infra/ansible-role-prometheus-agent
4
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Initial commit

Browse source
This commit is contained in:
nd 2020-05-22 14:47:25 +02:00
commit e42f1f6b9a
No known key found for this signature in database
GPG key ID: 21B5CD4DEE3670E9
7 changed files with 252 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

0
README.md Normal file
View file

10
defaults/main.yml Normal file
View file

@ -0,0 +1,10 @@
prometheus_agent:
tls:
mode: stunnel
manage: yes
pki: ~
args:
'web.listen-address': "[::1]:9100"
scrapers: {}
ansible_groups_as_labels: False
labels: {}

9
handlers/main.yml Normal file
View file

@ -0,0 +1,9 @@
- name: restart node-exporter
service:
name: prometheus-node-exporter
state: restarted
- name: restart stunnel
service:
name: stunnel4
state: restarted

73
tasks/main.yml Normal file
View file

@ -0,0 +1,73 @@
- name: install node-exporter
apt:
pkg: prometheus-node-exporter
- name: manage tls
when: prometheus_agent.tls.manage
block:
- set_fact:
inventory_certs: "{{ certificates.certs|d({}) }}"
prometheus_certs: |
{
'prometheus_agent': {
'san': ['{{ inventory_hostname }}'],
'backend': 'selfsigned'
}
}
- include_role:
name: certificates
vars:
certificates:
certs: "{{ {}|combine(prometheus_certs, inventory_certs, recursive=True) }}"
- name: copy node-exporter config
template:
src: node-exporter.j2
dest: /etc/default/prometheus-node-exporter
notify: restart node-exporter
- name: slurp up all scraper certs
loop: "{{ prometheus_agent.scrapers.keys()|list }}"
delegate_to: "{{ item }}"
slurp:
src: /etc/ssl/prometheus_scraper.crt
register: scrapercertfiles
- name: slurp up agent cert
slurp:
src: /etc/ssl/prometheus_agent.crt
register: agentcertfiles
- name: setup stunnel client
when: prometheus_agent.tls.mode == "stunnel"
block:
- name: install stunnel
apt:
pkg: stunnel
- name: copy scraper ssl certs
loop: "{{ scrapercertfiles.results }}"
copy:
content: "{{ item.content | b64decode }}"
dest: "/etc/ssl/scraper_{{ item.item }}.crt"
- name: copy stunnel config
template:
src: stunnel-client.conf.j2
dest: /etc/stunnel/prometheus-agent.conf
notify: restart stunnel
- name: copy agent certs to scrapers
loop: "{{ prometheus_agent.scrapers.keys()|list }}"
delegate_to: "{{ item }}"
copy:
content: "{{ agentcertfiles.content | b64decode }}"
dest: "/etc/prometheus/targetcerts/{{ inventory_hostname }}.crt"
- set_fact:
labels_ansible_groups: '{ {% for g in group_names %}"ansible_group_{{g}}": True{% if not loop.last %}, {% endif %}{% endfor %} }'
- set_fact:
merged_prometheus_labels: "{{ {}|combine((labels_ansible_groups if prometheus_agent.ansible_groups_as_labels else {}), prometheus_agent.labels) }}"
- name: setup scraper
loop: "{{ prometheus_agent.scrapers.keys()|list }}"
delegate_to: "{{ item }}"
template:
src: node-scraper.j2
dest: /etc/prometheus/conf.d/scrape_configs/{{ inventory_hostname }}.conf

130
templates/node-exporter.j2 Normal file
View file

@ -0,0 +1,130 @@
# Set the command-line arguments to pass to the server.
# Due to shell scaping, to pass backslashes for regexes, you need to double
# them (\\d for \d). If running under systemd, you need to double them again
# (\\\\d to mean \d), and escape newlines too.
ARGS="{% for i in prometheus_agent.args %} --{{ i }}{% if prometheus_agent.args[i] and prometheus_agent.args[i] != {} %}='{{ prometheus_agent.args[i] }}'{% endif %} {% endfor %}"
#{{ prometheus_agent.args.keys()|list|join(' ') }}"
# Prometheus-node-exporter supports the following options:
#
# --collector.diskstats.ignored-devices="^(ram|loop|fd|(h|s|v|xv)d[a-z]|nvme\\d+n\\d+p)\\d+$"
# Regexp of devices to ignore for diskstats.
# --collector.filesystem.ignored-mount-points="^/(dev|proc|run|sys|mnt|media|var/lib/docker)($|/)"
# Regexp of mount points to ignore for filesystem
# collector.
# --collector.filesystem.ignored-fs-types="^(autofs|binfmt_misc|cgroup|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|mqueue|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|sysfs|tracefs)$"
# Regexp of filesystem types to ignore for
# filesystem collector.
# --collector.netdev.ignored-devices="^lo$"
# Regexp of net devices to ignore for netdev
# collector.
# --collector.netstat.fields="^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*)|Tcp_(ActiveOpens|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts))$"
# Regexp of fields to return for netstat
# collector.
# --collector.ntp.server="127.0.0.1"
# NTP server to use for ntp collector
# --collector.ntp.protocol-version=4
# NTP protocol version
# --collector.ntp.server-is-local
# Certify that collector.ntp.server address is the
# same local host as this collector.
# --collector.ntp.ip-ttl=1 IP TTL to use while sending NTP query
# --collector.ntp.max-distance=3.46608s
# Max accumulated distance to the root
# --collector.ntp.local-offset-tolerance=1ms
# Offset between local clock and local ntpd time
# to tolerate
# --path.procfs="/proc" procfs mountpoint.
# --path.sysfs="/sys" sysfs mountpoint.
# --collector.qdisc.fixtures=""
# test fixtures to use for qdisc collector
# end-to-end testing
# --collector.runit.servicedir="/etc/service"
# Path to runit service directory.
# --collector.supervisord.url="http://localhost:9001/RPC2"
# XML RPC endpoint.
# --collector.systemd.unit-whitelist=".+"
# Regexp of systemd units to whitelist. Units must
# both match whitelist and not match blacklist to
# be included.
# --collector.systemd.unit-blacklist=".+(\\.device|\\.scope|\\.slice|\\.target)"
# Regexp of systemd units to blacklist. Units must
# both match whitelist and not match blacklist to
# be included.
# --collector.systemd.private
# Establish a private, direct connection to
# systemd without dbus.
# --collector.textfile.directory="/var/lib/prometheus/node-exporter"
# Directory to read text files with metrics from.
# --collector.vmstat.fields="^(oom_kill|pgpg|pswp|pg.*fault).*"
# Regexp of fields to return for vmstat collector.
# --collector.wifi.fixtures=""
# test fixtures to use for wifi collector metrics
# --collector.arp Enable the arp collector (default: enabled).
# --collector.bcache Enable the bcache collector (default: enabled).
# --collector.bonding Enable the bonding collector (default: enabled).
# --collector.buddyinfo Enable the buddyinfo collector (default:
# disabled).
# --collector.conntrack Enable the conntrack collector (default:
# enabled).
# --collector.cpu Enable the cpu collector (default: enabled).
# --collector.diskstats Enable the diskstats collector (default:
# enabled).
# --collector.drbd Enable the drbd collector (default: disabled).
# --collector.edac Enable the edac collector (default: enabled).
# --collector.entropy Enable the entropy collector (default: enabled).
# --collector.filefd Enable the filefd collector (default: enabled).
# --collector.filesystem Enable the filesystem collector (default:
# enabled).
# --collector.hwmon Enable the hwmon collector (default: enabled).
# --collector.infiniband Enable the infiniband collector (default:
# enabled).
# --collector.interrupts Enable the interrupts collector (default:
# disabled).
# --collector.ipvs Enable the ipvs collector (default: enabled).
# --collector.ksmd Enable the ksmd collector (default: disabled).
# --collector.loadavg Enable the loadavg collector (default: enabled).
# --collector.logind Enable the logind collector (default: disabled).
# --collector.mdadm Enable the mdadm collector (default: enabled).
# --collector.meminfo Enable the meminfo collector (default: enabled).
# --collector.meminfo_numa Enable the meminfo_numa collector (default:
# disabled).
# --collector.mountstats Enable the mountstats collector (default:
# disabled).
# --collector.netdev Enable the netdev collector (default: enabled).
# --collector.netstat Enable the netstat collector (default: enabled).
# --collector.nfs Enable the nfs collector (default: enabled).
# --collector.nfsd Enable the nfsd collector (default: enabled).
# --collector.ntp Enable the ntp collector (default: disabled).
# --collector.qdisc Enable the qdisc collector (default: disabled).
# --collector.runit Enable the runit collector (default: disabled).
# --collector.sockstat Enable the sockstat collector (default:
# enabled).
# --collector.stat Enable the stat collector (default: enabled).
# --collector.supervisord Enable the supervisord collector (default:
# disabled).
# --collector.systemd Enable the systemd collector (default: enabled).
# --collector.tcpstat Enable the tcpstat collector (default:
# disabled).
# --collector.textfile Enable the textfile collector (default:
# enabled).
# --collector.time Enable the time collector (default: enabled).
# --collector.uname Enable the uname collector (default: enabled).
# --collector.vmstat Enable the vmstat collector (default: enabled).
# --collector.wifi Enable the wifi collector (default: enabled).
# --collector.xfs Enable the xfs collector (default: enabled).
# --collector.zfs Enable the zfs collector (default: enabled).
# --collector.timex Enable the timex collector (default: enabled).
# --web.listen-address=":9100"
# Address on which to expose metrics and web
# interface.
# --web.telemetry-path="/metrics"
# Path under which to expose metrics.
# --log.level="info" Only log messages with the given severity or
# above. Valid levels: [debug, info, warn, error,
# fatal]
# --log.format="logger:stderr"
# Set the log target and format. Example:
# "logger:syslog?appname=bob&local=7" or
# "logger:stdout?json=true"

16
templates/node-scraper.j2 Normal file
View file

@ -0,0 +1,16 @@
- job_name: prometheus-agent {{ inventory_hostname }}
scheme: https
static_configs:
- targets:
- {{ inventory_hostname }}:{{ prometheus_agent.scrapers[item] }}
labels: {{ merged_prometheus_labels|to_json }}
tls_config:
ca_file: /etc/prometheus/targetcerts/{{ inventory_hostname }}.crt
cert_file: /etc/ssl/prometheus_scraper.crt
key_file: /etc/ssl/private/prometheus_scraper.key
relabel_configs:
- source_labels: [__address__]
regex: '([^:]+):\d+'
target_label: instance
- replacement: 'prometheus-agent'
target_label: job

14
templates/stunnel-client.conf.j2 Normal file
View file

@ -0,0 +1,14 @@
sslVersionMin = TLSv1.2
{% for i in prometheus_agent.scrapers %}
[scraper {{ i }}]
client = no
requireCert = yes
accept = {{ prometheus_agent.scrapers[i] }}
connect = {{ prometheus_agent.args['web.listen-address']|replace('[', '')|replace(']', '') }}
cert = /etc/ssl/prometheus_agent.crt
key = /etc/ssl/private/prometheus_agent.key
verifyPeer = yes
CAfile = /etc/ssl/scraper_{{ i }}.crt
{% endfor %}