diff --git a/data/common/common.yaml b/data/common/common.yaml --- a/data/common/common.yaml +++ b/data/common/common.yaml @@ -3242,6 +3242,8 @@ thanos::sidecar::port_http: "%{lookup('thanos::port::http')}" thanos::sidecar::port_grpc: "%{lookup('thanos::port::grpc')}" thanos::query::port_http: "%{lookup('thanos::port::http')}" +thanos::gateway::port_http: 19192 +thanos::gateway::port_grpc: 19093 thanos::tenant: "%{::subnet}" thanos::replica: "0" diff --git a/site-modules/profile/manifests/thanos/base.pp b/site-modules/profile/manifests/thanos/base.pp --- a/site-modules/profile/manifests/thanos/base.pp +++ b/site-modules/profile/manifests/thanos/base.pp @@ -12,9 +12,11 @@ $install_dir = "${install_basepath}/${version}" $archive_path = "${install_basepath}/${version}.tar.gz" - $current_symlink = "${install_basepath}/current" + $config_dir = '/etc/thanos' + $config_filepath = "${config_dir}/query-sd.yaml" + file { [$install_basepath, $install_dir]: ensure => 'directory', owner => $user, @@ -41,4 +43,12 @@ ensure => 'link', target => $install_dir, } + + file {$config_dir: + ensure => directory, + owner => 'root', + group => 'prometheus', + mode => '0750', + } + } diff --git a/site-modules/profile/manifests/thanos/gateway.pp b/site-modules/profile/manifests/thanos/gateway.pp new file mode 100644 --- /dev/null +++ b/site-modules/profile/manifests/thanos/gateway.pp @@ -0,0 +1,53 @@ +# Thanos gateway services (historical metrics access) +class profile::thanos::gateway { + include profile::thanos::base + + $service_name = 'thanos-gateway' + $unit_name = "${service_name}.service" + $port_http = lookup('thanos::gateway::port_http') + $port_grpc = lookup('thanos::gateway::port_grpc') + $internal_ip = ip_for_network(lookup('internal_network')) + $grpc_address = "${internal_ip}:${port_grpc}" + + $objstore_config = lookup('thanos::objstore::config') + $objstore_config_file = "${::profile::thanos::base::config_dir}/objstore.yml" + $config_filepath = $::profile::thanos::base::config_filepath + + file {$objstore_config_file: + ensure => present, + owner => 'root', + group => 'prometheus', + mode => '0640', + content => inline_yaml($objstore_config), + require => File[$::profile::thanos::base::config_dir], + } + + $gateway_arguments = { + 'data-dir' => '/var/lib/prometheus/metrics2', + objstore => { + 'config-file' => $objstore_config_file, + }, + 'http-address' => "${internal_ip}:${port_http}", + 'grpc-address' => $grpc_address, + } + + # Template uses: + # $gateway_arguments + systemd::unit_file {$unit_name: + ensure => present, + content => template('profile/thanos/gateway.service.erb'), + require => Class['profile::thanos::base'], + notify => Service[$service_name] + } + + service {$service_name: + ensure => 'running', + enable => true, + } + + # gateway service grpc address pushed to query service configuration file to access + # historical data + ::profile::thanos::export_query_endpoint {"thanos-gateway-${::fqdn}": + grpc_address => $grpc_address + } +} diff --git a/site-modules/profile/manifests/thanos/prometheus_sidecar.pp b/site-modules/profile/manifests/thanos/prometheus_sidecar.pp --- a/site-modules/profile/manifests/thanos/prometheus_sidecar.pp +++ b/site-modules/profile/manifests/thanos/prometheus_sidecar.pp @@ -1,4 +1,4 @@ -# Thanos prometheus sidecar +# Thanos prometheus sidecar service class profile::thanos::prometheus_sidecar { include profile::thanos::base @@ -6,9 +6,7 @@ $unit_name = "${service_name}.service" $objstore_config = lookup('thanos::objstore::config') - - $config_dir = '/etc/thanos' - $objstore_config_file = "${config_dir}/objstore.yml" + $objstore_config_file = "${::profile::thanos::base::config_dir}/objstore.yml" $port_http = lookup('thanos::sidecar::port_http') $port_grpc = lookup('thanos::sidecar::port_grpc') @@ -18,7 +16,7 @@ $sidecar_arguments = { tsdb => { - path => '/var/lib/prometheus/metrics2', + path => '/var/lib/prometheus/metrics2' }, prometheus => { # use the listen address for the prometheus server @@ -34,20 +32,13 @@ 'grpc-address' => $grpc_address, } - file {$config_dir: - ensure => directory, - owner => 'root', - group => 'prometheus', - mode => '0750', - require => Package['prometheus'], - } - file {$objstore_config_file: ensure => present, owner => 'root', group => 'prometheus', mode => '0640', content => inline_yaml($objstore_config), + require => File[$::profile::thanos::base::config_dir], } # Template uses: diff --git a/site-modules/profile/manifests/thanos/query.pp b/site-modules/profile/manifests/thanos/query.pp --- a/site-modules/profile/manifests/thanos/query.pp +++ b/site-modules/profile/manifests/thanos/query.pp @@ -6,18 +6,12 @@ $unit_name = "${service_name}.service" $port_http = lookup('thanos::query::port_http') + $non_puppet_managed_stores = lookup('thanos::query::non_puppet_managed::stores') $internal_ip = ip_for_network(lookup('internal_network')) - $config_dir = "/etc/thanos" - $config_filepath = "${config_dir}/sd.yaml" - - file { $config_dir: - ensure => 'directory', - owner => $::profile::thanos::user, - group => $::profile::thanos::group, - mode => '0644', - } + $config_dir = $::profile::thanos::base::config_dir + $config_filepath = $::profile::thanos::base::config_filepath concat::fragment { 'header': target => $config_filepath, @@ -27,7 +21,7 @@ require => File[$config_dir], } - $non_puppet_managed_stores.map | $store | { + $non_puppet_managed_stores.each | $store | { concat::fragment { $store: target => $config_filepath, content => " - ${store}\n", @@ -37,10 +31,6 @@ } } - # Deal with collected resources - Concat <<| tag == 'thanos' |>> ~> Service[$service_name] - Concat::Fragment <<| tag == 'thanos' |>> ~> Service[$service_name] - $query_arguments = { "http-address" => "${internal_ip}:${port_http}", "store.sd-files" => $config_filepath, @@ -61,4 +51,7 @@ } Class['profile::thanos::base'] ~> Service[$service_name] + # Deal with collected resources + Concat <<| tag == 'thanos' |>> ~> Service[$service_name] + Concat::Fragment <<| tag == 'thanos' |>> ~> Service[$service_name] } diff --git a/site-modules/profile/templates/thanos/gateway.service.erb b/site-modules/profile/templates/thanos/gateway.service.erb new file mode 100644 --- /dev/null +++ b/site-modules/profile/templates/thanos/gateway.service.erb @@ -0,0 +1,39 @@ +# File managed by puppet (class profile::thanos::gateway) +# Manual changes will be overwritten + +[Unit] +Description=Thanos gateway + +[Service] +Restart=on-failure +User=prometheus +ExecStart=/opt/thanos/current/thanos store <%= scope.call_function('flatten_to_argument_list', [@gateway_arguments]).join(" \\\n ") %> +ExecReload=/bin/kill -HUP $MAINPID +TimeoutStopSec=20s +SendSIGKILL=no + +# systemd hardening-options +AmbientCapabilities= +CapabilityBoundingSet= +DeviceAllow=/dev/null rw +DevicePolicy=strict +LimitMEMLOCK=0 +LimitNOFILE=8192 +LockPersonality=true +MemoryDenyWriteExecute=true +NoNewPrivileges=true +PrivateDevices=true +PrivateTmp=true +PrivateUsers=true +ProtectControlGroups=true +ProtectHome=true +ProtectKernelModules=true +ProtectKernelTunables=true +ProtectSystem=full +RemoveIPC=true +RestrictNamespaces=true +RestrictRealtime=true +SystemCallArchitectures=native + +[Install] +WantedBy=multi-user.target diff --git a/site-modules/role/manifests/swh_thanos.pp b/site-modules/role/manifests/swh_thanos.pp --- a/site-modules/role/manifests/swh_thanos.pp +++ b/site-modules/role/manifests/swh_thanos.pp @@ -1,4 +1,5 @@ # Thanos role class role::swh_thanos inherits role::swh_server { include profile::thanos::query + include profile::thanos::gateway }