From c9dbee214c22f6b5b69986ab84f7181ac19b5737 Mon Sep 17 00:00:00 2001
From: Kevin Velarde
Date: Thu, 31 Oct 2024 23:12:31 -0600
Subject: [PATCH] Add tasks to open prometheus exporter ports in firewalld

---
 playbooks/prometheus_exporters.yml | 167 ++++++++++++++++--
 .../vars/main/prometheus.yml} | 1 +
 roles/grafana/tasks/main.yml | 3 +
 roles/prometheus/tasks/main.yml | 2 +-
 roles/prometheus/templates/scrape_configs.j2 | 2 +-
 5 files changed, 162 insertions(+), 13 deletions(-)
 rename roles/{prometheus/vars/main.yml => common_vars/vars/main/prometheus.yml} (86%)

diff --git a/playbooks/prometheus_exporters.yml b/playbooks/prometheus_exporters.yml
index 51e0c8d7..fa0965d2 100644
--- a/playbooks/prometheus_exporters.yml
+++ b/playbooks/prometheus_exporters.yml
@@ -4,6 +4,10 @@
 - name: Install RabbitMQ exporter
 hosts: rabbitmq, rabbitmq_secondary
 become: true
+ roles:
+ # Pull in the common vars
+ - role: itential.deployer.common_vars
+ tags: always
 tasks:
 # RabbitMQ has builtin Prometheus support, just enable the plugin.
 # https://www.rabbitmq.com/docs/prometheus#rabbitmq-configuration
@@ -12,7 +16,25 @@
 cmd: rabbitmq-plugins enable rabbitmq_prometheus
 register: cmdoutput
 changed_when: cmdoutput.rc != 0
- tags: rabbitmq_prometheus_plugin_enable
+ tags: rabbitmq_exporter_install
+
+ - name: Make custom configuration changes
+ tags: rabbitmq_exporter_custom_config
+ block:
+ - name: Gather service facts
+ ansible.builtin.service_facts:
+
+ - name: Open Port on FirewallD Public Zone
+ ansible.posix.firewalld:
+ port: "{{ prometheus_rabbitmq_exporter_web_listen_port }}/tcp"
+ permanent: true
+ state: enabled
+ zone: public
+ immediate: true
+ when:
+ - ansible_facts.services["firewalld.service"] is defined
+ - ansible_facts.services["firewalld.service"].state == "running"
+ - ansible_facts.services["firewalld.service"].status == "enabled"
 
 - name: Install Redis exporter
 hosts: redis, redis_secondary
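Review bot: The firewalld task in the RabbitMQ block opens `{{ prometheus_rabbitmq_exporter_web_listen_port }}/tcp` in `zone: public` on every host where firewalld is running, so the metrics endpoint becomes reachable from any source rather than only from the Prometheus server; `ansible.posix.firewalld` accepts `rich_rule`, so the opening can be limited to the scraper, e.g. `rich_rule: rule family="ipv4" source address="<PROMETHEUS_HOST_IP placeholder>" port port="{{ prometheus_rabbitmq_exporter_web_listen_port }}" protocol="tcp" accept` with the same `state`/`permanent`/`immediate` settings. The identical service_facts-plus-firewalld stanza is copied into the Redis, MongoDB, node and process exporter plays in the following hunks with only the port variable changing, so a shared task file pulled in with `ansible.builtin.include_tasks` and a port variable would keep all five in step. Unlike those four plays, this one never consults an inventory-provided listen address, so a RabbitMQ host that runs the plugin on a non-default port keeps the default port open instead.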
@@ -20,12 +42,39 @@
 roles:
 # Pull in the common vars
 - role: itential.deployer.common_vars
- tags: redis_exporter_install
+ tags: always
 - role: prometheus.prometheus.redis_exporter
 vars:
 redis_exporter_user: admin
 tags: redis_exporter_install
+ tasks:
+ - name: Make custom configuration changes
+ tags: redis_exporter_custom_config
+ block:
+ - name: Gather service facts
+ ansible.builtin.service_facts:
+
+ - name: Default the Redis exporter listen port
+ ansible.builtin.set_fact:
+ redis_exporter_listen_port: "{{ prometheus_redis_exporter_web_listen_port }}"
+
+ - name: Set the Redis exporter listen port from inventory
+ ansible.builtin.set_fact:
+ redis_exporter_listen_port: "{{ hostvars[inventory_hostname].redis_exporter_web_listen_address.split(':') | last }}"
+ when: "'redis_exporter_web_listen_address' in hostvars[inventory_hostname]"
+
+ - name: Open Port on FirewallD Public Zone
+ ansible.posix.firewalld:
+ port: "{{ redis_exporter_listen_port }}/tcp"
+ permanent: true
+ state: enabled
+ zone: public
+ immediate: true
+ when:
+ - ansible_facts.services["firewalld.service"] is defined
+ - ansible_facts.services["firewalld.service"].state == "running"
+ - ansible_facts.services["firewalld.service"].status == "enabled"
 
 - name: Install MongoDB exporter
 hosts: mongodb, mongodb_arbiter, mongodb_secondary
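Review bot: `redis_exporter_web_listen_address.split(':') | last` returns the whole address when the inventory value contains no `:`, and that string is then handed to firewalld as `<address>/tcp`, so the task fails instead of keeping the default port set one task earlier; extending the guard to `when: "'redis_exporter_web_listen_address' in hostvars[inventory_hostname] and ':' in hostvars[inventory_hostname].redis_exporter_web_listen_address"` keeps the fallback in that case. A short comment on the "Default" set_fact, e.g. `# Inventory may override the listen address; fall back to the common port otherwise`, would also explain why two set_fact tasks assign the same variable. The same pair of tasks reappears for the MongoDB, node and process exporters in the next hunk.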
@@ -33,32 +82,128 @@
 roles:
 # Pull in the common vars
 - role: itential.deployer.common_vars
- tags: mongodb_exporter_install
+ tags: always
 - role: prometheus.prometheus.mongodb_exporter
 vars:
 mongodb_exporter_collectors: all
 tags: mongodb_exporter_install
 tasks:
- - name: Add the MongoDB password export to the systemd service file
- ansible.builtin.lineinfile:
- path: /etc/systemd/system/mongodb_exporter.service
- insertafter: '^\[Service\]'
- line: "export MONGODB_PASSWORD={{ mongo_user_admin_password }}"
- when: mongo_auth | bool
- notify: Restart mongodb_exporter
- tags: mongodb_exporter_install
+ - name: Make custom configuration changes
+ tags: mongodb_exporter_custom_config
+ block:
+ - name: Add the MongoDB user to the systemd service file
+ ansible.builtin.lineinfile:
+ path: /etc/systemd/system/mongodb_exporter.service
+ insertafter: '^\[Service\]'
+ line: 'Environment="MONGODB_USER=admin"'
+ when: mongodb_auth | bool
+ notify: Restart mongodb_exporter
+
+ - name: Add the MongoDB password to the systemd service file
+ ansible.builtin.lineinfile:
+ path: /etc/systemd/system/mongodb_exporter.service
+ insertafter: 'Environment="MONGODB_USER=admin"'
+ line: 'Environment="MONGODB_PASSWORD={{ mongo_user_admin_password }}"'
+ when: mongodb_auth | bool
+ notify: Restart mongodb_exporter
+
+ - name: Gather service facts
+ ansible.builtin.service_facts:
+
+ - name: Default the MongoDB exporter listen port
+ ansible.builtin.set_fact:
+ mongodb_exporter_listen_port: "{{ prometheus_mongodb_exporter_web_listen_port }}"
+
+ - name: Set the MongoDB exporter listen port from inventory
+ ansible.builtin.set_fact:
+ mongodb_exporter_listen_port: "{{ hostvars[inventory_hostname].mongodb_exporter_web_listen_address.split(':') | last }}"
+ when: "'mongodb_exporter_web_listen_address' in hostvars[inventory_hostname]"
+
+ - name: Open Port on FirewallD Public Zone
+ ansible.posix.firewalld:
+ port: "{{ mongodb_exporter_listen_port }}/tcp"
+ permanent: true
+ state: enabled
+ zone: public
+ immediate: true
+ when:
+ - ansible_facts.services["firewalld.service"] is defined
+ - ansible_facts.services["firewalld.service"].state == "running"
+ - ansible_facts.services["firewalld.service"].status == "enabled"
 
 - name: Install node exporter
 hosts: all,!prometheus,!grafana
 become: true
 roles:
+ # Pull in the common vars
+ - role: itential.deployer.common_vars
+ tags: always
+
 - role: prometheus.prometheus.node_exporter
 tags: node_exporter_install
+ tasks:
+ - name: Make custom configuration changes
+ tags: node_exporter_custom_config
+ block:
+ - name: Gather service facts
+ ansible.builtin.service_facts:
+
+ - name: Default the node exporter listen port
+ ansible.builtin.set_fact:
+ node_exporter_listen_port: "{{ prometheus_node_exporter_web_listen_port }}"
+
+ - name: Set the node exporter listen port from inventory
+ ansible.builtin.set_fact:
+ node_exporter_listen_port: "{{ hostvars[inventory_hostname].node_exporter_web_listen_address.split(':') | last }}"
+ when: "'node_exporter_web_listen_address' in hostvars[inventory_hostname]"
+
+ - name: Open Port on FirewallD Public Zone
+ ansible.posix.firewalld:
+ port: "{{ node_exporter_listen_port }}/tcp"
+ permanent: true
+ state: enabled
+ zone: public
+ immediate: true
+ when:
+ - ansible_facts.services["firewalld.service"] is defined
+ - ansible_facts.services["firewalld.service"].state == "running"
+ - ansible_facts.services["firewalld.service"].status == "enabled"
 
 - name: Install process exporter
 hosts: platform, gateway
 become: true
 roles:
+ # Pull in the common vars
+ - role: itential.deployer.common_vars
+ tags: always
+
 - role: prometheus.prometheus.process_exporter
 tags: process_exporter_install
+ tasks:
+ - name: Make custom configuration changes
+ tags: process_exporter_custom_config
+ block:
+ - name: Gather service facts
+ ansible.builtin.service_facts:
+
+ - name: Default the process exporter listen port
+ ansible.builtin.set_fact:
+ process_exporter_listen_port: "{{ prometheus_process_exporter_web_listen_port }}"
+
+ - name: Set the process exporter listen port from inventory
+ ansible.builtin.set_fact:
+ process_exporter_listen_port: "{{ hostvars[inventory_hostname].process_exporter_web_listen_address.split(':') | last }}"
+ when: "'process_exporter_web_listen_address' in hostvars[inventory_hostname]"
+
+ - name: Open Port on FirewallD Public Zone
+ ansible.posix.firewalld:
+ port: "{{ process_exporter_listen_port }}/tcp"
+ permanent: true
+ state: enabled
+ zone: public
+ immediate: true
+ when:
+ - ansible_facts.services["firewalld.service"] is defined
+ - ansible_facts.services["firewalld.service"].state == "running"
+ - ansible_facts.services["firewalld.service"].status == "enabled"
diff --git a/roles/prometheus/vars/main.yml b/roles/common_vars/vars/main/prometheus.yml
similarity index 86%
rename from roles/prometheus/vars/main.yml
rename to roles/common_vars/vars/main/prometheus.yml
index a5854aa1..8d355dd4 100644
--- a/roles/prometheus/vars/main.yml
+++ b/roles/common_vars/vars/main/prometheus.yml
@@ -5,3 +5,4 @@ prometheus_process_exporter_web_listen_port: 9256
 prometheus_node_exporter_web_listen_port: 9100
 prometheus_redis_exporter_web_listen_port: 9121
 prometheus_mongodb_exporter_web_listen_port: 9216
+prometheus_rabbitmq_exporter_web_listen_port: 15692
diff --git a/roles/grafana/tasks/main.yml b/roles/grafana/tasks/main.yml
index a4e39682..d10467b4 100644
--- a/roles/grafana/tasks/main.yml
+++ b/roles/grafana/tasks/main.yml
@@ -68,6 +68,9 @@
 mode: "0644"
 when: "'rabbitmq' in groups"
 
+- name: Gather service facts
+ ansible.builtin.service_facts:
+
 - name: Open Port on FirewallD Public Zone
 ansible.posix.firewalld:
 port: "{{ grafana_port }}/tcp"
diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml
index 05078fa5..8f76eba1 100644
--- a/roles/prometheus/tasks/main.yml
+++ b/roles/prometheus/tasks/main.yml
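Review bot: The second lineinfile in the MongoDB block writes `Environment="MONGODB_PASSWORD=…"` into /etc/systemd/system/mongodb_exporter.service, so the admin password ends up in a unit file that is conventionally 0644 and whose contents `systemctl cat` and `systemctl show -p Environment` print, and neither task sets `no_log: true`, so `--diff` or verbose runs also print the rendered line. Keeping the credentials in a root-owned 0600 file referenced through `EnvironmentFile=` avoids both, since systemd reads that file itself before the service drops privileges; the rewrite below replaces the two lineinfile tasks. Separately, the condition changed from `mongo_auth | bool` on the removed lines to `mongodb_auth | bool` on the new ones while `mongo_user_admin_password` keeps the old prefix; if that rename was not intended, inventories that still define `mongo_auth` will fail the task on an undefined variable. The same firewalld stanza discussed on the first hunk is repeated for the node and process exporter plays further down this hunk.
```yaml
      - name: Write the MongoDB exporter credentials to a root-only environment file
        ansible.builtin.copy:
          dest: "{{ mongodb_exporter_env_file }}"  # constructed variable: the env-file path you choose
          content: |
            MONGODB_USER=admin
            MONGODB_PASSWORD={{ mongo_user_admin_password }}
          owner: root
          group: root
          mode: "0600"
        no_log: true
        when: mongodb_auth | bool
        notify: Restart mongodb_exporter

      - name: Reference the environment file from the systemd service file
        ansible.builtin.lineinfile:
          path: /etc/systemd/system/mongodb_exporter.service
          insertafter: '^\[Service\]'
          line: 'EnvironmentFile={{ mongodb_exporter_env_file }}'
        when: mongodb_auth | bool
        notify: Restart mongodb_exporter

      # … unchanged: service_facts, listen-port set_fact tasks and the firewalld task …
```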
@@ -12,7 +12,7 @@
 - name: Create Itential scrape config file
 ansible.builtin.template:
 src: scrape_configs.j2
- dest: "{{ prometheus_config_dir }}/scrapes/itential.yml"
+ dest: "{{ prometheus_config_dir }}/scrape_configs/itential.yml"
 owner: "{{ prometheus_system_user }}"
 group: "{{ prometheus_system_group }}"
 mode: "0644"
diff --git a/roles/prometheus/templates/scrape_configs.j2 b/roles/prometheus/templates/scrape_configs.j2
index 3c43c0c4..ed18428f 100644
--- a/roles/prometheus/templates/scrape_configs.j2
+++ b/roles/prometheus/templates/scrape_configs.j2
@@ -85,7 +85,7 @@ {%- if 'rabbitmq' in groups -%} {% for host in groups['rabbitmq'] %} -{% set rabbitmq_exporter_web_listen_address = host + ":" + rabbitmq_default_mgt_console_port | string %} +{% set rabbitmq_exporter_web_listen_address = host + ":" + prometheus_rabbitmq_exporter_web_listen_port | string %} {{- rabbitmq_exporter_targets.append( rabbitmq_exporter_web_listen_address ) -}} {% if 'node_exporter_web_listen_address' in hostvars[host] %} {% set node_exporter_web_listen_address = hostvars[host].node_exporter_web_listen_address %}
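Review bot: Moving `dest` to `{{ prometheus_config_dir }}/scrape_configs/itential.yml` leaves the old `scrapes/itential.yml` in place on hosts deployed with the previous version, and nothing in this hunk creates the `scrape_configs` directory; whether the upstream prometheus role creates it cannot be seen here. A task before this one such as `ansible.builtin.file:` with `path: "{{ prometheus_config_dir }}/scrapes/itential.yml"` and `state: absent` would remove the stale copy so only one version of the Itential scrape config remains on the host. The task list continues outside the hunk.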
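Review bot: The RabbitMQ target is now built solely from `prometheus_rabbitmq_exporter_web_listen_port`, so unlike the node exporter branch two lines below there is no per-host `rabbitmq_exporter_web_listen_address` override; if that is deliberate, a comment such as `{# RabbitMQ's built-in exporter always uses the common port; no per-host override #}` above the set line would save the next reader from looking for one. That variable also moved into roles/common_vars in this patch, so the play that renders this template must pull in that role for the lookup to resolve, which cannot be confirmed from this hunk. The enclosing for loop continues outside the hunk.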