feat: add database generation to grafana
- ensure a database, user and credential are created for each grafana node
- ensure all databases for a region are included in a mariadb cluster
- refine params with stdlib types
@@ -1,13 +1,14 @@
|
||||
# profiles::metrics::grafana
|
||||
class profiles::metrics::grafana (
|
||||
Integer $http_port = 8080,
|
||||
Stdlib::Port $http_port = 8080,
|
||||
String $app_mode = 'production',
|
||||
Boolean $allow_sign_up = false,
|
||||
Boolean $mysql_backend = true,
|
||||
String $mysql_host = '127.0.0.1:3306',
|
||||
String $mysql_user = 'grafana',
|
||||
Sensitive $mysql_pass = 'grafana',
|
||||
Sensitive $mysql_name = 'grafana',
|
||||
String $mysql_name = 'grafana',
|
||||
String $mysql_pass = fqdn_rand_string(16),
|
||||
Stdlib::Host $mysql_host = '127.0.0.1',
|
||||
Stdlib::Port $mysql_port = 3306,
|
||||
|
||||
) {
|
||||
|
||||
@@ -17,25 +18,27 @@ class profiles::metrics::grafana (
|
||||
# when using mysql backend
|
||||
if $mysql_backend {
|
||||
|
||||
# create a db for grafana
|
||||
@@mysql::db { "mydb_${fqdn}":
|
||||
user => $mysql_user,
|
||||
password => $mysql_pass,
|
||||
dbname => $mysql_name,
|
||||
host => $fqdn,
|
||||
grant => ['SELECT', 'UPDATE'],
|
||||
#tag => $domain,
|
||||
@@mysql_user { "${mysql_user}@${facts['networking']['fqdn']}":
|
||||
ensure => present,
|
||||
password_hash => mysql::password(fqdn_rand_string(16)),
|
||||
tag => $facts['region'],
|
||||
}
|
||||
|
||||
@@mysql_grant { "${mysql_user}@${facts['networking']['fqdn']}/${mysql_name}.*":
|
||||
ensure => present,
|
||||
table => "${mysql_name}.*",
|
||||
user => "${mysql_user}@${facts['networking']['fqdn']}",
|
||||
privileges => ['ALL'],
|
||||
tag => $facts['region'],
|
||||
}
|
||||
|
||||
$database_config = {
|
||||
type => 'mysql',
|
||||
host => $mysql_host,
|
||||
host => "${mysql_host}:${mysql_port}",
|
||||
name => $mysql_name,
|
||||
user => $mysql_user,
|
||||
password => $mysql_pass.unwrap,
|
||||
}
|
||||
|
||||
$sensitive_database_config = Sensitive($database_config)
|
||||
}
|
||||
|
||||
# build the grafana config hash
|
||||
@@ -44,7 +47,7 @@ class profiles::metrics::grafana (
|
||||
server => {
|
||||
http_port => $http_port,
|
||||
},
|
||||
database => $sensitive_database_config,
|
||||
database => $database_config,
|
||||
users => {
|
||||
allow_sign_up => $allow_sign_up,
|
||||
},
|
||||
@@ -55,4 +58,10 @@ class profiles::metrics::grafana (
|
||||
cfg => $cfg,
|
||||
}
|
||||
|
||||
# fix the package provided systemd service
|
||||
systemd::unit_file { 'grafana-server.service':
|
||||
content => template('profiles/metrics/grafana.service.erb'),
|
||||
require => Package['grafana'],
|
||||
before => Service['grafana'],
|
||||
}
|
||||
}
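Review bot: The new default `String $mysql_pass = fqdn_rand_string(16)` is not a secret, because `fqdn_rand_string` without a seed is a repeatable function of the node's FQDN. The parameter is also no longer `Sensitive`, and with `database => $database_config` in the later hunk the password can appear in plain text in reports and logs. In the exported `mysql_user`, `password_hash => mysql::password(fqdn_rand_string(16))` recomputes the value instead of using the parameter, so any override of `$mysql_pass` leaves Grafana and MariaDB with different passwords; `password_hash => mysql::password($mysql_pass),` keeps them in step. Prefer supplying `$mysql_pass` from encrypted hiera data as `Sensitive[String]` and passing the config hash wrapped in `Sensitive(...)`, as the removed lines appear to have done. The class body continues outside these hunks.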
|
||||
|
||||
@@ -20,6 +20,7 @@ class profiles::puppet::puppetca (
|
||||
|
||||
# manage the crl file
|
||||
if $is_puppetca {
|
||||
|
||||
# export the puppet crl.pem
|
||||
@@file { '/etc/puppetlabs/puppet/ssl/crl.pem.latest':
|
||||
ensure => file,
|
||||
@@ -31,10 +32,12 @@ class profiles::puppet::puppetca (
|
||||
unit => 'puppetserver.service',
|
||||
}
|
||||
}else{
|
||||
|
||||
# import the puppet crl.pem
|
||||
File <<| tag == 'crl_pem_export' |>> {
|
||||
require => Service['puppetserver'],
|
||||
}
|
||||
|
||||
# copy latest to active location
|
||||
file { '/etc/puppetlabs/puppet/ssl/crl.pem':
|
||||
ensure => file,
|
||||
@@ -43,6 +46,7 @@ class profiles::puppet::puppetca (
|
||||
source => '/etc/puppetlabs/puppet/ssl/crl.pem.latest',
|
||||
require => File['/etc/puppetlabs/puppet/ssl/crl.pem.latest'],
|
||||
}
|
||||
|
||||
# copy the latest crl when restarting
|
||||
systemd::manage_dropin { 'copy_crl.conf':
|
||||
ensure => present,
|
||||
|
||||
@@ -31,6 +31,7 @@ class profiles::sql::galera_member (
|
||||
String $package_name = 'mariadb-server',
|
||||
Boolean $epel_needed = false,
|
||||
Boolean $manage_repo = true,
|
||||
Hash $databases = lookup('mysql::db'),
|
||||
) {
|
||||
|
||||
# check that the master is named
|
||||
@@ -209,6 +210,20 @@ class profiles::sql::galera_member (
|
||||
override_options => $merged_overrides,
|
||||
}
|
||||
|
||||
# import databases for this region
|
||||
Mysql::Db <<| tag == $facts['region'] |>>
|
||||
|
||||
# create databases from hiera
|
||||
$databases.each |$name, $data| {
|
||||
mysql::db {$name:
|
||||
* => $data,
|
||||
}
|
||||
}
|
||||
|
||||
# import users/grants for this region
|
||||
Mysql_user <<| tag == $facts['region'] |>>
|
||||
Mysql_grant <<| tag == $facts['region'] |>>
|
||||
|
||||
}else{
|
||||
notice("${title} requires the servers_array to have 3 or more, currently it is ${length($servers_array)}.")
|
||||
}
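Review bot: The collectors added after `override_options` realize every exported `Mysql::Db`, `Mysql_user` and `Mysql_grant` whose tag equals `$facts['region']`, with whatever `table` and `privileges` the exporting node declared. The grants on the cluster are therefore only as trustworthy as every node that can export into PuppetDB with that tag. A tag dedicated to this purpose, rather than the bare region name, would at least keep unrelated exports out, and it is worth checking that exported grants stay scoped to a single schema. Separately, `lookup('mysql::db')` has no default, so as far as this hunk shows compilation fails on a member whose hiera data lacks the key; `Hash $databases = lookup('mysql::db', Hash, 'hash', {}),` keeps the parameter optional. The class body continues outside the hunk.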
|
||||
|
||||
@@ -0,0 +1,49 @@
|
||||
[Unit]
|
||||
Description=Grafana instance
|
||||
Documentation=http://docs.grafana.org
|
||||
Wants=network-online.target
|
||||
After=network-online.target
|
||||
After=postgresql.service mariadb.service mysqld.service influxdb.service
|
||||
|
||||
[Service]
|
||||
EnvironmentFile=/etc/sysconfig/grafana-server
|
||||
User=grafana
|
||||
Group=grafana
|
||||
Type=notify
|
||||
Restart=on-failure
|
||||
WorkingDirectory=/usr/share/grafana
|
||||
RuntimeDirectory=grafana
|
||||
RuntimeDirectoryMode=0750
|
||||
ExecStart=/usr/share/grafana/bin/grafana server \
|
||||
--config=${CONF_FILE} \
|
||||
--pidfile=${PID_FILE_DIR}/grafana-server.pid \
|
||||
--packaging=rpm \
|
||||
cfg:default.paths.logs=${LOG_DIR} \
|
||||
cfg:default.paths.data=${DATA_DIR} \
|
||||
cfg:default.paths.plugins=${PLUGINS_DIR} \
|
||||
cfg:default.paths.provisioning=${PROVISIONING_CFG_DIR}
|
||||
|
||||
LimitNOFILE=10000
|
||||
TimeoutStopSec=20
|
||||
CapabilityBoundingSet=
|
||||
DeviceAllow=
|
||||
LockPersonality=true
|
||||
MemoryDenyWriteExecute=false
|
||||
NoNewPrivileges=true
|
||||
PrivateDevices=true
|
||||
PrivateTmp=true
|
||||
ProtectControlGroups=true
|
||||
ProtectHome=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectSystem=full
|
||||
RemoveIPC=true
|
||||
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
|
||||
RestrictNamespaces=true
|
||||
RestrictRealtime=true
|
||||
RestrictSUIDSGID=true
|
||||
SystemCallArchitectures=native
|
||||
UMask=0027
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
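Review bot: Nothing in this unit records which directives differ from the packaged grafana-server.service. Because the profile replaces the whole unit through `systemd::unit_file`, later package updates to the hardening directives are silently shadowed. A header comment such as `# Managed by Puppet; differs from the packaged unit in: <list the changed directives>` would make that reviewable, or the change could be carried as a drop-in holding only the overridden directives. The lines shown contain no ERB tags, so the `${...}` references are expanded by systemd from `EnvironmentFile`, not by Puppet.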
|
||||