end
def listen_address
- if node[:prometheus][:mode] == "wireguard"
+ if new_resource.address
+ "#{new_resource.address}:#{new_resource.port}"
+ elsif node[:prometheus][:mode] == "wireguard"
"[#{node[:prometheus][:address]}]:#{new_resource.port}"
else
"#{node[:prometheus][:address]}:#{new_resource.port}"
end
def after_created
- subscribes :restart, "git[/opt/prometheus]"
+ subscribes :restart, "git[/opt/prometheus-exporters]"
end