Allow prometheus to use wireguard or direct external connections
authorTom Hughes <tom@compton.nu>
Wed, 16 Sep 2020 16:19:37 +0000 (17:19 +0100)
committerTom Hughes <tom@compton.nu>
Wed, 16 Sep 2020 16:19:37 +0000 (17:19 +0100)
cookbooks/networking/libraries/ipaddresses.rb
cookbooks/prometheus/recipes/default.rb
cookbooks/prometheus/recipes/server.rb
cookbooks/prometheus/resources/exporter.rb

index 9fde5610be525b6a40bf91d8bb418e13f4e5e347..67c89d052192e6574df873751e3a44ea63b42d99 100644 (file)
@@ -18,12 +18,12 @@ class Chef
       addresses
     end
 
-    def internal_ipaddress
-      ipaddresses(:role => :internal).first
+    def internal_ipaddress(options = {})
+      ipaddresses(options.merge(:role => :internal)).first
     end
 
-    def external_ipaddress
-      ipaddresses(:role => :external).first
+    def external_ipaddress(options = {})
+      ipaddresses(options.merge(:role => :external)).first
     end
   end
 end
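Review bot: `options.merge(:role => :internal)` silently discards any `:role` a caller passes, because the merge argument wins over the caller's hash; the same holds for `external_ipaddress` two lines further down. If that is the intent, a one-line comment on each method saves a reader from passing `:role` and wondering why it is ignored, e.g. `# :role is fixed here; other ipaddresses options (such as :family) pass through`. Since `merge` returns a new hash the caller's `options` is not mutated, which is worth stating too. The enclosing `class Chef` and the `ipaddresses` method both methods call start outside the hunk.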
index 824af896cae5d1e943be68b7e2406fae9c03e5e3..ad0a95a0aa76ec9f2901ac19aceaf72d68242194 100644 (file)
 # limitations under the License.
 #
 
+include_recipe "networking"
+
+if node.internal_ipaddress
+  node.default[:prometheus][:mode] = "internal"
+  node.default[:prometheus][:address] = node.internal_ipaddress
+elsif node[:networking][:wireguard][:enabled]
+  node.default[:prometheus][:mode] = "wireguard"
+  node.default[:prometheus][:address] = node[:networking][:wireguard][:address]
+
+  search(:node, "roles:prometheus") do |server|
+    node.default[:networking][:wireguard][:peers] << {
+      :public_key => server[:networking][:wireguard][:public_key],
+      :allowed_ips => server[:networking][:wireguard][:address],
+      :endpoint => "#{server.name}:51820"
+    }
+  end
+else
+  node.default[:prometheus][:mode] = "external"
+  node.default[:prometheus][:address] = node.external_ipaddress(:family => :inet)
+end
+
 prometheus_exporter "node" do
   port 9100
   package_options "--no-install-recommends"
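Review bot: The external branch pins `node.external_ipaddress(:family => :inet)` but the internal branch calls `node.internal_ipaddress` with no family, so if `ipaddresses` can return an IPv6 address first, `node[:prometheus][:address]` would be IPv6 there while exporter.rb builds `"#{node[:prometheus][:address]}:#{new_resource.port}"` from it, which needs brackets for IPv6. If IPv4 is intended for every mode, passing `:family => :inet` on the internal call as well (and confirming the wireguard address is a single host address) keeps the listen string well-formed. In the wireguard branch a prometheus server returned by the search that has not yet published `[:networking][:wireguard][:public_key]` is appended as a peer with a nil key; `next unless server[:networking][:wireguard][:public_key]` before the append would skip it. Whether `node.default[:networking][:wireguard][:peers]` is already an array here depends on the `networking` recipe included above, which is outside this diff.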
index 1e164cd1d3c751faf4d502034dc4e64a345a5532..e10e9e4ceef1eb18ecf08c61f3009dfeda0e4a85 100644 (file)
 
 include_recipe "apache"
 include_recipe "apt"
+include_recipe "networking"
 
 passwords = data_bag_item("prometheus", "passwords")
 
 package "prometheus"
 
-clients = search(:node, "recipes:prometheus\\:\\:default").sort_by(&:name)
+jobs = {}
+
+search(:node, "recipes:prometheus\\:\\:default").sort_by(&:name).each do |client|
+  if client[:prometheus][:mode] == "wireguard"
+    node.default[:networking][:wireguard][:peers] << {
+      :public_key => client[:networking][:wireguard][:public_key],
+      :allowed_ips => client[:networking][:wireguard][:address],
+      :endpoint => "#{client.name}:51820"
+    }
+  end
 
-prometheus_jobs = clients.sort_by(&:name).each_with_object({}) do |client, jobs|
   client[:prometheus][:exporters].each do |name, address|
     jobs[name] ||= []
     jobs[name] << { :address => address, :name => client.name }
@@ -38,7 +47,7 @@ template "/etc/prometheus/prometheus.yml" do
   owner "root"
   group "root"
   mode "644"
-  variables :jobs => prometheus_jobs
+  variables :jobs => jobs
 end
 
 service "prometheus" do
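Review bot: In the first hunk every node running prometheus::default in wireguard mode becomes a peer with `:allowed_ips` taken directly from its own `[:networking][:wireguard][:address]`, so the addresses the server routes into the tunnel are controlled by each client's own node data; if that attribute can carry a prefix wider than one host, a client could claim another client's address. It is worth confirming the attribute is always a host address (a /32 or /128) or normalising it before the append. As in the client recipe, a client that has not published a `public_key` yet is written as a peer with a nil key; changing the condition to `if client[:prometheus][:mode] == "wireguard" && client[:networking][:wireguard][:public_key]` avoids emitting a broken peer while still collecting that client's jobs. The `search(...).each do |client|` block opened here closes outside the hunk, and the second hunk only renames the template variable.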
index 8bbf1e5a4fb6fcbb8f24f11cb9f155948dff36d5..c75248f99f559311a123b92c5e11eeaba3d5e693 100644 (file)
@@ -45,6 +45,15 @@ action :create do
     subscribes :restart, "template[#{defaults_name}]"
   end
 
+  firewall_rule "accept-prometheus-#{new_resource.name}" do
+    action :accept
+    source "osm"
+    dest "fw"
+    proto "tcp:syn"
+    dest_ports new_resource.port
+    only_if { node[:prometheus][:mode] == "external" }
+  end
+
   node.default[:prometheus][:exporters][new_resource.exporter] = listen_address
 end
 
@@ -68,7 +77,7 @@ action_class do
   end
 
   def listen_address
-    "#{node.internal_ipaddress}:#{new_resource.port}"
+    "#{node[:prometheus][:address]}:#{new_resource.port}"
   end
 
   def service_name
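Review bot: The `firewall_rule` in the first hunk has no counterpart for leaving external mode: with `only_if { node[:prometheus][:mode] == "external" }` the accept rule is simply not declared on a node that later moves to internal or wireguard mode, which is correct if the firewall cookbook regenerates the whole ruleset from the rules declared in each run, but leaves the exporter port open from `source "osm"` if it only ever adds rules. A comment stating which holds would help, e.g. `# Only needed while exporters listen on the external address; the rule is dropped from the generated ruleset in other modes`. The rule also admits the whole `osm` source set rather than the prometheus server alone, which is wider than the internal and wireguard modes expose; noting that trade-off in the same comment would help the next reader. In `listen_address` (second hunk) `"#{node[:prometheus][:address]}:#{new_resource.port}"` assumes an IPv4 literal or hostname; an IPv6 address would need `[...]` brackets. Both `action :create` and `action_class` begin outside the hunks.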