From: Tom Hughes
Date: Wed, 16 Sep 2020 16:19:37 +0000 (+0100)
Subject: Allow prometheus to use wireguard or direct external connections
X-Git-Url: https://git.openstreetmap.org./chef.git/commitdiff_plain/acd1a016748bd3f8b47b370b9a7c15cbf44162f1?hp=c30bf38a3bc31371fd5a9da3ebc383bd6236b4d3
Allow prometheus to use wireguard or direct external connections
---
diff --git a/cookbooks/networking/libraries/ipaddresses.rb b/cookbooks/networking/libraries/ipaddresses.rb
index 9fde5610b..67c89d052 100644
--- a/cookbooks/networking/libraries/ipaddresses.rb
+++ b/cookbooks/networking/libraries/ipaddresses.rb
@@ -18,12 +18,12 @@ class Chef
 addresses
 end
- def internal_ipaddress
- ipaddresses(:role => :internal).first
+ def internal_ipaddress(options = {})
+ ipaddresses(options.merge(:role => :internal)).first
 end
- def external_ipaddress
- ipaddresses(:role => :external).first
+ def external_ipaddress(options = {})
+ ipaddresses(options.merge(:role => :external)).first
 end
 end
 end
diff --git a/cookbooks/prometheus/recipes/default.rb b/cookbooks/prometheus/recipes/default.rb
index 824af896c..ad0a95a0a 100644
--- a/cookbooks/prometheus/recipes/default.rb
+++ b/cookbooks/prometheus/recipes/default.rb
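Review bot: The new `options` parameter on `internal_ipaddress` and `external_ipaddress` is undocumented, and because `options.merge(:role => ...)` is applied on top of the caller's hash, a `:role` passed by the caller is silently overridden rather than rejected. A short comment on each method would make that contract explicit, e.g. `# @param options [Hash] extra filters passed through to ipaddresses (e.g. :family => :inet); :role is always forced` and `# @return the first matching address, or nil when nothing matches`. The nil return is worth spelling out because callers added in this commit (prometheus::default) use the result directly as a bind address.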
@@ -17,6 +17,27 @@
 # limitations under the License.
 #
+include_recipe "networking"
+
+if node.internal_ipaddress
+ node.default[:prometheus][:mode] = "internal"
+ node.default[:prometheus][:address] = node.internal_ipaddress
+elsif node[:networking][:wireguard][:enabled]
+ node.default[:prometheus][:mode] = "wireguard"
+ node.default[:prometheus][:address] = node[:networking][:wireguard][:address]
+
+ search(:node, "roles:prometheus") do |server|
+ node.default[:networking][:wireguard][:peers] << {
+ :public_key => server[:networking][:wireguard][:public_key],
+ :allowed_ips => server[:networking][:wireguard][:address],
+ :endpoint => "#{server.name}:51820"
+ }
+ end
+else
+ node.default[:prometheus][:mode] = "external"
+ node.default[:prometheus][:address] = node.external_ipaddress(:family => :inet)
+end
+
 prometheus_exporter "node" do
 port 9100
 package_options "--no-install-recommends"
diff --git a/cookbooks/prometheus/recipes/server.rb b/cookbooks/prometheus/recipes/server.rb
index 1e164cd1d..e10e9e4ce 100644
--- a/cookbooks/prometheus/recipes/server.rb
+++ b/cookbooks/prometheus/recipes/server.rb
@@ -19,14 +19,23 @@
 include_recipe "apache"
 include_recipe "apt"
+include_recipe "networking"
 passwords = data_bag_item("prometheus", "passwords")
 package "prometheus"
-clients = search(:node, "recipes:prometheus\\:\\:default").sort_by(&:name)
+jobs = {}
+
+search(:node, "recipes:prometheus\\:\\:default").sort_by(&:name).each do |client|
+ if client[:prometheus][:mode] == "wireguard"
+ node.default[:networking][:wireguard][:peers] << {
+ :public_key => client[:networking][:wireguard][:public_key],
+ :allowed_ips => client[:networking][:wireguard][:address],
+ :endpoint => "#{client.name}:51820"
+ }
+ end
-prometheus_jobs = clients.sort_by(&:name).each_with_object({}) do |client, jobs|
 client[:prometheus][:exporters].each do |name, address|
 jobs[name] ||= []
 jobs[name] << { :address => address, :name => client.name }
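Review bot: In the `else` branch, `node.external_ipaddress(:family => :inet)` is `ipaddresses(...).first` (first hunk of this commit) and so returns nil when the node has no external IPv4 address; `node[:prometheus][:address]` is then nil and `listen_address` in cookbooks/prometheus/resources/exporter.rb (last hunk) expands to `":9100"`, which for the usual exporter listen flag means every interface, while the new firewall rule still assumes a single external listener. Failing the run is safer than falling through: `address = node.external_ipaddress(:family => :inet)`, `raise "prometheus: no external IPv4 address to bind exporters to" unless address`, `node.default[:prometheus][:address] = address`. The wireguard branch has a similar gap: `server[:networking][:wireguard][:public_key]` is pushed into the peer list with no nil check, so a prometheus server whose saved attributes predate this change contributes a peer with a nil key (the client loop in cookbooks/prometheus/recipes/server.rb has the same shape and would want the same guard, e.g. `next unless server[:networking][:wireguard][:public_key]`). The peer `:endpoint` is built from `server.name`, which presumably has to resolve in DNS on the client; a one-line comment saying so would help.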
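Review bot: The peers are appended to `node.default[:networking][:wireguard][:peers]` after `include_recipe "networking"` has already been compiled, so this relies on the networking recipe reading that attribute lazily at converge time; if it reads it during compile, these entries are missed — not visible in this hunk, worth confirming. The peer data (`:public_key`, `:allowed_ips`, and the `:endpoint` built from `client.name`) is taken straight from each client's saved node attributes via `search`, so as far as I can tell any node that can save `prometheus.mode = "wireguard"` on itself is admitted as a wireguard peer with whatever `allowed_ips` it reports; a comment above the loop stating that trust assumption would be useful, e.g. `# Peer entries are trusted exactly as far as each client's saved node attributes are.` The `.each do |client|` block opened here closes outside the hunk.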
@@ -38,7 +47,7 @@ template "/etc/prometheus/prometheus.yml" do
 owner "root"
 group "root"
 mode "644"
- variables :jobs => prometheus_jobs
+ variables :jobs => jobs
 end
 service "prometheus" do
diff --git a/cookbooks/prometheus/resources/exporter.rb b/cookbooks/prometheus/resources/exporter.rb
index 8bbf1e5a4..c75248f99 100644
--- a/cookbooks/prometheus/resources/exporter.rb
+++ b/cookbooks/prometheus/resources/exporter.rb
@@ -45,6 +45,15 @@ action :create do
 subscribes :restart, "template[#{defaults_name}]"
 end
+ firewall_rule "accept-prometheus-#{new_resource.name}" do
+ action :accept
+ source "osm"
+ dest "fw"
+ proto "tcp:syn"
+ dest_ports new_resource.port
+ only_if { node[:prometheus][:mode] == "external" }
+ end
+
 node.default[:prometheus][:exporters][new_resource.exporter] = listen_address
 end
@@ -68,7 +77,7 @@ action_class do
 end
 def listen_address
- "#{node.internal_ipaddress}:#{new_resource.port}"
+ "#{node[:prometheus][:address]}:#{new_resource.port}"
 end
 def service_name
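Review bot: The new `firewall_rule` opens each exporter's port to the `osm` source whenever the node is in "external" mode, but nothing records why the "internal" and "wireguard" modes need no rule; a comment above the resource would save the next reader from guessing, e.g. `# External mode is the only one whose listener sits on a public address, so it alone needs a firewall rule` — assuming that is indeed the reasoning. Note also that `only_if` is evaluated at converge time, so `node[:prometheus][:mode]` must already be set when this resource runs; in this commit it is set at the top of prometheus::default ahead of the `prometheus_exporter` calls there, but any other caller of `prometheus_exporter` that does not include that recipe would see a nil mode and silently get no rule. The `action :create` block continues outside the hunk.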
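Review bot: `listen_address` now depends on an attribute populated in a different cookbook recipe rather than on a node method, and that cross-file dependency deserves a comment, e.g. `# node[:prometheus][:address] is chosen in prometheus::default (internal, wireguard or external mode)`. The `action_class do` block this method lives in opens and closes outside the hunk.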