From 196bac9cf623dc55f94ec190bf41f89b898f2fd2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?H=C3=A5vard=20Pettersson?= Date: Tue, 22 Aug 2023 18:24:44 +0000 Subject: [PATCH] Add TLS configuration to systemd_exporter role This adds the systemd_exporter_tls_server_config variable, equivalent to the one in node_exporter and others, enabling the use of TLS for the systemd exporter. --- roles/systemd_exporter/README.md | 8 ++++++ roles/systemd_exporter/defaults/main.yml | 2 ++ .../systemd_exporter/meta/argument_specs.yml | 5 ++++ .../molecule/alternative/molecule.yml | 3 +++ .../molecule/alternative/prepare.yml | 23 +++++++++++++++++ roles/systemd_exporter/tasks/configure.yml | 17 +++++++++++++ roles/systemd_exporter/tasks/preflight.yml | 25 +++++++++++++++++++ .../systemd_exporter/templates/config.yaml.j2 | 6 +++++ .../templates/systemd_exporter.service.j2 | 3 +++ 9 files changed, 92 insertions(+) create mode 100644 roles/systemd_exporter/templates/config.yaml.j2 diff --git a/roles/systemd_exporter/README.md b/roles/systemd_exporter/README.md index 7ec88e55b..6f3a1e0df 100644 --- a/roles/systemd_exporter/README.md +++ b/roles/systemd_exporter/README.md @@ -27,6 +27,14 @@ Use it in a playbook as follows: - prometheus.prometheus.systemd_exporter ``` +### TLS config + +See node_exporter README for more extensive example: + + systemd_exporter_tls_server_config: + cert_file: /etc/systemd_exporter/tls.cert + key_file: /etc/systemd_exporter/tls.key + ## Local Testing The preferred way of locally testing the role is to use Docker and [molecule](https://github.com/ansible-community/molecule) (v3.x). You will have to install Docker on your system. See "Get started" for a Docker package suitable to for your system. Running your tests is as simple as executing `molecule test`. diff --git a/roles/systemd_exporter/defaults/main.yml b/roles/systemd_exporter/defaults/main.yml index 955737f70..444c4531c 100644 --- a/roles/systemd_exporter/defaults/main.yml 
+++ b/roles/systemd_exporter/defaults/main.yml @@ -7,6 +7,8 @@ systemd_exporter_checksums_url: "https://github.com/{{ _systemd_exporter_repo }} systemd_exporter_skip_install: false systemd_exporter_web_listen_address: "0.0.0.0:9558" +systemd_exporter_tls_server_config: {} + systemd_exporter_enable_restart_count: false systemd_exporter_enable_ip_accounting: false systemd_exporter_enable_file_descriptor_size: false diff --git a/roles/systemd_exporter/meta/argument_specs.yml b/roles/systemd_exporter/meta/argument_specs.yml index 2f89f3aae..834655b1d 100644 --- a/roles/systemd_exporter/meta/argument_specs.yml +++ b/roles/systemd_exporter/meta/argument_specs.yml @@ -29,6 +29,11 @@ argument_specs: systemd_exporter_web_listen_address: description: Address on which systemd exporter will listen" default: "0.0.0.0:9558" + systemd_exporter_tls_server_config: + description: + - "Configuration for TLS authentication." + - "Keys and values are the same as in L(Prometheus docs,https://prometheus.io/docs/prometheus/latest/configuration/https/)." + type: "dict" systemd_exporter_enable_restart_count: description: Enables service restart count metrics. This feature only works with systemd 235 and above" type: "bool" diff --git a/roles/systemd_exporter/molecule/alternative/molecule.yml b/roles/systemd_exporter/molecule/alternative/molecule.yml index 1b5c515cd..eeb196cc1 100644 --- a/roles/systemd_exporter/molecule/alternative/molecule.yml +++ b/roles/systemd_exporter/molecule/alternative/molecule.yml @@ -7,3 +7,6 @@ provisioner: systemd_exporter_web_listen_address: "127.0.0.1:9000" go_arch: amd64 systemd_exporter_version: 0.4.0 + systemd_exporter_tls_server_config: + cert_file: /etc/systemd_exporter/tls.cert + key_file: /etc/systemd_exporter/tls.key diff --git a/roles/systemd_exporter/molecule/alternative/prepare.yml b/roles/systemd_exporter/molecule/alternative/prepare.yml index fd4acb8e0..ddbed0ada 100644 --- a/roles/systemd_exporter/molecule/alternative/prepare.yml 
+++ b/roles/systemd_exporter/molecule/alternative/prepare.yml @@ -55,3 +55,26 @@ csr_path: "/tmp/tls.csr" privatekey_path: "/tmp/tls.key" provider: selfsigned + +- name: Run target preparation + hosts: all + any_errors_fatal: true + tasks: + - name: Create systemd_exporter cert dir + ansible.builtin.file: + path: "{{ systemd_exporter_tls_server_config.cert_file | dirname }}" + state: directory + owner: root + group: root + mode: u+rwX,g+rwX,o=rX + + - name: Copy cert and key + ansible.builtin.copy: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + mode: "{{ item.mode | default('0644') }}" + loop: + - src: "/tmp/tls.cert" + dest: "{{ systemd_exporter_tls_server_config.cert_file }}" + - src: "/tmp/tls.key" + dest: "{{ systemd_exporter_tls_server_config.key_file }}" diff --git a/roles/systemd_exporter/tasks/configure.yml b/roles/systemd_exporter/tasks/configure.yml index d1596ae95..58f5428e2 100644 --- a/roles/systemd_exporter/tasks/configure.yml +++ b/roles/systemd_exporter/tasks/configure.yml @@ -8,6 +8,23 @@ mode: 0644 notify: restart systemd_exporter +- name: Create systemd_exporter config directory + ansible.builtin.file: + path: "/etc/systemd_exporter" + state: directory + owner: root + group: root + mode: u+rwX,g+rwX,o=rX + +- name: Copy the systemd_exporter config file + ansible.builtin.template: + src: config.yaml.j2 + dest: /etc/systemd_exporter/config.yaml + owner: root + group: root + mode: 0644 + notify: restart systemd_exporter + - name: Allow systemd_exporter port in SELinux on RedHat OS family community.general.seport: ports: "{{ systemd_exporter_web_listen_address.split(':')[-1] }}" diff --git a/roles/systemd_exporter/tasks/preflight.yml b/roles/systemd_exporter/tasks/preflight.yml index d44218a2c..d0ed7e722 100644 --- a/roles/systemd_exporter/tasks/preflight.yml +++ b/roles/systemd_exporter/tasks/preflight.yml 
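Review bot: The "Copy cert and key" task in prepare.yml installs `/tmp/tls.key` with the default `mode: '0644'`, so the private key lands world-readable on the target. The loop already honours a per-item `mode`, so the key entry can carry its own, e.g. `mode: "0640"`, together with an owner/group the exporter process runs under (that user is not visible in this patch, so confirm against the service unit). This is molecule scaffolding, but it is also the example users are most likely to copy into their own plays.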
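Review bot: The new "Copy the systemd_exporter config file" task in configure.yml uses an unquoted `mode: 0644`, which a YAML 1.1 loader reads as the integer 420; Ansible happens to accept that, but ansible-lint's risky-octal rule flags it and `mode: "0644"` removes the ambiguity. The pre-existing context line above uses the same form, so this is a file-wide style point rather than a regression introduced here.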
@@ -25,6 +25,31 @@ that: - "':' in systemd_exporter_web_listen_address" +- name: Assert that TLS config is correct + when: systemd_exporter_tls_server_config | length > 0 + block: + - name: Assert that TLS key and cert path are set + ansible.builtin.assert: + that: + - "systemd_exporter_tls_server_config.cert_file is defined" + - "systemd_exporter_tls_server_config.key_file is defined" + + - name: Check existence of TLS cert file + ansible.builtin.stat: + path: "{{ systemd_exporter_tls_server_config.cert_file }}" + register: __systemd_exporter_cert_file + + - name: Check existence of TLS key file + ansible.builtin.stat: + path: "{{ systemd_exporter_tls_server_config.key_file }}" + register: __systemd_exporter_key_file + + - name: Assert that TLS key and cert are present + ansible.builtin.assert: + that: + - "{{ __systemd_exporter_cert_file.stat.exists }}" + - "{{ __systemd_exporter_key_file.stat.exists }}" + - name: Assert that systemd version is >= 235 when enabling ip accounting or measuring restart count ansible.builtin.assert: that: diff --git a/roles/systemd_exporter/templates/config.yaml.j2 b/roles/systemd_exporter/templates/config.yaml.j2 new file mode 100644 index 000000000..2da5bcb15 --- /dev/null +++ b/roles/systemd_exporter/templates/config.yaml.j2 @@ -0,0 +1,6 @@ +--- +{{ ansible_managed | comment }} +{% if node_exporter_tls_server_config | length > 0 %} +tls_server_config: +{{ node_exporter_tls_server_config | to_nice_yaml | indent(2, true) }} +{% endif %} diff --git a/roles/systemd_exporter/templates/systemd_exporter.service.j2 b/roles/systemd_exporter/templates/systemd_exporter.service.j2 index 2cb7e588e..dc6c547a5 100644 --- a/roles/systemd_exporter/templates/systemd_exporter.service.j2 +++ b/roles/systemd_exporter/templates/systemd_exporter.service.j2 
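Review bot: The last assert in preflight.yml wraps its conditions in Jinja delimiters (`- "{{ __systemd_exporter_cert_file.stat.exists }}"`), but `that:` entries are already evaluated as Jinja expressions, so Ansible emits a deprecation warning about templating delimiters in conditionals. Write them as bare expressions: `- __systemd_exporter_cert_file.stat.exists` and `- __systemd_exporter_key_file.stat.exists`. The earlier "is defined" asserts in the same block already use the bare form, so this also makes the block internally consistent.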
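Review bot: config.yaml.j2 reads `node_exporter_tls_server_config` on both the `{% if %}` line and the `to_nice_yaml` line, while the variable this role defines and documents is `systemd_exporter_tls_server_config`. On a host without node_exporter variables the template task fails with an undefined variable; on a host that has them it silently renders node_exporter's certificate paths into this exporter's web config. Change both references to `{% if systemd_exporter_tls_server_config | length > 0 %}` and `{{ systemd_exporter_tls_server_config | to_nice_yaml | indent(2, true) }}`. The molecule alternative scenario sets only the systemd_exporter variable, so it should surface this as a failed template task.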
@@ -23,6 +23,9 @@ ExecStart={{ systemd_exporter_binary_install_dir }}/systemd_exporter \ {% endif %} {% if systemd_exporter_unit_exclude != "" %} --systemd.collector.unit-exclude={{ systemd_exporter_unit_exclude }} \ +{% endif %} +{% if systemd_exporter_tls_server_config | length > 0 %} + --web.config.file=/etc/systemd_exporter/config.yaml \ {% endif %} --web.listen-address={{ systemd_exporter_web_listen_address }}