feat: add database generation to grafana

- ensure a database, user and credential is created for each grafana node
- ensure all databases for a region are included in a mariadb cluster
- refine params with stdlib types
This commit is contained in:
2024-06-16 00:41:02 +10:00
parent 0fe05bb896
commit 62cac63f11
9 changed files with 163 additions and 17 deletions
+25 -16
View File
@@ -1,13 +1,14 @@
# profiles::metrics::grafana
class profiles::metrics::grafana (
Integer $http_port = 8080,
Stdlib::Port $http_port = 8080,
String $app_mode = 'production',
Boolean $allow_sign_up = false,
Boolean $mysql_backend = true,
String $mysql_host = '127.0.0.1:3306',
String $mysql_user = 'grafana',
Sensitive $mysql_pass = 'grafana',
Sensitive $mysql_name = 'grafana',
String $mysql_name = 'grafana',
String $mysql_pass = fqdn_rand_string(16),
Stdlib::Host $mysql_host = '127.0.0.1',
Stdlib::Port $mysql_port = 3306,
) {
@@ -17,25 +18,27 @@ class profiles::metrics::grafana (
# when using mysql backend
if $mysql_backend {
# create a db for grafana
@@mysql::db { "mydb_${fqdn}":
user => $mysql_user,
password => $mysql_pass,
dbname => $mysql_name,
host => $fqdn,
grant => ['SELECT', 'UPDATE'],
#tag => $domain,
@@mysql_user { "${mysql_user}@${facts['networking']['fqdn']}":
ensure => present,
password_hash => mysql::password(fqdn_rand_string(16)),
tag => $facts['region'],
}
@@mysql_grant { "${mysql_user}@${facts['networking']['fqdn']}/${mysql_name}.*":
ensure => present,
table => "${mysql_name}.*",
user => "${mysql_user}@${facts['networking']['fqdn']}",
privileges => ['ALL'],
tag => $facts['region'],
}
$database_config = {
type => 'mysql',
host => $mysql_host,
host => "${mysql_host}:${mysql_port}",
name => $mysql_name,
user => $mysql_user,
password => $mysql_pass.unwrap,
}
$sensitive_database_config = Sensitive($database_config)
}
# build the grafana config hash
@@ -44,7 +47,7 @@ class profiles::metrics::grafana (
server => {
http_port => $http_port,
},
database => $sensitive_database_config,
database => $database_config,
users => {
allow_sign_up => $allow_sign_up,
},
@@ -55,4 +58,10 @@ class profiles::metrics::grafana (
cfg => $cfg,
}
# fix the package provided systemd service
systemd::unit_file { 'grafana-server.service':
content => template('profiles/metrics/grafana.service.erb'),
require => Package['grafana'],
before => Service['grafana'],
}
}
@@ -20,6 +20,7 @@ class profiles::puppet::puppetca (
# manage the crl file
if $is_puppetca {
# export the puppet crl.pem
@@file { '/etc/puppetlabs/puppet/ssl/crl.pem.latest':
ensure => file,
@@ -31,10 +32,12 @@ class profiles::puppet::puppetca (
unit => 'puppetserver.service',
}
}else{
# import the puppet crl.pem
File <<| tag == 'crl_pem_export' |>> {
require => Service['puppetserver'],
}
# copy latest to active location
file { '/etc/puppetlabs/puppet/ssl/crl.pem':
ensure => file,
@@ -43,6 +46,7 @@ class profiles::puppet::puppetca (
source => '/etc/puppetlabs/puppet/ssl/crl.pem.latest',
require => File['/etc/puppetlabs/puppet/ssl/crl.pem.latest'],
}
# copy the latest crl when restarting
systemd::manage_dropin { 'copy_crl.conf':
ensure => present,
@@ -31,6 +31,7 @@ class profiles::sql::galera_member (
String $package_name = 'mariadb-server',
Boolean $epel_needed = false,
Boolean $manage_repo = true,
Hash $databases = lookup('mysql::db'),
) {
# check that the master is named
@@ -209,6 +210,20 @@ class profiles::sql::galera_member (
override_options => $merged_overrides,
}
# import databases for this region
Mysql::Db <<| tag == $facts['region'] |>>
# create databases from hiera
$databases.each |$name, $data| {
mysql::db {$name:
* => $data,
}
}
# import users/grants for this region
Mysql_user <<| tag == $facts['region'] |>>
Mysql_grant <<| tag == $facts['region'] |>>
}else{
notice("${title} requires the servers_array to have 3 or more, currently it is ${length($servers_array)}.")
}
@@ -0,0 +1,49 @@
[Unit]
Description=Grafana instance
Documentation=http://docs.grafana.org
Wants=network-online.target
After=network-online.target
After=postgresql.service mariadb.service mysqld.service influxdb.service
[Service]
EnvironmentFile=/etc/sysconfig/grafana-server
User=grafana
Group=grafana
Type=notify
Restart=on-failure
WorkingDirectory=/usr/share/grafana
RuntimeDirectory=grafana
RuntimeDirectoryMode=0750
ExecStart=/usr/share/grafana/bin/grafana server \
--config=${CONF_FILE} \
--pidfile=${PID_FILE_DIR}/grafana-server.pid \
--packaging=rpm \
cfg:default.paths.logs=${LOG_DIR} \
cfg:default.paths.data=${DATA_DIR} \
cfg:default.paths.plugins=${PLUGINS_DIR} \
cfg:default.paths.provisioning=${PROVISIONING_CFG_DIR}
LimitNOFILE=10000
TimeoutStopSec=20
CapabilityBoundingSet=
DeviceAllow=
LockPersonality=true
MemoryDenyWriteExecute=false
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
RemoveIPC=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
UMask=0027
[Install]
WantedBy=multi-user.target