diff --git a/site-modules/profile/manifests/thanos/gateway.pp b/site-modules/profile/manifests/thanos/gateway.pp index ccea5eaf..6c26481b 100644 --- a/site-modules/profile/manifests/thanos/gateway.pp +++ b/site-modules/profile/manifests/thanos/gateway.pp 
@@ -1,67 +1,72 @@ # Thanos gateway services (historical metrics access) class profile::thanos::gateway { include profile::thanos::base + include profile::thanos::tls_certificate + + $cert_paths = $::profile::thanos::tls_certificate::cert_paths $internal_ip = ip_for_network(lookup('internal_network')) $services = lookup('thanos::gateway::services') $azure_account = lookup('thanos::objstore::azure_account') $azure_account_key = lookup('thanos::objstore::azure_account_key') $config_dir = $::profile::thanos::base::config_dir $services.each | $dataset_name, $service | { $objstore_config = { "type" => "AZURE", "config" => { "storage_account" => $azure_account, "storage_account_key" => $azure_account_key, "container" => $service['azure-storage-container'], }, } $objstore_config_file = "${::profile::thanos::base::config_dir}/objstore-${dataset_name}.yml" file {$objstore_config_file: ensure => present, owner => 'root', group => 'prometheus', mode => '0640', content => inline_yaml($objstore_config), require => File[$::profile::thanos::base::config_dir], } $port_http = $service['port-http'] $http_address = "${internal_ip}:${port_http}" $port_grpc = $service['port-grpc'] $grpc_address = "${internal_ip}:${port_grpc}" + $grpc_target = "${swh_hostname['internal_fqdn']}:${port_grpc}" $service_name = "thanos-gateway@${dataset_name}" $unit_name = "${service_name}.service" ::systemd::dropin_file {"${service_name}/parameters.conf": ensure => present, unit => $unit_name, filename => 'parameters.conf', content => template('profile/thanos/gateway-parameters.conf.erb'), notify => Service[$service_name], } service {$service_name: ensure => 'running', enable => true, tag => 'thanos-gateway', } # gateway service grpc address pushed to query service configuration file to access # historical data - ::profile::thanos::export_query_endpoint {"thanos-gateway-${grpc_address}": - grpc_address => $grpc_address + ::profile::thanos::export_query_endpoint {"thanos-gateway-${grpc_target}": + 
grpc_address => $grpc_target } } + # Uses: $config_dir, $cert_paths systemd::unit_file {'thanos-gateway@.service': ensure => present, content => template('profile/thanos/gateway@.service.erb'), require => Class['profile::thanos::base'], } ~> Service <| tag == 'thanos-gateway' |> } diff --git a/site-modules/profile/manifests/thanos/prometheus_sidecar.pp b/site-modules/profile/manifests/thanos/prometheus_sidecar.pp index 42dacff3..6bf80510 100644 --- a/site-modules/profile/manifests/thanos/prometheus_sidecar.pp +++ b/site-modules/profile/manifests/thanos/prometheus_sidecar.pp 
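Review bot: The `systemd::unit_file {'thanos-gateway@.service'}` at the end of this hunk still only has `require => Class['profile::thanos::base']`, so nothing orders the certificate from the newly included `profile::thanos::tls_certificate` before the unit is rendered and the `thanos-gateway@` services are started, and nothing restarts them when the certificate is renewed. On a fresh host the store can be started with `--grpc-server-tls-cert` pointing at a file that does not exist yet, and after renewal it keeps serving the old certificate until something restarts it (whether the unit's SIGHUP reload re-reads TLS material is not established by anything visible here). Unless `profile::letsencrypt::certificate` establishes that ordering itself, I would make it explicit: `require => Class['profile::thanos::base', 'profile::thanos::tls_certificate'],` on the unit file, plus `Class['profile::thanos::tls_certificate'] ~> Service <| tag == 'thanos-gateway' |>` next to the existing chain.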
@@ -1,66 +1,72 @@ # Thanos prometheus sidecar class profile::thanos::prometheus_sidecar { include profile::thanos::base + include profile::thanos::tls_certificate $service_name = 'thanos-sidecar' $unit_name = "${service_name}.service" $objstore_config = lookup('thanos::objstore::config') $objstore_config_file = "${::profile::thanos::base::config_dir}/objstore.yml" $port_http = lookup('thanos::sidecar::port_http') $port_grpc = lookup('thanos::sidecar::port_grpc') $internal_ip = ip_for_network(lookup('internal_network')) $grpc_address = "${internal_ip}:${port_grpc}" + $grpc_target = "${swh_hostname['internal_fqdn']}:${port_grpc}" + + $cert_paths = $::profile::thanos::tls_certificate::cert_paths $sidecar_arguments = { - tsdb => { + tsdb => { path => '/var/lib/prometheus/metrics2', }, - prometheus => { + prometheus => { # use the listen address for the prometheus server url => "http://${::profile::prometheus::server::target}/", }, - objstore => { + objstore => { 'config-file' => $objstore_config_file, }, - shipper => { + shipper => { 'upload-compacted' => true, }, - 'http-address' => "${internal_ip}:${port_http}", - 'grpc-address' => $grpc_address, + 'grpc-server-tls-cert' => $cert_paths['fullchain'], + 'grpc-server-tls-key' => $cert_paths['privkey'], + 'http-address' => "${internal_ip}:${port_http}", + 'grpc-address' => $grpc_address, } file {$objstore_config_file: ensure => present, owner => 'root', group => 'prometheus', mode => '0640', content => inline_yaml($objstore_config), require => File[$::profile::thanos::base::config_dir], } # Template uses: # $sidecar_arguments systemd::unit_file {$unit_name: ensure => present, content => template('profile/thanos/thanos-sidecar.service.erb'), require => Class['profile::thanos::base'], notify => Service[$service_name] } service {$service_name: ensure => 'running', enable => true, require => Service['prometheus'], } Class['profile::thanos::base'] ~> Service[$service_name] # Ensure prometheus is configured properly before 
starting the sidecar Exec['restart-prometheus'] -> Service[$service_name] ::profile::thanos::export_query_endpoint {"thanos-sidecar-${::fqdn}": - grpc_address => $grpc_address + grpc_address => $grpc_target } } diff --git a/site-modules/profile/manifests/thanos/query.pp b/site-modules/profile/manifests/thanos/query.pp index ecfb04e9..42dd951c 100644 --- a/site-modules/profile/manifests/thanos/query.pp +++ b/site-modules/profile/manifests/thanos/query.pp 
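Review bot: The new `'grpc-server-tls-cert'`/`'grpc-server-tls-key'` entries in `$sidecar_arguments` enable server-side TLS only; there is no `grpc-server-tls-client-ca`, so the sidecar authenticates itself to thanos-query but does not authenticate callers, and any host that can reach `$grpc_address` on the internal network can still issue Store API queries against the Prometheus TSDB. If that is the intended trust boundary (internal-network binding plus verification on the query side), say so above the two keys, e.g. `# Server-side TLS only: callers are not authenticated; exposure is bounded by the internal-network bind address.`; if mutual TLS is wanted, it needs an internal CA rather than the public bundle, since a public CA as client CA would accept any publicly issued certificate. As with the gateway, `Service[$service_name]` has no relationship to `Class['profile::thanos::tls_certificate']`, so a renewed certificate is not picked up without a restart.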
@@ -1,67 +1,69 @@ # Thanos query class profile::thanos::query { include profile::thanos::base $service_name = 'thanos-query' $unit_name = "${service_name}.service" $port_http = lookup('thanos::query::port_http') $non_puppet_managed_stores = lookup('thanos::query::non_puppet_managed::stores') $internal_ip = ip_for_network(lookup('internal_network')) $config_filepath = lookup('thanos::query::config_filepath') concat {$config_filepath: ensure => present, path => $config_filepath, owner => $user, group => 'prometheus', mode => '0640', ensure_newline => true, order => 'numeric', tag => 'thanos', require => File[$::profile::thanos::base::config_dir], notify => Service[$service_name], } concat::fragment { 'header': target => $config_filepath, content => "---\n- targets:\n", order => 0, tag => 'thanos', require => File[$config_dir], } $non_puppet_managed_stores.map | $store | { concat::fragment { $store: target => $config_filepath, content => " - ${store}\n", order => 1, tag => 'thanos', require => File[$config_dir], } } # Deal with collected resources Profile::Thanos::Query_endpoint <<| |>> $query_arguments = { - "http-address" => "${internal_ip}:${port_http}", - "store.sd-files" => $config_filepath, + "http-address" => "${internal_ip}:${port_http}", + "store.sd-files" => $config_filepath, + "grpc-client-tls-secure" => true, + "grpc-client-tls-ca" => '/etc/ssl/certs/ca-certificates.crt', } systemd::unit_file {$unit_name: ensure => present, content => template("profile/thanos/${unit_name}.erb"), require => Class['profile::thanos::base'], notify => Service[$service_name], } # Template uses: # $query_arguments service {$service_name: ensure => 'running', enable => true, } Class['profile::thanos::base'] ~> Service[$service_name] } diff --git a/site-modules/profile/manifests/thanos/tls_certificate.pp b/site-modules/profile/manifests/thanos/tls_certificate.pp new file mode 100644 index 00000000..be98d4ce --- /dev/null 
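Review bot: `"grpc-client-tls-secure" => true` in `$query_arguments` applies to every endpoint in `store.sd-files`, including the `thanos::query::non_puppet_managed::stores` list taken from hiera, and `grpc-client-tls-ca` verifies the presented certificate against the name that was dialed; an entry that is still plaintext, or listed by IP rather than by a name its certificate covers, will stop being queryable after this change. I would document that contract next to the lookup: `# All stores, including non-puppet-managed ones, must serve TLS and be listed by a hostname matching their certificate.` The CA bundle path is also a literal here while the new `profile::thanos::tls_certificate` class defines the same value as `$ca_path`; if including that class on the query host is undesirable because it requests a certificate, a hiera key would keep the two in sync.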
+++ b/site-modules/profile/manifests/thanos/tls_certificate.pp @@ -0,0 +1,10 @@ +# Thanos TLS certificate management +class profile::thanos::tls_certificate { + ::profile::letsencrypt::certificate {'thanos': + source_cert => $trusted['certname'], + privkey_owner => 'prometheus', + } + + $cert_paths = ::profile::letsencrypt::certificate_paths('thanos') + $ca_path = '/etc/ssl/certs/ca-certificates.crt' +} diff --git a/site-modules/profile/templates/thanos/gateway@.service.erb b/site-modules/profile/templates/thanos/gateway@.service.erb index 9d0198e3..7378beba 100644 --- a/site-modules/profile/templates/thanos/gateway@.service.erb +++ b/site-modules/profile/templates/thanos/gateway@.service.erb @@ -1,47 +1,48 @@ # File managed by puppet (class profile::thanos::gateway) # Manual changes will be overwritten [Unit] Description=Thanos gateway instance %i [Service] Environment=HTTP_ADDRESS= Environment=GRPC_ADDRESS= Restart=on-failure User=prometheus ExecStart=/opt/thanos/current/thanos store \ --data-dir $CACHE_DIRECTORY \ --objstore.config-file <%= @config_dir %>/objstore-%i.yml \ --http-address $HTTP_ADDRESS \ + --grpc-server-tls-cert=<%= @cert_paths['fullchain'] %> --grpc-server-tls-key=<%= @cert_paths['privkey'] %> \ --grpc-address $GRPC_ADDRESS ExecReload=/bin/kill -HUP $MAINPID TimeoutStopSec=20s SendSIGKILL=no CacheDirectory=thanos/gateway-%i # systemd hardening-options AmbientCapabilities= CapabilityBoundingSet= DeviceAllow=/dev/null rw DevicePolicy=strict LimitMEMLOCK=0 LimitNOFILE=8192 LockPersonality=true MemoryDenyWriteExecute=true NoNewPrivileges=true PrivateDevices=true PrivateTmp=true PrivateUsers=true ProtectControlGroups=true ProtectHome=true ProtectKernelModules=true ProtectKernelTunables=true ProtectSystem=full RemoveIPC=true RestrictNamespaces=true RestrictRealtime=true SystemCallArchitectures=native [Install] WantedBy=multi-user.target
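Review bot: `source_cert => $trusted['certname']` ties the certificate to the agent's certname, while the sidecar and gateway hunks register `${swh_hostname['internal_fqdn']}:${port_grpc}` as the address thanos-query dials; unless the issued certificate's SANs cover that internal FQDN, query-side hostname verification will fail for every store. A comment stating the requirement would help, e.g. `# Certificate must cover the internal FQDN that peers dial (swh_hostname['internal_fqdn']); thanos-query verifies it against the system CA bundle.` `$ca_path` is declared but no other hunk consumes it (query.pp uses the literal), and `privkey_owner => 'prometheus'` makes the private key readable by everything running as that user, not only the Thanos components — acceptable if that is the intended boundary, but worth noting in the class header.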
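Review bot: The added `ExecStart` continuation packs two options onto one line in the `--flag=value` form, while every other option in the command is one per line in the `--flag value` form; for readability and cleaner future diffs I would split it as `--grpc-server-tls-cert <%= @cert_paths['fullchain'] %> \` and `--grpc-server-tls-key <%= @cert_paths['privkey'] %> \`. Separately, nothing here establishes that `ExecReload=/bin/kill -HUP $MAINPID` makes `thanos store` re-read the certificate and key, so a renewed Let's Encrypt certificate should be assumed to need a restart of the `thanos-gateway@` instances until that is confirmed.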