Deploy Prometheus Exporter Exporter using Ansible.
Exporter Exporter is a Prometheus exporter that acts as a reverse proxy in front of other Prometheus exporters, so that only one port has to be opened on the monitored host; it also provides TLS and Bearer-token authentication.
It is a lightweight and simple alternative to an NGINX/Apache reverse proxy, especially when the monitored server is not a web server.
More information is available on the Exporter Exporter README page.
This role was forked from, and is largely inspired by, the Cloudalchemy Node Exporter Ansible role.
The role is supposed to work with Debian, SUSE, RedHat and Fedora (see the Ansible Galaxy meta), but it has only been tested on Ubuntu Bionic (18.04).
TODO (probably never done, PRs accepted):
- More control in the preflight file
- Support for config.dirs
- Management of the Bearer token file
- Unit tests
- Publish on Ansible Galaxy
- Ansible >= 2.7 (it might work on previous versions, but we cannot guarantee it)
- gnu-tar on a Mac deployer host (`brew install gnu-tar`)
All variables that can be overridden are stored in the defaults/main.yml file as well as in the table below. Unless stated otherwise, each value is passed to the exporter_exporter binary on its command line in the systemd service unit file.

Name | Default Value | Description |
---|---|---|
prometheus_proxy_version | 0.3.0 | Version of the Exporter Exporter package to install. Also accepts `latest`. |
prometheus_proxy_group | "exp-exp" | System group used to run exporter_exporter. |
prometheus_proxy_user | "exp-exp" | System user used to run exporter_exporter. |
prometheus_proxy_system_additional_groups | "" | Additional system group of the user running exporter_exporter (example: `ssl-cert`, to allow reading the certificate and key). |
prometheus_proxy_web_listen_address | "0.0.0.0:9999" | Address on which exporter_exporter listens for plain HTTP. Leave it empty and set prometheus_proxy_web_tls_listen_address to accept HTTPS connections only. |
prometheus_proxy_config_file | "/etc/expexp.yaml" | File containing the exporter_exporter configuration, managed by this role through the prometheus_proxy_configuration variable. |
prometheus_proxy_web_bearer_token | "" | Token required for Bearer authentication (mutually exclusive with prometheus_proxy_web_bearer_token_file). |
prometheus_proxy_web_bearer_token_file | "" | File containing the Bearer token for authentication (mutually exclusive with prometheus_proxy_web_bearer_token; this role does not manage the file). |
prometheus_proxy_web_proxy_path | "" | URL path on which proxied HTTP requests are served (exporter_exporter defaults to "/proxy" if not provided). |
prometheus_proxy_web_telemetry_path | "" | URL path on which exporter_exporter serves its own metrics (exporter_exporter defaults to "/metrics" if not provided). |
prometheus_proxy_web_tls_ca | "" | Full path of the file containing the CA certificate (e.g. the Prometheus server certificate when self-signed certificates are used). |
prometheus_proxy_web_tls_cert | "" | Full path of the file containing the certificate used by exporter_exporter (e.g. the node certificate). |
prometheus_proxy_web_tls_key | "" | Full path of the file containing the key used by exporter_exporter (e.g. the node key). |
prometheus_proxy_web_tls_listen_address | "" | Address on which exporter_exporter listens for TLS connections (HTTPS); optional, 0.0.0.0:9998 is commonly used. |
prometheus_proxy_web_tls_verify | "" | Disable client verification (exact semantics unclear; see the exporter_exporter flag help). |
prometheus_proxy_configuration | "" | YAML configuration written to prometheus_proxy_config_file; not a command-line flag. An example is provided in the Exporter Exporter README. |

The exporter_exporter configuration can be split into multiple files in a directory passed to exporter_exporter through config.dirs and config.skip-dirs, but this role does not support that (yet).
This role can also deploy the CA/server certificate, the node certificate and the node key. The following variables are used for that deployment:

Name | Default Value | Description |
---|---|---|
prometheus_proxy_ca_file | "" | Local path to the file containing the CA certificate / server certificate (e.g. files/prometheus_server.crt) |
prometheus_proxy_cert_file | "" | Local path to the file containing the node certificate (e.g. files/prometheus_node.crt) |
prometheus_proxy_key_file | "" | Local path to the file containing the node key (e.g. files/prometheus_server.key). Best practice is to encrypt this file with ansible-vault. |
prometheus_proxy_certs_path | "" | Remote path (on the monitored nodes) where this role copies the two certificates; must match the directory used in the prometheus_proxy_web_tls_ca and prometheus_proxy_web_tls_cert variables (e.g. /etc/ssl/certs/) |
prometheus_proxy_cert_owner | "" | Certificate files owner (e.g. root) |
prometheus_proxy_cert_group | "" | Certificate files group (e.g. exp-exp) |
prometheus_proxy_cert_mode | "" | Certificate files mode (e.g. 0640) |
prometheus_proxy_key_path | "" | Remote path (on the monitored nodes) where this role copies the node key; must match the directory used in the prometheus_proxy_web_tls_key variable (e.g. /etc/ssl/private/) |
prometheus_proxy_key_owner | "" | Key file owner (e.g. root) |
prometheus_proxy_key_group | "" | Key file group (e.g. exp-exp) |
prometheus_proxy_key_mode | "" | Key file mode (e.g. 0640) |

Creation of those certificates and the key is not part of this role.
Use it in a playbook as follows:

```yaml
- hosts: all
  roles:
    - umanit.prometheus_exporter_exporter
  vars:
    prometheus_proxy_configuration:
      modules:
        node:
          method: http
          http:
            port: 9100
```
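A fuller playbook, added here as an illustration and not taken from the role itself, that exposes exporter_exporter over HTTPS only, requires a Bearer token and lets the role deploy the certificates. File names, the `vault_expexp_bearer_token` variable, the `monitored` host group and the second module are constructed placeholders, and it assumes the role copies each file under its local base name.

```yaml
# Added example playbook (not part of the role). Placeholders: host group,
# certificate file names, vault variable name and the mysqld module/port.
- hosts: monitored
  roles:
    - umanit.prometheus_exporter_exporter
  vars:
    # Empty HTTP listener + TLS listener: only the HTTPS port is opened.
    prometheus_proxy_web_listen_address: ""
    prometheus_proxy_web_tls_listen_address: "0.0.0.0:9998"

    # Paths as seen by exporter_exporter on the node; the directories must
    # match prometheus_proxy_certs_path / prometheus_proxy_key_path below.
    prometheus_proxy_web_tls_ca: /etc/ssl/certs/prometheus_server.crt
    prometheus_proxy_web_tls_cert: /etc/ssl/certs/prometheus_node.crt
    prometheus_proxy_web_tls_key: /etc/ssl/private/prometheus_node.key

    # Local files copied by the role; keep the key ansible-vault encrypted.
    prometheus_proxy_ca_file: files/prometheus_server.crt
    prometheus_proxy_cert_file: files/prometheus_node.crt
    prometheus_proxy_key_file: files/prometheus_node.key
    prometheus_proxy_certs_path: /etc/ssl/certs/
    prometheus_proxy_cert_owner: root
    prometheus_proxy_cert_group: exp-exp
    prometheus_proxy_cert_mode: "0640"
    prometheus_proxy_key_path: /etc/ssl/private/
    prometheus_proxy_key_owner: root
    prometheus_proxy_key_group: exp-exp
    prometheus_proxy_key_mode: "0640"
    # /etc/ssl/private is normally traversable only by the ssl-cert group,
    # so the service user needs it as an additional group to read the key.
    prometheus_proxy_system_additional_groups: "ssl-cert"

    # Bearer token: set either this variable or *_file, never both.
    # The value lives in a vault-encrypted vars file (placeholder name).
    prometheus_proxy_web_bearer_token: "{{ vault_expexp_bearer_token }}"

    # Only the modules listed here are reachable through the proxy; any other
    # exporter on the node stays unexposed.
    prometheus_proxy_configuration:
      modules:
        node:
          method: http
          http:
            port: 9100
        mysqld:
          method: http
          http:
            port: 9104
```

On the Prometheus side the matching scrape job then uses `scheme: https`, the same bearer token, the node certificate's CA in `tls_config`, `metrics_path: /proxy` and `params: {module: [node]}` (or `[mysqld]`).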
This project is licensed under MIT License. See LICENSE for more details.