unkin/puppet-prod
2
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases Wiki Activity
1e44577045
puppet-prod/site/profiles/manifests/metrics/grafana.pp
Ben Vincent 1e44577045
All checks were successful
Build / precommit (pull_request) Successful in 4m56s
Details
feat: add external grafana access 
- enable access to grafana through haproxy
- ensure grafana cert created from letsencrypt
- enable user access to grafana
2025-07-28 21:01:32 +10:00

135 lines
3.4 KiB
Puppet
Raw Blame History

# profiles::metrics::grafana
class profiles::metrics::grafana (
String $ldap_bind_pass,
Stdlib::Port $http_port = 8080,
String $app_mode = 'production',
Boolean $allow_sign_up = false,
Boolean $mysql_backend = false,
Boolean $pgsql_backend = false,
String $db_user = 'grafana',
String $db_name = 'grafana',
String $db_pass = fqdn_rand_string(16),
Stdlib::Host $db_host = '127.0.0.1',
Stdlib::Port $db_port = 5432,
) {
# set the fqdn
$fqdn = $::facts['networking']['fqdn']
# when using mysql backend
if $mysql_backend {
@@mysql_user { "${db_user}@${facts['networking']['fqdn']}":
ensure => present,
password_hash => mysql::password($db_pass),
tag => $facts['region'],
}
@@mysql_grant { "${db_user}@${facts['networking']['fqdn']}/${db_name}.*":
ensure => present,
table => "${db_name}.*",
user => "${db_user}@${facts['networking']['fqdn']}",
privileges => ['ALL'],
tag => $facts['region'],
}
$database_config = {
type => 'mysql',
host => "${db_host}:${db_port}",
name => $db_name,
user => $db_user,
password => $db_pass.unwrap,
}
}
# when using mysql backend
if $pgsql_backend {
include profiles::sql::postgresdb
$database_config = {
type => 'postgres',
host => "${db_host}:${db_port}",
name => $db_name,
user => $db_user,
password => $db_pass.unwrap,
}
}
# build the grafana config hash
$cfg = {
app_mode => $app_mode,
server => {
http_port => $http_port,
},
database => $database_config,
users => {
allow_sign_up => $allow_sign_up,
},
'auth.ldap' => {
enabled => 'true',
config_file => '/etc/grafana/ldap.toml',
},
}
# build the ldap config hash
$ldap_cfg = Sensitive({
servers => [
{ host => 'ldap.service.consul',
port => 389,
use_ssl => false,
search_filter => '(uid=%s)',
search_base_dns => [ 'dc=main,dc=unkin,dc=net' ],
bind_dn => 'cn=svc_grafana,ou=services,ou=users,dc=main,dc=unkin,dc=net',
bind_password => $ldap_bind_pass,
},
],
'servers.attributes' => {
name => 'givenName',
surname => 'sn',
username => 'uid',
member_of => 'memberOf',
email => 'mail',
},
'servers.group_mappings' => [
{
group_dn => 'ou=grafana_admin,ou=groups,dc=main,dc=unkin,dc=net',
org_role => 'Admin',
grafana_admin => true,
},
{
group_dn => 'ou=grafana_user,ou=groups,dc=main,dc=unkin,dc=net',
org_role => 'Viewer',
}
],
})
# deploy grafana
class { 'grafana':
cfg => $cfg,
ldap_cfg => $ldap_cfg,
}
# fix the package provided systemd service
systemd::unit_file { 'grafana-server.service':
content => template('profiles/metrics/grafana.service.erb'),
require => Package['grafana'],
before => Service['grafana'],
}
# export haproxy balancemember
profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_443":
service => 'be_grafana',
ports => [443],
options => [
"cookie ${facts['networking']['hostname']}",
'ssl',
'verify none',
'check',
'inter 2s',
'rise 3',
'fall 2',
]
}
}
Reference in New Issue View Git Blame Copy Permalink