feat: add snmp-exporter

M0NsTeRRR · Jan 21, 2024 · 0a4bb0b · 0a4bb0b
1 parent b20369b
commit 0a4bb0b
Show file tree

Hide file tree

Showing 10 changed files with 303 additions and 57 deletions.
diff --git a/ansible/group_vars/dns/all.yml b/ansible/group_vars/dns/all.yml
@@ -17,86 +17,86 @@ powerdns_authoritative_records:
   - caa: "letsencrypt.org"
   - caa: "sectigo.com"
   - hostname: rr1.unicornafk.fr.
-    a: 
+    a:
       - 192.168.5.13
-    aaaa:  
+    aaaa:
       - 2a0c:b641:02c0:105::d
     rdns: true
   - hostname: rr2.unicornafk.fr.
-    a:  
+    a:
       - 192.168.5.17
-    aaaa:  
+    aaaa:
       - 2a0c:b641:02c0:105::11
     rdns: true
   - hostname: r1.unicornafk.fr.
-    a:  
+    a:
       - 192.168.6.1
-    aaaa:  
+    aaaa:
       - 2a0c:b641:02c0:106::1
     sshfp:
       - algorithm: 1
         type: 2
         fingerprint: 28e4f34e715bcde2b6628f53397e40889f8a87894651ba79e01d7745bad11679
     rdns: true
   - hostname: r2.unicornafk.fr.
-    a:  
+    a:
       - 192.168.6.3
-    aaaa:  
+    aaaa:
       - 2a0c:b641:02c0:106::3
     sshfp:
       - algorithm: 4
         type: 2
         fingerprint: 33a3f4d1970bfa6bd85305adf23c437d8fd2b2b2b30aaaf9653d303733148dce
     rdns: true
   - hostname: dns1.unicornafk.fr.
-    a:  
+    a:
       - 192.168.10.21
-    aaaa:  
+    aaaa:
       - 2a0c:b641:02c0:110::21
     rdns: true
   - hostname: dns2.unicornafk.fr.
-    a:  
+    a:
       - 192.168.10.22
-    aaaa:  
+    aaaa:
       - 2a0c:b641:02c0:110::22
     rdns: true
   - hostname: kubernetes.unicornafk.fr.
-    a:  
+    a:
       - 192.168.10.80
-    aaaa:  
+    aaaa:
       - 2a0c:b641:02c0:110::80
   - hostname: vault.unicornafk.fr.
-    a:  
+    a:
       - 192.168.10.102
-    aaaa:  
+    aaaa:
       - 2a0c:b641:02c0:110::102
     rdns: true
   - hostname: ap1.unicornafk.fr.
-    a:  
+    a:
       - 192.168.20.51
-    aaaa:  
+    aaaa:
       - 2a0c:b641:02c0:120::51
     rdns: true
   - hostname: home-assistant.unicornafk.fr.
-    a:  
+    a:
       - 192.168.20.33
-    aaaa:  
+    aaaa:
       - 2a0c:b641:02c0:120::33
     rdns: true
   - hostname: sw1.unicornafk.fr.
-    a:  
+    a:
       - 192.168.40.1
-    aaaa:  
+    aaaa:
       - 2a0c:b641:02c0:140::1
     sshfp:
       - algorithm: 1
         type: 2
         fingerprint: F537A260E2626BFEC959303F0F786F3BC986152E48A0E26C68499C0E79C27797
     rdns: true
   - hostname: sw2.unicornafk.fr.
-    a:  
+    a:
       - 192.168.40.2
-    aaaa:  
+    aaaa:
       - 2a0c:b641:02c0:140::2
     rdns: true
     sshfp:
@@ -113,124 +113,124 @@ powerdns_authoritative_records:
       - 2a0c:b641:02c0:140::12
       - 2a0c:b641:02c0:140::13
   - hostname: server1.unicornafk.fr.
-    a:  
+    a:
       - 192.168.40.11
-    aaaa:  
+    aaaa:
       - 2a0c:b641:02c0:140::11
     sshfp:
       - algorithm: 4
         type: 2
         fingerprint: 4fe77c8ae1c13f6cccfc46184a7acb44ee7cb169b8c8dc3cd684a32502ff8a1a
   - hostname: server2.unicornafk.fr.
-    a:  
+    a:
       - 192.168.40.12
-    aaaa:  
+    aaaa:
       - 2a0c:b641:02c0:140::12
     sshfp:
       - algorithm: 4
         type: 2
         fingerprint: 04f32228d7ba8e7a1ccae96d2517824e65b674225d9424668b5d553e1f576859
     rdns: true
   - hostname: server3.unicornafk.fr.
-    a:  
+    a:
       - 192.168.40.13
-    aaaa:  
+    aaaa:
       - 2a0c:b641:02c0:140::13
     sshfp:
       - algorithm: 4
         type: 2
         fingerprint: 2e8775fb4f5fc9433cdecb1375ab75b0c6e48f69fa3c1c36de6e800761aecd1d
     rdns: true
   - hostname: nas.unicornafk.fr.
-    a:  
+    a:
       - 192.168.50.42
-    aaaa:  
+    aaaa:
       - 2a0c:b641:02c0:150::42
     rdns: true
   - hostname: grandstream.unicornafk.fr.
-    a:  
+    a:
       - 192.168.50.81
-    aaaa:  
+    aaaa:
       - 2a0c:b641:02c0:150::81
     rdns: true
   - hostname: samsung-tv.unicornafk.fr.
-    a:  
+    a:
       - 192.168.50.91
-    aaaa:  
+    aaaa:
       - 2a0c:b641:02c0:150::91
     rdns: true
   - hostname: nvidia-shield.unicornafk.fr.
-    a:  
+    a:
       - 192.168.50.92
-    aaaa:  
+    aaaa:
       - 2a0c:b641:02c0:150::92
     rdns: true
   - hostname: hs110-rack1.unicornafk.fr.
-    a:  
+    a:
       - 192.168.50.101
     rdns: true
   - hostname: hs110-rack2.unicornafk.fr.
-    a:  
+    a:
       - 192.168.50.102
     rdns: true
   - hostname: hs110-chambre1.unicornafk.fr.
-    a:  
+    a:
       - 192.168.50.103
     rdns: true
   - hostname: meross-tireuse.unicornafk.fr.
-    a:  
+    a:
       - 192.168.50.104
     rdns: true
   - hostname: meross-monsieur-cuisine.unicornafk.fr.
-    a:  
+    a:
       - 192.168.50.105
     rdns: true
   - hostname: xiaomi-bulb-chambre1.unicornafk.fr.
-    a:  
+    a:
       - 192.168.50.111
     rdns: true
   - hostname: xiaomi-vaccum.unicornafk.fr.
-    a:  
+    a:
       - 192.168.50.112
     rdns: true
   - hostname: xiaomi-bulb-salon.unicornafk.fr.
-    a:  
+    a:
       - 192.168.50.113
     rdns: true
   - hostname: xiaomi-light-bar.unicornafk.fr.
-    a:  
+    a:
       - 192.168.50.114
     rdns: true
   - hostname: xiaomi-led-chambre1.unicornafk.fr.
-    a:  
+    a:
       - 192.168.50.115
     rdns: true
   - hostname: xiaomi-led-bar.unicornafk.fr.
-    a:  
+    a:
       - 192.168.50.116
     rdns: true
   - hostname: xiaomi-lamp-salon.unicornafk.fr.
-    a:  
+    a:
       - 192.168.50.117
     rdns: true
   - hostname: xiaomi-lamp-cuisine.unicornafk.fr.
-    a:  
+    a:
       - 192.168.50.118
     rdns: true
   - hostname: xiaomi-bulb-entree.unicornafk.fr.
-    a:  
+    a:
       - 192.168.50.119
     rdns: true
   - hostname: monitor01.unicornafk.fr.
-    a:  
+    a:
       - 192.168.50.120
-    aaaa:   
+    aaaa:
       - 2a0c:b641:02c0:150::120
     rdns: true
   - hostname: monitor02.unicornafk.fr.
-    a:  
+    a:
       - 192.168.50.121
-    aaaa:   
+    aaaa:
       - 2a0c:b641:02c0:150::121
     rdns: true
   # CNAME

diff --git a/ansible/group_vars/kubernetes_master/all.yml b/ansible/group_vars/kubernetes_master/all.yml
@@ -119,6 +119,11 @@ vault_policies:
       - path: secret/data/homelab/prod/as212510-net
         capabilities:
           - read
+  - name: snmp-exporter
+    rules:
+      - path: secret/data/homelab/prod/snmp-exporter
+        capabilities:
+          - read
 public_vault_datas:
   - path: pki/config/ca
     data:
@@ -205,6 +210,16 @@ public_vault_datas:
       bound_service_account_namespaces: as212510-net
       policies: as212510-net
       ttl: 1h
+  - path: auth/kubernetes/role/snmp-exporter
+    data:
+      bound_service_account_names: snmp-exporter-vault
+      bound_service_account_namespaces: snmp-exporter
+      policies: snmp-exporter
+      ttl: 1h
+  - path: secret/data/homelab/prod/snmp-exporter
+    data:
+      data:
+        snmp.yaml: "{{ snmp_exporter_config }}"
 vault_datas: "{{ public_vault_datas + secret_vault_datas }}"
 external_secrets_localhost_kubeconfig_path: "{{ kubernetes_localhost_kubeconfig_path }}"
 cert_manager_localhost_kubeconfig_path: "{{ kubernetes_localhost_kubeconfig_path }}"

diff --git a/ansible/group_vars/kubernetes_master/snmp_exporter_secrets.example b/ansible/group_vars/kubernetes_master/snmp_exporter_secrets.example
@@ -0,0 +1,2 @@
+---
+snmp_exporter_config:
diff --git a/ansible/inventory.proxmox.example b/ansible/inventory.proxmox.example
@@ -6,7 +6,7 @@ password:
 validate_certs: true
 strict: true
 want_facts: true
-keyed_groups: 
+keyed_groups:
   - key: proxmox_tags_parsed
     separator: ""
 filters:

diff --git a/argocd/applicationset.yaml b/argocd/applicationset.yaml
@@ -39,6 +39,9 @@ spec:
       - appName: blackbox-exporter
         namespace: blackbox-exporter
         syncWave: "0"
+      - appName: snmp-exporter
+        namespace: snmp-exporter
+        syncWave: "0"
       - appName: as212510-net
         namespace: as212510-net
         syncWave: "0"

diff --git a/argocd/snmp-exporter/kustomization.yaml b/argocd/snmp-exporter/kustomization.yaml
@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: snmp-exporter
+
+resources:
+  - manifests/01_external_secret.yaml
+
+helmCharts:
+- name: prometheus-snmp-exporter
+  releaseName: snmp-exporter
+  namespace: snmp-exporter
+  repo: https://prometheus-community.github.io/helm-charts
+  version: 1.8.1
+  valuesFile: values.yaml
diff --git a/argocd/snmp-exporter/manifests/01_external_secret.yaml b/argocd/snmp-exporter/manifests/01_external_secret.yaml
@@ -0,0 +1,49 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: snmp-exporter-vault
+  namespace: snmp-exporter
+---
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: vault
+  namespace: snmp-exporter
+spec:
+  provider:
+    vault:
+      server: "https://vault.vault.svc:8200"
+      path: "secret"
+      version: "v2"
+      auth:
+        kubernetes:
+          mountPath: "kubernetes"
+          role: "snmp-exporter"
+          serviceAccountRef:
+            name: "snmp-exporter-vault"
+      caProvider:
+        type: "ConfigMap"
+        # https://github.com/external-secrets/external-secrets/issues/1024
+        namespace: "snmp-exporter"
+        name: "homelab-ca"
+        key: "ca.crt"
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: snmp-exporter-vault
+  namespace: snmp-exporter
+spec:
+  refreshInterval: "1m"
+  target:
+    creationPolicy: "Owner"
+    deletionPolicy: "Retain"
+  secretStoreRef:
+    kind: SecretStore
+    name: vault
+  data:
+    - secretKey: snmp.yaml
+      remoteRef:
+        key: secret/data/homelab/prod/snmp-exporter
+        property: snmp.yaml