diff --git a/data/common/sentry.yaml b/data/common/sentry.yaml index 9d3a7e1c..cc46e2e6 100644 --- a/data/common/sentry.yaml +++ b/data/common/sentry.yaml @@ -1,21 +1,25 @@ --- # sentry::secret_key in private-data sentry::postgres::host: db.internal.softwareheritage.org sentry::postgres::port: 5432 sentry::postgres::dbname: sentry sentry::postgres::user: sentry # sentry::postgres::password in private-data sentry::admin_email: sysop+sentry@softwareheritage.org sentry::mail::host: "%{lookup('smtp::relay_hostname')}" sentry::mail::from: sentry@softwareheritage.org sentry::backend::url: http://riverside.internal.softwareheritage.org:9000/ sentry::vhost::name: sentry.softwareheritage.org sentry::vhost::ssl_protocol: "%{hiera('apache::ssl_protocol')}" sentry::vhost::ssl_honorcipherorder: "%{hiera('apache::ssl_honorcipherorder')}" sentry::vhost::ssl_cipher: "%{hiera('apache::ssl_cipher')}" sentry::vhost::hsts_header: "%{hiera('apache::hsts_header')}" + +sentry::relay::id: "a3b8b08d-6c09-4065-b944-5d96b132d69f" +sentry::relay::public_key: "VmNbDVTyLBKeRaUwu-_cwuvj2ZhH6R0-JBCjC6Pehzs" +# sentry::relay::secret_key in private-data diff --git a/site-modules/profile/manifests/sentry.pp b/site-modules/profile/manifests/sentry.pp index 276a655b..dc21e719 100644 --- a/site-modules/profile/manifests/sentry.pp +++ b/site-modules/profile/manifests/sentry.pp 
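Review bot: The new `sentry::relay::id` and `sentry::relay::public_key` entries are only meaningful together with the `sentry::relay::secret_key` kept in private-data (all three come from the same generated Relay key pair), but nothing in the file says so, and the comment style used for the other secrets only marks where the secret lives. A reader rotating the relay credentials could replace the secret in private-data and leave the stale public key and id here, which would silently break relay registration. I would extend the added comment to `# sentry::relay::secret_key in private-data; id and public_key above are from the same key pair, regenerate all three together`. Quoting both values is correct since the public key could otherwise start with a YAML-significant character.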
@@ -1,127 +1,145 @@ # Deploy a Sentry instance class profile::sentry { include profile::docker include profile::docker_compose $onpremise_dir = '/var/lib/sentry-onpremise' $onpremise_repo = 'https://forge.softwareheritage.org/source/getsentry-onpremise.git' $onpremise_repo_branch = 'softwareheritage' vcsrepo {$onpremise_dir: ensure => latest, provider => 'git', source => $onpremise_repo, revision => $onpremise_repo_branch, notify => [ File_Line['sentry_environment_kafka'], Exec['run sentry-onpremise install.sh'], ], } -> file {$onpremise_dir: ensure => directory, owner => 'root', group => 'root', mode => '0700', } $requirements_file = "${onpremise_dir}/sentry/requirements.txt" $config_yml = "${onpremise_dir}/sentry/config.yml" $config_py = "${onpremise_dir}/sentry/sentry.conf.py" + $relay_credentials_json = "${onpremise_dir}/relay/credentials.json" file {$requirements_file: ensure => present, owner => 'root', group => 'root', mode => '0644', content => template('profile/sentry/requirements.txt.erb'), require => Vcsrepo[$onpremise_dir], notify => Exec['run sentry-onpremise install.sh'], } # variables for config.yml $admin_email = lookup('sentry::admin_email') $secret_key = lookup('sentry::secret_key') $vhost_name = lookup('sentry::vhost::name') $mail_host = lookup('sentry::mail::host') $mail_from = lookup('sentry::mail::from') file {$config_yml: ensure => present, owner => 'root', group => 'root', mode => '0644', content => template('profile/sentry/config.yml.erb'), require => Vcsrepo[$onpremise_dir], notify => Exec['run sentry-onpremise install.sh'], } ##### # variables for sentry.conf.py # postgresql $postgres_host = lookup('sentry::postgres::host') $postgres_port = lookup('sentry::postgres::port') $postgres_dbname = lookup('sentry::postgres::dbname') $postgres_user = lookup('sentry::postgres::user') $postgres_password = lookup('sentry::postgres::password') + + # relay + $relay_public_key = lookup('sentry::relay::public_key') + ##### file {$config_py: ensure => 
present, owner => 'root', group => 'root', mode => '0644', content => template('profile/sentry/sentry.conf.py.erb'), require => Vcsrepo[$onpremise_dir], notify => Exec['run sentry-onpremise install.sh'], } + $relay_secret_key = lookup('sentry::relay::secret_key') + $relay_id = lookup('sentry::relay::id') + + file {$relay_credentials_json: + ensure => present, + owner => 'root', + group => 'root', + mode => '0644', + content => template('profile/sentry/relay_credentials.json.erb'), + require => Vcsrepo[$onpremise_dir], + notify => Exec['run sentry-onpremise install.sh'], + } + file_line {'sentry_environment_kafka': ensure => absent, path => "${onpremise_dir}/.env", match => '^DEFAULT_BROKERS=', match_for_absence => true, multiple => true, require => Vcsrepo[$onpremise_dir], notify => Exec['run sentry-onpremise install.sh'], } $onpremise_flag = "${onpremise_dir}-installed" $onpremise_log = "/var/log/sentry-onpremise-install.log" exec {'check sentry-onpremise install flag': command => 'true', unless => "bash -c '[[ \"$(cat ${onpremise_flag})\" = \"$(git rev-parse HEAD)\" ]]'", cwd => $onpremise_dir, path => ['/usr/local/sbin', '/usr/local/bin', '/usr/sbin', '/usr/bin', '/sbin:/bin'], notify => Exec['run sentry-onpremise install.sh'], } exec {'run sentry-onpremise install.sh': command => "rm -f ${onpremise_flag}; (./install.sh && git rev-parse HEAD > ${onpremise_flag}) | tee -a ${onpremise_log}", timeout => 0, provider => shell, cwd => $onpremise_dir, path => ['/usr/local/sbin', '/usr/local/bin', '/usr/sbin', '/usr/bin', '/sbin:/bin'], environment => ["CI=yes"], refreshonly => true, require => [ Class['profile::docker'], Package['docker-compose'], File[$requirements_file, $config_yml, $config_py], ], notify => Exec['start sentry-onpremise docker compose'], } exec {'start sentry-onpremise docker compose': command => 'docker-compose up -d', timeout => 0, cwd => $onpremise_dir, path => ['/usr/local/sbin', '/usr/local/bin', '/usr/sbin', '/usr/bin', '/sbin:/bin'], 
refreshonly => true, require => [ Class['profile::docker'], Package['docker-compose'], File[$requirements_file, $config_yml, $config_py], ], } } diff --git a/site-modules/profile/templates/sentry/relay_credentials.json.erb b/site-modules/profile/templates/sentry/relay_credentials.json.erb new file mode 100644 index 00000000..cd57684b --- /dev/null +++ b/site-modules/profile/templates/sentry/relay_credentials.json.erb @@ -0,0 +1 @@ +{"secret_key":"<%= @relay_secret_key %>","public_key":"<%= @relay_public_key %>","id":"<%= @relay_id %>"} diff --git a/site-modules/profile/templates/sentry/sentry.conf.py.erb b/site-modules/profile/templates/sentry/sentry.conf.py.erb index cea2a783..47bf2ff0 100644 --- a/site-modules/profile/templates/sentry/sentry.conf.py.erb +++ b/site-modules/profile/templates/sentry/sentry.conf.py.erb 
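Review bot: The new `file {$relay_credentials_json: ...}` resource writes the relay secret key with `mode => '0644'`, copying the mode of the non-secret templates; a file holding a private key should be `mode => '0600'`. The parent `$onpremise_dir` is `0700`, which limits exposure on the host, but the copy bind-mounted into the relay container presumably carries the file mode rather than the directory's, so the looser mode is worth fixing at the source. If Relay inside the container runs as a non-root uid, tightening the mode will also require that uid to own the file instead of root, so confirm how upstream's compose file mounts `relay/credentials.json` before changing it. Separately, both execs still require `File[$requirements_file, $config_yml, $config_py]` and omit `File[$relay_credentials_json]`; ordering currently holds only via the file's `notify`, so add the new resource to both `require` lists for consistency.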
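Review bot: The template interpolates `@relay_secret_key`, `@relay_public_key` and `@relay_id` into JSON string positions without any escaping, so a value containing `"` or `\` would yield invalid JSON or, worse, inject extra keys. Today's values are base64url and a UUID, which are safe, but since the file is parsed by Relay as JSON it costs nothing to let Ruby do the quoting: `{"secret_key":<%= @relay_secret_key.to_json %>,"public_key":<%= @relay_public_key.to_json %>,"id":<%= @relay_id.to_json %>}`. That also fails loudly at catalog compile time if a lookup returns `undef` instead of writing `""`.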
@@ -1,239 +1,244 @@ # File managed by puppet (module profile::sentry), modifications will be lost! # This file is just Python, with a touch of Django which means # you can inherit and tweak settings to your hearts content. from sentry.conf.server import * # NOQA DATABASES = { "default": { "ENGINE": "sentry.db.postgres", "NAME": "<%= @postgres_dbname %>", "USER": "<%= @postgres_user %>", "PASSWORD": "<%= @postgres_password %>", "HOST": "<%= @postgres_host %>", "PORT": "<%= @postgres_port %>", } } # You should not change this setting after your database has been created # unless you have altered all schemas first SENTRY_USE_BIG_INTS = True # If you're expecting any kind of real traffic on Sentry, we highly recommend # configuring the CACHES and Redis settings ########### # General # ########### # Instruct Sentry that this install intends to be run by a single organization # and thus various UI optimizations should be enabled. SENTRY_SINGLE_ORGANIZATION = True SENTRY_OPTIONS["system.event-retention-days"] = int( env('SENTRY_EVENT_RETENTION_DAYS', '90') ) ######### # Redis # ######### # Generic Redis configuration used as defaults for various things including: # Buffers, Quotas, TSDB SENTRY_OPTIONS["redis.clusters"] = { "default": { "hosts": {0: {"host": "redis", "password": "", "port": "6379", "db": "0"}} } } ######### # Queue # ######### # See https://docs.getsentry.com/on-premise/server/queue/ for more # information on configuring your queue broker and workers. Sentry relies # on a Python framework called Celery to manage queues. rabbitmq_host = None if rabbitmq_host: BROKER_URL = "amqp://{username}:{password}@{host}/{vhost}".format( username="guest", password="guest", host=rabbitmq_host, vhost="/" ) else: BROKER_URL = "redis://:{password}@{host}:{port}/{db}".format( **SENTRY_OPTIONS["redis.clusters"]["default"]["hosts"][0] ) ######### # Cache # ######### # Sentry currently utilizes two separate mechanisms. 
While CACHES is not a # requirement, it will optimize several high throughput patterns. CACHES = { "default": { "BACKEND": "django.core.cache.backends.memcached.MemcachedCache", "LOCATION": ["memcached:11211"], "TIMEOUT": 3600, } } # A primary cache is required for things such as processing events SENTRY_CACHE = "sentry.cache.redis.RedisCache" DEFAULT_KAFKA_OPTIONS = { "bootstrap.servers": "kafka:9092", "message.max.bytes": 50000000, "socket.timeout.ms": 1000, } SENTRY_EVENTSTREAM = "sentry.eventstream.kafka.KafkaEventStream" SENTRY_EVENTSTREAM_OPTIONS = {"producer_configuration": DEFAULT_KAFKA_OPTIONS} KAFKA_CLUSTERS["default"] = DEFAULT_KAFKA_OPTIONS ############### # Rate Limits # ############### # Rate limits apply to notification handlers and are enforced per-project # automatically. SENTRY_RATELIMITER = "sentry.ratelimits.redis.RedisRateLimiter" ################## # Update Buffers # ################## # Buffers (combined with queueing) act as an intermediate layer between the # database and the storage API. They will greatly improve efficiency on large # numbers of the same events being sent to the API in a short amount of time. # (read: if you send any kind of real data to Sentry, you should enable buffers) SENTRY_BUFFER = "sentry.buffer.redis.RedisBuffer" ########## # Quotas # ########## # Quotas allow you to rate limit individual projects or the Sentry install as # a whole. SENTRY_QUOTAS = "sentry.quotas.redis.RedisQuota" ######## # TSDB # ######## # The TSDB is used for building charts as well as making things like per-rate # alerts possible. SENTRY_TSDB = "sentry.tsdb.redissnuba.RedisSnubaTSDB" ######### # SNUBA # ######### SENTRY_SEARCH = "sentry.search.snuba.EventsDatasetSnubaSearchBackend" SENTRY_SEARCH_OPTIONS = {} SENTRY_TAGSTORE_OPTIONS = {} ########### # Digests # ########### # The digest backend powers notification summaries. 
SENTRY_DIGESTS = "sentry.digests.backends.redis.RedisBackend" ############## # Web Server # ############## SENTRY_WEB_HOST = "0.0.0.0" SENTRY_WEB_PORT = 9000 SENTRY_WEB_OPTIONS = { # These ase for proper HTTP/1.1 support from uWSGI # Without these it doesn't do keep-alives causing # issues with Relay's direct requests. "http-keepalive": True, "http-chunked-input": True, # the number of web workers 'workers': 3, # Turn off memory reporting "memory-report": False, # Some stuff so uwsgi will cycle workers sensibly 'max-requests': 100000, 'max-requests-delta': 500, 'max-worker-lifetime': 86400, # Duplicate options from sentry default just so we don't get # bit by sentry changing a default value that we depend on. 'thunder-lock': True, 'log-x-forwarded-for': False, 'buffer-size': 32768, 'limit-post': 209715200, 'disable-logging': True, 'reload-on-rss': 600, 'ignore-sigpipe': True, 'ignore-write-errors': True, 'disable-write-exception': True, } ########### # SSL/TLS # ########### # If you're using a reverse SSL proxy, you should enable the X-Forwarded-Proto # header and enable the settings below SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https') SESSION_COOKIE_SECURE = True CSRF_COOKIE_SECURE = True SOCIAL_AUTH_REDIRECT_IS_HTTPS = True # End of SSL/TLS settings ############ # Features # ############ SENTRY_FEATURES["projects:sample-events"] = False SENTRY_FEATURES.update( { feature: True for feature in ( "organizations:discover", "organizations:events", "organizations:global-views", "organizations:integrations-issue-basic", "organizations:integrations-issue-sync", "organizations:invite-members", "organizations:sso-basic", "organizations:sso-rippling", "organizations:sso-saml2", "projects:custom-inbound-filters", "projects:data-forwarding", "projects:discard-groups", "projects:plugins", "projects:rate-limits", "projects:servicehooks", ) } ) ###################### # GitHub Integration # ###################### GITHUB_EXTENDED_PERMISSIONS = ['repo'] 
######################### # Bitbucket Integration # ######################## # BITBUCKET_CONSUMER_KEY = 'YOUR_BITBUCKET_CONSUMER_KEY' # BITBUCKET_CONSUMER_SECRET = 'YOUR_BITBUCKET_CONSUMER_SECRET' + +####################### +# Relay configuration # +####################### +SENTRY_RELAY_WHITELIST_PK = ['<%= @relay_public_key %>']
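Review bot: The added `SENTRY_RELAY_WHITELIST_PK = ['<%= @relay_public_key %>']` drops the key into a single-quoted Python literal without escaping, so a value with `'` or `\` would break or alter `sentry.conf.py` at import time; base64url keys avoid those characters, but `['<%= @relay_public_key.to_json %>']` written as `[<%= @relay_public_key.to_json %>]` gives a valid, escaped Python string for any input. More importantly the setting deserves a comment about what it grants: as I understand Relay registration, a relay presenting a whitelisted public key is accepted as a trusted relay without manual approval, which makes the matching secret in `relay/credentials.json` an ingest-level credential, so I would add `# Relays whose public key is listed here are trusted automatically; keep this in sync with the key pair in relay/credentials.json and rotate both together`. Confirm that reading against the Sentry version pinned in requirements.txt.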