Verified Commit f5f5b4c7 authored by Kristian Klausen's avatar Kristian Klausen :tada:

WireGuard the remaining Prometheus exporters

WireGuard was set up to provide an internal network with confidentiality,
authenticity and integrity[1]. This migrates the remaining Prometheus
exporters to use the internal WireGuard network.

[1] 664deb67 ("WireGuard all hosts")

Fix #384
parent 168a0cfb
Pipeline #34069 passed
...@@ -53,7 +53,7 @@ scrape_configs: ...@@ -53,7 +53,7 @@ scrape_configs:
- job_name: 'node_exporter' - job_name: 'node_exporter'
static_configs: static_configs:
{% for host in groups['all'] %} {% for host in groups['all'] %}
- targets: ['{{ host }}:{{ prometheus_exporter_port }}'] - targets: ['{{ hostvars[host]['wireguard_address'] }}:{{ prometheus_exporter_port }}']
labels: labels:
instance: "{{ host }}" instance: "{{ host }}"
{% endfor %} {% endfor %}
...@@ -83,7 +83,7 @@ scrape_configs: ...@@ -83,7 +83,7 @@ scrape_configs:
- job_name: 'gitlab_runner_exporter' - job_name: 'gitlab_runner_exporter'
static_configs: static_configs:
{% for host in groups['gitlab_runners'] %} {% for host in groups['gitlab_runners'] %}
- targets: ['{{ host }}:{{ gitlab_runner_exporter_port }}'] - targets: ['{{ hostvars[host]['wireguard_address'] }}:{{ gitlab_runner_exporter_port }}']
labels: labels:
instance: "{{ host }}" instance: "{{ host }}"
{% endfor %} {% endfor %}
...@@ -112,7 +112,7 @@ scrape_configs: ...@@ -112,7 +112,7 @@ scrape_configs:
- job_name: 'mysqld_exporter' - job_name: 'mysqld_exporter'
static_configs: static_configs:
{% for host in groups['mysql_servers'] %} {% for host in groups['mysql_servers'] %}
- targets: ['{{ host }}:{{ prometheus_mysqld_exporter_port }}'] - targets: ['{{ hostvars[host]['wireguard_address'] }}:{{ prometheus_mysqld_exporter_port }}']
labels: labels:
instance: "{{ host }}" instance: "{{ host }}"
{% endfor %} {% endfor %}
...@@ -120,7 +120,7 @@ scrape_configs: ...@@ -120,7 +120,7 @@ scrape_configs:
- job_name: 'memcached_exporter' - job_name: 'memcached_exporter'
static_configs: static_configs:
{% for host in groups['memcached'] %} {% for host in groups['memcached'] %}
- targets: ['{{ host }}:{{ prometheus_memcached_exporter_port }}'] - targets: ['{{ hostvars[host]['wireguard_address'] }}:{{ prometheus_memcached_exporter_port }}']
labels: labels:
instance: "{{ host }}" instance: "{{ host }}"
{% endfor %} {% endfor %}
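Review bot: Each of the four rewritten `targets` lines dereferences `hostvars[host]['wireguard_address']` without a guard, so rendering now depends on every member of `groups['all']`, `gitlab_runners`, `mysql_servers` and `memcached` defining that variable. With Ansible's default undefined handling a single host without it should abort the whole template, which fails closed but blocks the monitoring deploy. An early `ansible.builtin.assert` with `that: hostvars[item]['wireguard_address'] is defined` looped over `groups['all']` would give a clearer error than a template failure. A comment above the first job, such as `# Scraped over the internal WireGuard network; instance keeps the public hostname`, would also record why target and label now differ. The `scrape_configs` block starts and ends outside these hunks.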
......
...@@ -221,21 +221,21 @@ ...@@ -221,21 +221,21 @@
when: "'memcached' in group_names" when: "'memcached' in group_names"
- name: Open prometheus-node-exporter ipv4 port for monitoring.archlinux.org - name: Open prometheus-node-exporter ipv4 port for monitoring.archlinux.org
ansible.posix.firewalld: state=enabled permanent=true immediate=yes ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['ipv4_address'] }} port protocol=tcp port={{ prometheus_exporter_port }} accept" rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port={{ prometheus_exporter_port }} accept"
when: "'prometheus' not in group_names" when: "'prometheus' not in group_names"
- name: Open gitlab exporter ipv4 port for monitoring.archlinux.org - name: Open gitlab exporter ipv4 port for monitoring.archlinux.org
ansible.posix.firewalld: state=enabled permanent=true immediate=yes ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['ipv4_address'] }} port protocol=tcp port={{ gitlab_runner_exporter_port }} accept" rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port={{ gitlab_runner_exporter_port }} accept"
when: "'gitlab_runners' in group_names" when: "'gitlab_runners' in group_names"
- name: Open prometheus mysqld exporter ipv4 port for monitoring.archlinux.org - name: Open prometheus mysqld exporter ipv4 port for monitoring.archlinux.org
ansible.posix.firewalld: state=enabled permanent=true immediate=yes ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['ipv4_address'] }} port protocol=tcp port={{ prometheus_mysqld_exporter_port }} accept" rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port={{ prometheus_mysqld_exporter_port }} accept"
when: "'mysql_servers' in group_names" when: "'mysql_servers' in group_names"
- name: Open prometheus memcached exporter ipv4 port for monitoring.archlinux.org - name: Open prometheus memcached exporter ipv4 port for monitoring.archlinux.org
ansible.posix.firewalld: state=enabled permanent=true immediate=yes ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['ipv4_address'] }} port protocol=tcp port={{ prometheus_memcached_exporter_port }} accept" rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port={{ prometheus_memcached_exporter_port }} accept"
when: "'memcached' in group_names" when: "'memcached' in group_names"
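Review bot: The four tasks add the new rich rules in `zone=wireguard`, but nothing visible here retracts the previous ones, which were created with `permanent=true` in the default zone for the public `ipv4_address` of monitoring.archlinux.org. On hosts that were already provisioned those rules would persist, so the exporter ports would stay reachable from that address outside the tunnel unless they are cleaned up elsewhere. Consider a companion task per exporter that repeats the old rule with `state=disabled permanent=true immediate=yes`, to be dropped once all hosts have converged. The task list starts before this hunk and may continue after it, so such cleanup could already exist outside the visible lines.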