commit e42f1f6b9a28228c3c4d5c08b16c1c068e9b6d3b
Author: nd
Date: Fri May 22 14:47:25 2020 +0200
Initial commit
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..e69de29
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..1ddc36b
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,10 @@
+prometheus_agent:
+ tls:
+ mode: stunnel
+ manage: yes
+ pki: ~
+ args:
+ 'web.listen-address': "[::1]:9100"
+ scrapers: {}
+ ansible_groups_as_labels: False
+ labels: {}
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..b9c213a
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,9 @@
+- name: restart node-exporter
+ service:
+ name: prometheus-node-exporter
+ state: restarted
+
+- name: restart stunnel
+ service:
+ name: stunnel4
+ state: restarted
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..eec3d69
--- /dev/null
+++ b/tasks/main.yml
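Review bot: `manage: yes` and `ansible_groups_as_labels: False` use YAML 1.1 truthy spellings that linters flag and that read inconsistently next to each other; write `manage: true` and `ansible_groups_as_labels: false`, and `pki: null` rather than `~`. The `tls.pki` key is not read by any task in this commit, so a short comment saying what it is reserved for (or dropping it until it is used) would help the next maintainer. The quoted `'web.listen-address': "[::1]:9100"` keeps the exporter bound to loopback with stunnel terminating TLS in front of it; a comment stating that this is deliberate would stop someone widening it to all interfaces later.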
@@ -0,0 +1,73 @@
+- name: install node-exporter
+ apt:
+ pkg: prometheus-node-exporter
+
+- name: manage tls
+ when: prometheus_agent.tls.manage
+ block:
+ - set_fact:
+ inventory_certs: "{{ certificates.certs|d({}) }}"
+ prometheus_certs: |
+ {
+ 'prometheus_agent': {
+ 'san': ['{{ inventory_hostname }}'],
+ 'backend': 'selfsigned'
+ }
+ }
+ - include_role:
+ name: certificates
+ vars:
+ certificates:
+ certs: "{{ {}|combine(prometheus_certs, inventory_certs, recursive=True) }}"
+
+- name: copy node-exporter config
+ template:
+ src: node-exporter.j2
+ dest: /etc/default/prometheus-node-exporter
+ notify: restart node-exporter
+
+- name: slurp up all scraper certs
+ loop: "{{ prometheus_agent.scrapers.keys()|list }}"
+ delegate_to: "{{ item }}"
+ slurp:
+ src: /etc/ssl/prometheus_scraper.crt
+ register: scrapercertfiles
+
+- name: slurp up agent cert
+ slurp:
+ src: /etc/ssl/prometheus_agent.crt
+ register: agentcertfiles
+
+- name: setup stunnel client
+ when: prometheus_agent.tls.mode == "stunnel"
+ block:
+ - name: install stunnel
+ apt:
+ pkg: stunnel
+ - name: copy scraper ssl certs
+ loop: "{{ scrapercertfiles.results }}"
+ copy:
+ content: "{{ item.content | b64decode }}"
+ dest: "/etc/ssl/scraper_{{ item.item }}.crt"
+ - name: copy stunnel config
+ template:
+ src: stunnel-client.conf.j2
+ dest: /etc/stunnel/prometheus-agent.conf
+ notify: restart stunnel
+ - name: copy agent certs to scrapers
+ loop: "{{ prometheus_agent.scrapers.keys()|list }}"
+ delegate_to: "{{ item }}"
+ copy:
+ content: "{{ agentcertfiles.content | b64decode }}"
+ dest: "/etc/prometheus/targetcerts/{{ inventory_hostname }}.crt"
+
+- set_fact:
+ labels_ansible_groups: '{ {% for g in group_names %}"ansible_group_{{g}}": True{% if not loop.last %}, {% endif %}{% endfor %} }'
+- set_fact:
+ merged_prometheus_labels: "{{ {}|combine((labels_ansible_groups if prometheus_agent.ansible_groups_as_labels else {}), prometheus_agent.labels) }}"
+- name: setup scraper
+ loop: "{{ 
prometheus_agent.scrapers.keys()|list }}"
+ delegate_to: "{{ item }}"
+ template:
+ src: node-scraper.j2
+ dest: /etc/prometheus/conf.d/scrape_configs/{{ inventory_hostname }}.conf
diff --git a/templates/node-exporter.j2 b/templates/node-exporter.j2
new file mode 100644
index 0000000..1e50db8
--- /dev/null
+++ b/templates/node-exporter.j2
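Review bot: The `copy scraper ssl certs` task writes `/etc/ssl/scraper_{{ item.item }}.crt`, which the stunnel template uses as `CAfile`, but it carries no `notify: restart stunnel`; only the config template notifies, so a rotated scraper certificate lands on disk while the running stunnel keeps trusting the previous one until something else restarts it. Adding `notify: restart stunnel` to that task closes the gap. Separately, both `slurp` tasks run unconditionally, so with `tls.manage` false or a `tls.mode` other than `stunnel` the `slurp up agent cert` task fails on a missing `/etc/ssl/prometheus_agent.crt`; guarding them with the same `when:` conditions as the blocks that consume their results keeps the role usable outside the default configuration. The `install stunnel` task installs package `stunnel` while the handler restarts service `stunnel4`; if, as it looks, `stunnel` is only a transitional package on the target distribution, naming `stunnel4` in both places removes that dependency.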
@@ -0,0 +1,130 @@
+# Set the command-line arguments to pass to the server.
+# Due to shell scaping, to pass backslashes for regexes, you need to double
+# them (\\d for \d). If running under systemd, you need to double them again
+# (\\\\d to mean \d), and escape newlines too.
+ARGS="{% for i in prometheus_agent.args %} --{{ i }}{% if prometheus_agent.args[i] and prometheus_agent.args[i] != {} %}='{{ prometheus_agent.args[i] }}'{% endif %} {% endfor %}"
+
+#{{ prometheus_agent.args.keys()|list|join(' ') }}"
+
+# Prometheus-node-exporter supports the following options:
+#
+# --collector.diskstats.ignored-devices="^(ram|loop|fd|(h|s|v|xv)d[a-z]|nvme\\d+n\\d+p)\\d+$"
+# Regexp of devices to ignore for diskstats.
+# --collector.filesystem.ignored-mount-points="^/(dev|proc|run|sys|mnt|media|var/lib/docker)($|/)"
+# Regexp of mount points to ignore for filesystem
+# collector.
+# --collector.filesystem.ignored-fs-types="^(autofs|binfmt_misc|cgroup|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|mqueue|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|sysfs|tracefs)$"
+# Regexp of filesystem types to ignore for
+# filesystem collector.
+# --collector.netdev.ignored-devices="^lo$"
+# Regexp of net devices to ignore for netdev
+# collector.
+# --collector.netstat.fields="^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*)|Tcp_(ActiveOpens|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts))$"
+# Regexp of fields to return for netstat
+# collector.
+# --collector.ntp.server="127.0.0.1"
+# NTP server to use for ntp collector
+# --collector.ntp.protocol-version=4
+# NTP protocol version
+# --collector.ntp.server-is-local
+# Certify that collector.ntp.server address is the
+# same local host as this collector.
+# --collector.ntp.ip-ttl=1 IP TTL to use while sending NTP query
+# --collector.ntp.max-distance=3.46608s
+# Max accumulated distance to the root
+# --collector.ntp.local-offset-tolerance=1ms
+# Offset between local clock and local ntpd time
+# to tolerate
+# --path.procfs="/proc" procfs mountpoint.
+# --path.sysfs="/sys" sysfs mountpoint.
+# --collector.qdisc.fixtures=""
+# test fixtures to use for qdisc collector
+# end-to-end testing
+# --collector.runit.servicedir="/etc/service"
+# Path to runit service directory.
+# --collector.supervisord.url="http://localhost:9001/RPC2"
+# XML RPC endpoint.
+# --collector.systemd.unit-whitelist=".+"
+# Regexp of systemd units to whitelist. Units must
+# both match whitelist and not match blacklist to
+# be included.
+# --collector.systemd.unit-blacklist=".+(\\.device|\\.scope|\\.slice|\\.target)"
+# Regexp of systemd units to blacklist. Units must
+# both match whitelist and not match blacklist to
+# be included.
+# --collector.systemd.private
+# Establish a private, direct connection to
+# systemd without dbus.
+# --collector.textfile.directory="/var/lib/prometheus/node-exporter"
+# Directory to read text files with metrics from.
+# --collector.vmstat.fields="^(oom_kill|pgpg|pswp|pg.*fault).*"
+# Regexp of fields to return for vmstat collector.
+# --collector.wifi.fixtures=""
+# test fixtures to use for wifi collector metrics
+# --collector.arp Enable the arp collector (default: enabled).
+# --collector.bcache Enable the bcache collector (default: enabled).
+# --collector.bonding Enable the bonding collector (default: enabled).
+# --collector.buddyinfo Enable the buddyinfo collector (default:
+# disabled).
+# --collector.conntrack Enable the conntrack collector (default:
+# enabled).
+# --collector.cpu Enable the cpu collector (default: enabled).
+# --collector.diskstats Enable the diskstats collector (default:
+# enabled).
+# --collector.drbd Enable the drbd collector (default: disabled).
+# --collector.edac Enable the edac collector (default: enabled).
+# --collector.entropy Enable the entropy collector (default: enabled).
+# --collector.filefd Enable the filefd collector (default: enabled).
+# --collector.filesystem Enable the filesystem collector (default:
+# enabled).
+# --collector.hwmon Enable the hwmon collector (default: enabled).
+# --collector.infiniband Enable the infiniband collector (default:
+# enabled).
+# --collector.interrupts Enable the interrupts collector (default:
+# disabled).
+# --collector.ipvs Enable the ipvs collector (default: enabled).
+# --collector.ksmd Enable the ksmd collector (default: disabled).
+# --collector.loadavg Enable the loadavg collector (default: enabled).
+# --collector.logind Enable the logind collector (default: disabled).
+# --collector.mdadm Enable the mdadm collector (default: enabled).
+# --collector.meminfo Enable the meminfo collector (default: enabled).
+# --collector.meminfo_numa Enable the meminfo_numa collector (default:
+# disabled).
+# --collector.mountstats Enable the mountstats collector (default:
+# disabled).
+# --collector.netdev Enable the netdev collector (default: enabled).
+# --collector.netstat Enable the netstat collector (default: enabled).
+# --collector.nfs Enable the nfs collector (default: enabled).
+# --collector.nfsd Enable the nfsd collector (default: enabled).
+# --collector.ntp Enable the ntp collector (default: disabled).
+# --collector.qdisc Enable the qdisc collector (default: disabled).
+# --collector.runit Enable the runit collector (default: disabled).
+# --collector.sockstat Enable the sockstat collector (default:
+# enabled).
+# --collector.stat Enable the stat collector (default: enabled).
+# --collector.supervisord Enable the supervisord collector (default:
+# disabled).
+# --collector.systemd Enable the systemd collector (default: enabled).
+# --collector.tcpstat Enable the tcpstat collector (default:
+# disabled).
+# --collector.textfile Enable the textfile collector (default:
+# enabled).
+# --collector.time Enable the time collector (default: enabled).
+# --collector.uname Enable the uname collector (default: enabled).
+# --collector.vmstat Enable the vmstat collector (default: enabled).
+# --collector.wifi Enable the wifi collector (default: enabled).
+# --collector.xfs Enable the xfs collector (default: enabled).
+# --collector.zfs Enable the zfs collector (default: enabled).
+# --collector.timex Enable the timex collector (default: enabled).
+# --web.listen-address=":9100"
+# Address on which to expose metrics and web
+# interface.
+# --web.telemetry-path="/metrics"
+# Path under which to expose metrics.
+# --log.level="info" Only log messages with the given severity or
+# above. Valid levels: [debug, info, warn, error,
+# fatal]
+# --log.format="logger:stderr"
+# Set the log target and format. Example:
+# "logger:syslog?appname=bob&local=7" or
+# "logger:stdout?json=true"
diff --git a/templates/node-scraper.j2 b/templates/node-scraper.j2
new file mode 100644
index 0000000..c799ed2
--- /dev/null
+++ b/templates/node-scraper.j2
@@ -0,0 +1,16 @@
+- job_name: prometheus-agent {{ inventory_hostname }}
+ scheme: https
+ static_configs:
+ - targets:
+ - {{ inventory_hostname }}:{{ prometheus_agent.scrapers[item] }}
+ labels: {{ merged_prometheus_labels|to_json }}
+ tls_config:
+ ca_file: /etc/prometheus/targetcerts/{{ inventory_hostname }}.crt
+ cert_file: /etc/ssl/prometheus_scraper.crt
+ key_file: /etc/ssl/private/prometheus_scraper.key
+ relabel_configs:
+ - source_labels: [__address__]
+ regex: '([^:]+):\d+'
+ target_label: instance
+ - replacement: 'prometheus-agent'
+ target_label: job
diff --git a/templates/stunnel-client.conf.j2 b/templates/stunnel-client.conf.j2
new file mode 100644
index 0000000..4312e19
--- /dev/null
+++ b/templates/stunnel-client.conf.j2
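Review bot: The `ARGS=` line wraps each option value in hand-written single quotes, `='{{ prometheus_agent.args[i] }}'`, so a value containing `'` (or the backslash-heavy regexes the header comment itself warns about) breaks out of the quoting in a file the service wrapper sources as shell; `={{ prometheus_agent.args[i] | quote }}` lets Ansible's `quote` filter emit a correctly escaped shell word instead. The line `#{{ prometheus_agent.args.keys()|list|join(' ') }}"` just below looks like a debugging leftover: it is commented out in the rendered file yet still renders, and its trailing `"` is unbalanced. The header comment has a typo, `shell scaping` should read `shell escaping`, and it would help to state there that the `ARGS` line is generated from `prometheus_agent.args` and that the long option list below is reference material only.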
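Review bot: The rendered scrape job hard-codes `scheme: https` and a `tls_config` pinning `/etc/prometheus/targetcerts/{{ inventory_hostname }}.crt`, but that file is only delivered by the `copy agent certs to scrapers` task inside the `when: prometheus_agent.tls.mode == "stunnel"` block, so with any other `tls.mode` the scraper gets a job that fails TLS verification against an exporter that is not behind stunnel. Either render the `scheme`/`tls_config` stanza conditionally on the same mode, or document in the defaults that `stunnel` is the only supported mode. The pinning itself lines up: `ca_file` is the agent's own self-signed certificate, whose SAN is the same `inventory_hostname` used in the target entry, so hostname verification will match.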
@@ -0,0 +1,14 @@
+sslVersionMin = TLSv1.2
+
+{% for i in prometheus_agent.scrapers %}
+[scraper {{ i }}]
+client = no
+requireCert = yes
+accept = {{ prometheus_agent.scrapers[i] }}
+connect = {{ prometheus_agent.args['web.listen-address']|replace('[', '')|replace(']', '') }}
+cert = /etc/ssl/prometheus_agent.crt
+key = /etc/ssl/private/prometheus_agent.key
+verifyPeer = yes
+CAfile = /etc/ssl/scraper_{{ i }}.crt
+
+{% endfor %}
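Review bot: The template is named `stunnel-client.conf.j2` and its task `setup stunnel client`, but `client = no` makes every `[scraper ...]` section a TLS server that accepts scraper connections on `accept` and forwards plaintext to the loopback exporter on `connect`; a one-line header, `; TLS server side: scrapers connect to "accept", plaintext is forwarded to the local exporter on "connect"`, would keep the name from misleading a reader. `accept` is a bare port, which stunnel by default binds on all local addresses, so the scraper port is reachable network-wide and relies on `requireCert = yes` plus `verifyPeer = yes` against the single pinned `CAfile` for access control; that is a sound design but worth stating, along with the consequence that because `CAfile` holds exactly one certificate, rotating a scraper's cert requires re-running the role. `connect` strips the brackets from the default `[::1]:9100`, yielding `::1:9100`; if the deployed stunnel's address parser does not accept that form, the service starts but cannot reach the exporter, so this deserves a check against the stunnel version in use.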