From 3f6da9781bd358594ee3dfb32380bc823b26ea60 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?H=C3=A5vard=20Pettersson?= Date: Tue, 22 Aug 2023 18:24:44 +0000 Subject: [PATCH 1/5] Add TLS configuration to systemd_exporter role MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This adds the systemd_exporter_tls_server_config variable, equivalent to the one in node_exporter and others, enabling the use of TLS for the systemd exporter. Signed-off-by: Håvard Pettersson --- roles/systemd_exporter/README.md | 8 ++++++ roles/systemd_exporter/defaults/main.yml | 2 ++ .../systemd_exporter/meta/argument_specs.yml | 5 ++++ .../molecule/alternative/molecule.yml | 3 +++ .../molecule/alternative/prepare.yml | 23 +++++++++++++++++ roles/systemd_exporter/tasks/configure.yml | 17 +++++++++++++ roles/systemd_exporter/tasks/preflight.yml | 25 +++++++++++++++++++ .../systemd_exporter/templates/config.yaml.j2 | 6 +++++ .../templates/systemd_exporter.service.j2 | 3 +++ 9 files changed, 92 insertions(+) create mode 100644 roles/systemd_exporter/templates/config.yaml.j2 diff --git a/roles/systemd_exporter/README.md b/roles/systemd_exporter/README.md index 7ec88e55b..6f3a1e0df 100644 --- a/roles/systemd_exporter/README.md +++ b/roles/systemd_exporter/README.md @@ -27,6 +27,14 @@ Use it in a playbook as follows: - prometheus.prometheus.systemd_exporter ``` +### TLS config + +See node_exporter README for more extensive example: + + systemd_exporter_tls_server_config: + cert_file: /etc/systemd_exporter/tls.cert + key_file: /etc/systemd_exporter/tls.key + ## Local Testing The preferred way of locally testing the role is to use Docker and [molecule](https://github.com/ansible-community/molecule) (v3.x). You will have to install Docker on your system. See "Get started" for a Docker package suitable to for your system. Running your tests is as simple as executing `molecule test`. 
diff --git a/roles/systemd_exporter/defaults/main.yml b/roles/systemd_exporter/defaults/main.yml index 955737f70..444c4531c 100644 --- a/roles/systemd_exporter/defaults/main.yml +++ b/roles/systemd_exporter/defaults/main.yml @@ -7,6 +7,8 @@ systemd_exporter_checksums_url: "https://github.com/{{ _systemd_exporter_repo }} systemd_exporter_skip_install: false systemd_exporter_web_listen_address: "0.0.0.0:9558" +systemd_exporter_tls_server_config: {} + systemd_exporter_enable_restart_count: false systemd_exporter_enable_ip_accounting: false systemd_exporter_enable_file_descriptor_size: false diff --git a/roles/systemd_exporter/meta/argument_specs.yml b/roles/systemd_exporter/meta/argument_specs.yml index 2f89f3aae..834655b1d 100644 --- a/roles/systemd_exporter/meta/argument_specs.yml +++ b/roles/systemd_exporter/meta/argument_specs.yml @@ -29,6 +29,11 @@ argument_specs: systemd_exporter_web_listen_address: description: Address on which systemd exporter will listen" default: "0.0.0.0:9558" + systemd_exporter_tls_server_config: + description: + - "Configuration for TLS authentication." + - "Keys and values are the same as in L(Prometheus docs,https://prometheus.io/docs/prometheus/latest/configuration/https/)." + type: "dict" systemd_exporter_enable_restart_count: description: Enables service restart count metrics. This feature only works with systemd 235 and above" type: "bool" diff --git a/roles/systemd_exporter/molecule/alternative/molecule.yml b/roles/systemd_exporter/molecule/alternative/molecule.yml index 1b5c515cd..eeb196cc1 100644 --- a/roles/systemd_exporter/molecule/alternative/molecule.yml +++ b/roles/systemd_exporter/molecule/alternative/molecule.yml @@ -7,3 +7,6 @@ provisioner: systemd_exporter_web_listen_address: "127.0.0.1:9000" go_arch: amd64 systemd_exporter_version: 0.4.0 + systemd_exporter_tls_server_config: + cert_file: /etc/systemd_exporter/tls.cert + key_file: /etc/systemd_exporter/tls.key 
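Review bot: The new `systemd_exporter_tls_server_config` entry in argument_specs.yml declares `type: "dict"` but no `default`, while the neighbouring `systemd_exporter_web_listen_address` spec documents its default and defaults/main.yml sets this variable to `{}`; add `default: {}` under `type: "dict"` so the generated docs and the role defaults agree. The description "Configuration for TLS authentication." also undersells what the dict does: the Prometheus `tls_server_config` block primarily enables TLS on the listener (`cert_file`/`key_file`) and only optionally enforces client-certificate authentication (`client_auth_type`/`client_ca_file`), so I would reword it to `- "Configuration of the exporter's TLS listener (server certificate/key, optional client-certificate authentication)."`. The argument_specs mapping continues past the end of this hunk.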
diff --git a/roles/systemd_exporter/molecule/alternative/prepare.yml b/roles/systemd_exporter/molecule/alternative/prepare.yml index fd4acb8e0..ddbed0ada 100644 --- a/roles/systemd_exporter/molecule/alternative/prepare.yml +++ b/roles/systemd_exporter/molecule/alternative/prepare.yml @@ -55,3 +55,26 @@ csr_path: "/tmp/tls.csr" privatekey_path: "/tmp/tls.key" provider: selfsigned + +- name: Run target preparation + hosts: all + any_errors_fatal: true + tasks: + - name: Create systemd_exporter cert dir + ansible.builtin.file: + path: "{{ systemd_exporter_tls_server_config.cert_file | dirname }}" + state: directory + owner: root + group: root + mode: u+rwX,g+rwX,o=rX + + - name: Copy cert and key + ansible.builtin.copy: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + mode: "{{ item.mode | default('0644') }}" + loop: + - src: "/tmp/tls.cert" + dest: "{{ systemd_exporter_tls_server_config.cert_file }}" + - src: "/tmp/tls.key" + dest: "{{ systemd_exporter_tls_server_config.key_file }}" diff --git a/roles/systemd_exporter/tasks/configure.yml b/roles/systemd_exporter/tasks/configure.yml index d1596ae95..58f5428e2 100644 --- a/roles/systemd_exporter/tasks/configure.yml +++ b/roles/systemd_exporter/tasks/configure.yml @@ -8,6 +8,23 @@ mode: 0644 notify: restart systemd_exporter +- name: Create systemd_exporter config directory + ansible.builtin.file: + path: "/etc/systemd_exporter" + state: directory + owner: root + group: root + mode: u+rwX,g+rwX,o=rX + +- name: Copy the systemd_exporter config file + ansible.builtin.template: + src: config.yaml.j2 + dest: /etc/systemd_exporter/config.yaml + owner: root + group: root + mode: 0644 + notify: restart systemd_exporter + - name: Allow systemd_exporter port in SELinux on RedHat OS family community.general.seport: ports: "{{ systemd_exporter_web_listen_address.split(':')[-1] }}" diff --git a/roles/systemd_exporter/tasks/preflight.yml b/roles/systemd_exporter/tasks/preflight.yml index d44218a2c..d0ed7e722 100644 
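Review bot: The `Copy cert and key` task in prepare.yml installs the TLS private key with the fallback `mode: "{{ item.mode | default('0644') }}"` and the `/tmp/tls.key` loop item sets no `mode`, so the key lands world-readable at `systemd_exporter_tls_server_config.key_file`. Even in a molecule fixture this is the example operators will copy from; give the key item `mode: "0640"` and, if the unit runs the exporter as a non-root user (the `User=` line is outside these hunks), set `group:` to that user's group so the service can still open it. The `Create systemd_exporter cert dir` task's `mode: u+rwX,g+rwX,o=rX` also makes a root:root directory group-writable for no reason; `mode: "0755"` states what is meant and is the quoted-octal form ansible-lint expects.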
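Review bot: `Create systemd_exporter config directory` in configure.yml creates a root:root directory with `mode: u+rwX,g+rwX,o=rX`, i.e. a group-writable `0775`, which is more than a config directory needs; `mode: "0755"` is the conventional value. The new template task also writes `mode: 0644` unquoted, which YAML 1.1 parsers read as the integer 420 — it happens to equal 0o644 so it works by accident, but ansible-lint flags it (`risky-octal`); quote it as `mode: "0644"` (the same unquoted mode on the service-file task above is pre-existing context, not part of this change). Note that `config.yaml` is rendered unconditionally while the unit template only passes `--web.config.file` when the TLS dict is non-empty, so an effectively empty config file is left in place when TLS is off; that is harmless but deserves a task comment such as `# Rendered on every run; only referenced by the unit when TLS is configured`.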
--- a/roles/systemd_exporter/tasks/preflight.yml +++ b/roles/systemd_exporter/tasks/preflight.yml @@ -25,6 +25,31 @@ that: - "':' in systemd_exporter_web_listen_address" +- name: Assert that TLS config is correct + when: systemd_exporter_tls_server_config | length > 0 + block: + - name: Assert that TLS key and cert path are set + ansible.builtin.assert: + that: + - "systemd_exporter_tls_server_config.cert_file is defined" + - "systemd_exporter_tls_server_config.key_file is defined" + + - name: Check existence of TLS cert file + ansible.builtin.stat: + path: "{{ systemd_exporter_tls_server_config.cert_file }}" + register: __systemd_exporter_cert_file + + - name: Check existence of TLS key file + ansible.builtin.stat: + path: "{{ systemd_exporter_tls_server_config.key_file }}" + register: __systemd_exporter_key_file + + - name: Assert that TLS key and cert are present + ansible.builtin.assert: + that: + - "{{ __systemd_exporter_cert_file.stat.exists }}" + - "{{ __systemd_exporter_key_file.stat.exists }}" + - name: Assert that systemd version is >= 235 when enabling ip accounting or measuring restart count ansible.builtin.assert: that: diff --git a/roles/systemd_exporter/templates/config.yaml.j2 b/roles/systemd_exporter/templates/config.yaml.j2 new file mode 100644 index 000000000..2da5bcb15 --- /dev/null +++ b/roles/systemd_exporter/templates/config.yaml.j2 @@ -0,0 +1,6 @@ +--- +{{ ansible_managed | comment }} +{% if node_exporter_tls_server_config | length > 0 %} +tls_server_config: +{{ node_exporter_tls_server_config | to_nice_yaml | indent(2, true) }} +{% endif %} diff --git a/roles/systemd_exporter/templates/systemd_exporter.service.j2 b/roles/systemd_exporter/templates/systemd_exporter.service.j2 index 2cb7e588e..dc6c547a5 100644 --- a/roles/systemd_exporter/templates/systemd_exporter.service.j2 +++ b/roles/systemd_exporter/templates/systemd_exporter.service.j2 
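Review bot: The final assert in the new TLS block wraps its conditions in Jinja delimiters — `- "{{ __systemd_exporter_cert_file.stat.exists }}"` — which Ansible warns about ("conditional statements should not include jinja2 templating delimiters") and newer ansible-core releases reject outright; write them as bare expressions, `- "__systemd_exporter_cert_file.stat.exists"` and `- "__systemd_exporter_key_file.stat.exists"`. None of the three asserts carry a `fail_msg`, so a missing key fails with a generic "Assertion failed"; for example `fail_msg: "TLS key file {{ systemd_exporter_tls_server_config.key_file }} not found on the target"`. Existence is also the only thing checked: `stat` reports readability relative to the Ansible connection user, not the exporter's service account, so a key the exporter cannot read still passes preflight and only fails at service start — a comment saying so, `# NOTE: only checks presence; readability by the service user is not verified`, would save a debugging round. The preflight task list continues beyond this hunk.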
@@ -23,6 +23,9 @@ ExecStart={{ systemd_exporter_binary_install_dir }}/systemd_exporter \ {% endif %} {% if systemd_exporter_unit_exclude != "" %} --systemd.collector.unit-exclude={{ systemd_exporter_unit_exclude }} \ +{% endif %} +{% if systemd_exporter_tls_server_config | length > 0 %} + --web.config.file=/etc/systemd_exporter/config.yaml \ {% endif %} --web.listen-address={{ systemd_exporter_web_listen_address }} From cd913f0083a62c6f478084f4d27737ecbd1ce19b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?H=C3=A5vard=20Pettersson?= Date: Thu, 24 Aug 2023 16:40:52 +0000 Subject: [PATCH 2/5] Fix wrong variable in template MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Håvard Pettersson --- roles/systemd_exporter/templates/config.yaml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/systemd_exporter/templates/config.yaml.j2 b/roles/systemd_exporter/templates/config.yaml.j2 index 2da5bcb15..682b16ce8 100644 --- a/roles/systemd_exporter/templates/config.yaml.j2 +++ b/roles/systemd_exporter/templates/config.yaml.j2 @@ -1,6 +1,6 @@ --- {{ ansible_managed | comment }} -{% if node_exporter_tls_server_config | length > 0 %} +{% if systemd_exporter_tls_server_config | length > 0 %} tls_server_config: -{{ node_exporter_tls_server_config | to_nice_yaml | indent(2, true) }} +{{ systemd_exporter_tls_server_config | to_nice_yaml | indent(2, true) }} {% endif %} From e22e04f6d491d250a83fb14eeb201ef047ea199f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?H=C3=A5vard=20Pettersson?= Date: Fri, 25 Aug 2023 05:33:29 +0000 Subject: [PATCH 3/5] Bump systemd_exporter version in tests. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Håvard Pettersson --- roles/systemd_exporter/README.md | 2 +- roles/systemd_exporter/molecule/alternative/molecule.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
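Review bot: The `--web.config.file=/etc/systemd_exporter/config.yaml` path added to the unit template repeats the literal that configure.yml writes to, so the two can silently drift; keep it in one place, e.g. a role-internal `_systemd_exporter_web_config_file: /etc/systemd_exporter/config.yaml` in vars/ referenced by both the template task and this `ExecStart` line. Because the flag is emitted only when `systemd_exporter_tls_server_config` is non-empty, clearing the dict later reverts the exporter to plaintext on the same listen address without any warning; a template comment, `{# web.config.file is only passed when TLS is configured; emptying the dict downgrades the listener to plaintext #}`, makes that explicit. The `ExecStart` continuation this hunk belongs to starts above the hunk.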
diff --git a/roles/systemd_exporter/README.md b/roles/systemd_exporter/README.md index 6f3a1e0df..15ce615d5 100644 --- a/roles/systemd_exporter/README.md +++ b/roles/systemd_exporter/README.md @@ -29,7 +29,7 @@ Use it in a playbook as follows: ### TLS config -See node_exporter README for more extensive example: +See node_exporter README for more extensive example. Requires systemd_exporter >= 0.5.0. systemd_exporter_tls_server_config: cert_file: /etc/systemd_exporter/tls.cert diff --git a/roles/systemd_exporter/molecule/alternative/molecule.yml b/roles/systemd_exporter/molecule/alternative/molecule.yml index eeb196cc1..2da4db18c 100644 --- a/roles/systemd_exporter/molecule/alternative/molecule.yml +++ b/roles/systemd_exporter/molecule/alternative/molecule.yml @@ -6,7 +6,7 @@ provisioner: systemd_exporter_binary_local_dir: "/tmp/systemd_exporter-linux-amd64" systemd_exporter_web_listen_address: "127.0.0.1:9000" go_arch: amd64 - systemd_exporter_version: 0.4.0 + systemd_exporter_version: 0.5.0 systemd_exporter_tls_server_config: cert_file: /etc/systemd_exporter/tls.cert key_file: /etc/systemd_exporter/tls.key From 9c415697aa17ccd4737af99c6f48251938bc33ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?H=C3=A5vard=20Pettersson?= Date: Sat, 26 Aug 2023 08:21:05 +0000 Subject: [PATCH 4/5] Add a version check for TLS config MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Håvard Pettersson --- roles/systemd_exporter/tasks/preflight.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/systemd_exporter/tasks/preflight.yml b/roles/systemd_exporter/tasks/preflight.yml index d0ed7e722..e407c976f 100644 --- a/roles/systemd_exporter/tasks/preflight.yml +++ b/roles/systemd_exporter/tasks/preflight.yml 
@@ -28,6 +28,11 @@ - name: Assert that TLS config is correct when: systemd_exporter_tls_server_config | length > 0 block: + - name: Assert that systemd_exporter version supports TLS config + ansible.builtin.assert: + that: + - "systemd_exporter_version is version('0.5.0', '>=')" + - name: Assert that TLS key and cert path are set ansible.builtin.assert: that: From 617447897cfef0bcd3f9396df52d674bc21a67f6 Mon Sep 17 00:00:00 2001 From: gardar Date: Tue, 29 Aug 2023 14:25:39 +0000 Subject: [PATCH 5/5] fix: missing newline at end of file Signed-off-by: gardar --- roles/systemd_exporter/molecule/alternative/molecule.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/systemd_exporter/molecule/alternative/molecule.yml b/roles/systemd_exporter/molecule/alternative/molecule.yml index 807abcda7..17c10dfff 100644 --- a/roles/systemd_exporter/molecule/alternative/molecule.yml +++ b/roles/systemd_exporter/molecule/alternative/molecule.yml @@ -10,4 +10,4 @@ provisioner: systemd_exporter_tls_server_config: cert_file: /etc/systemd_exporter/tls.cert key_file: /etc/systemd_exporter/tls.key - systemd_exporter_enable_file_descriptor_size: true \ No newline at end of file + systemd_exporter_enable_file_descriptor_size: true
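Review bot: The new version assert `systemd_exporter_version is version('0.5.0', '>=')` has no `fail_msg`, so a user who configures TLS on 0.4.x gets only a generic assertion failure; add `fail_msg: "systemd_exporter_tls_server_config requires systemd_exporter >= 0.5.0, got {{ systemd_exporter_version }}"`. If the role accepts a non-numeric value such as `latest` for `systemd_exporter_version` (sibling roles in this collection do, but I cannot confirm it from this hunk), the `version` test would error or compare wrongly on that string, so the assert should run after any latest-version resolution or be guarded with `systemd_exporter_version != 'latest'`. The TLS block continues below this hunk.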