feat: add dns to monitoring

M0NsTeRRR · Jan 29, 2024 · 1ec0de9 · 1ec0de9
1 parent 20716f7
commit 1ec0de9
Show file tree

Hide file tree

Showing 6 changed files with 159 additions and 1 deletion.
diff --git a/ansible/group_vars/kubernetes_master/all.yml b/ansible/group_vars/kubernetes_master/all.yml
@@ -124,6 +124,11 @@ vault_policies:
       - path: secret/data/homelab/prod/prometheus-pve-exporter
         capabilities:
           - read
+  - name: grafana-agent
+    rules:
+      - path: secret/data/homelab/prod/grafana-agent
+        capabilities:
+          - read
   - name: as212510-net
     rules:
       - path: secret/data/homelab/prod/as212510-net
@@ -221,6 +226,12 @@ public_vault_datas:
       bound_service_account_namespaces: prometheus-pve-exporter
       policies: prometheus-pve-exporter
       ttl: 1h
+  - path: auth/kubernetes/role/grafana-agent
+    data:
+      bound_service_account_names: grafana-agent-vault
+      bound_service_account_namespaces: grafana-agent
+      policies: grafana-agent
+      ttl: 1h
   - path: auth/kubernetes/role/as212510-net
     data:
       bound_service_account_names: as212510-net-vault

diff --git a/ansible/group_vars/kubernetes_master/secrets.example b/ansible/group_vars/kubernetes_master/secrets.example
@@ -51,6 +51,15 @@ secret_vault_datas:
       data:
         PVE_USER:
         PVE_PASSWORD:
+  - path: secret/data/homelab/prod/grafana-agent
+    data:
+      data:
+        PDNS_AUTH_USERNAME: "supervision"
+        PDNS_AUTH_PASSWORD: "{{ powerdns_authoritative_webserver_password }}"
+        PDNS_REC_USERNAME: "supervision"
+        PDNS_REC_PASSWORD: "{{ powerdns_recursor_webserver_password }}"
+        DNSDIST_USERNAME: ""
+        DNSDIST_PASSWORD: "{{ dnsdist_webserver_password }}"
   - path: secret/data/homelab/prod/as212510-net
     data:
       data:

diff --git a/argocd/grafana-agent/kustomization.yaml b/argocd/grafana-agent/kustomization.yaml
@@ -3,7 +3,8 @@ kind: Kustomization
 namespace: grafana-agent
 
 resources:
-  - manifests/01_configmap.yaml
+  - manifests/01_external_secret.yaml
+  - manifests/02_configmap.yaml
 
 helmCharts:
 - name: grafana-agent

diff --git a/argocd/grafana-agent/manifests/01_external_secret.yaml b/argocd/grafana-agent/manifests/01_external_secret.yaml
@@ -0,0 +1,66 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: grafana-agent-vault
+---
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: vault
+spec:
+  provider:
+    vault:
+      server: "https://vault.vault.svc:8200"
+      path: "secret"
+      version: "v2"
+      auth:
+        kubernetes:
+          mountPath: "kubernetes"
+          role: "grafana-agent"
+          serviceAccountRef:
+            name: "grafana-agent-vault"
+      caProvider:
+        type: "ConfigMap"
+        # https://github.com/external-secrets/external-secrets/issues/1024
+        namespace: "grafana-agent"
+        name: "homelab-ca"
+        key: "ca.crt"
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: grafana-agent-vault
+spec:
+  refreshInterval: "1m"
+  target:
+    creationPolicy: "Owner"
+    deletionPolicy: "Retain"
+  secretStoreRef:
+    kind: SecretStore
+    name: vault
+  data:
+    - secretKey: PDNS_AUTH_USERNAME
+      remoteRef:
+        key: secret/data/homelab/prod/grafana-agent
+        property: PDNS_AUTH_USERNAME
+    - secretKey: PDNS_AUTH_PASSWORD
+      remoteRef:
+        key: secret/data/homelab/prod/grafana-agent
+        property: PDNS_AUTH_PASSWORD
+    - secretKey: PDNS_REC_USERNAME
+      remoteRef:
+        key: secret/data/homelab/prod/grafana-agent
+        property: PDNS_REC_USERNAME
+    - secretKey: PDNS_REC_PASSWORD
+      remoteRef:
+        key: secret/data/homelab/prod/grafana-agent
+        property: PDNS_REC_PASSWORD
+    - secretKey: DNSDIST_USERNAME
+      remoteRef:
+        key: secret/data/homelab/prod/grafana-agent
+        property: DNSDIST_USERNAME
+    - secretKey: DNSDIST_PASSWORD
+      remoteRef:
+        key: secret/data/homelab/prod/grafana-agent
+        property: DNSDIST_PASSWORD
diff --git a/...grafana-agent/manifests/01_configmap.yaml → ...grafana-agent/manifests/02_configmap.yaml b/...grafana-agent/manifests/01_configmap.yaml → ...grafana-agent/manifests/02_configmap.yaml
@@ -10,6 +10,12 @@ data:
       format = "logfmt"
     }
 
+    // Kubernetes secrets
+    remote.kubernetes.secret "credentials" {
+      namespace = "grafana-agent"
+      name = "grafana-agent-vault"
+    }
+
     // remote write
     prometheus.remote_write "default" {
       endpoint {
@@ -125,6 +131,60 @@ data:
       scrape_timeout  = "5s"
     }
 
+    prometheus.scrape "pdns_auth" {
+      targets = [
+        {"__scheme__" = "https", "__address__" = "dns1.unicornafk.fr:9443", "instance" = "dns1.unicornafk.fr"},
+        {"__scheme__" = "https", "__address__" = "dns2.unicornafk.fr:9443", "instance" = "dns2.unicornafk.fr"},
+      ]
+      metrics_path    = "/auth/metrics"
+      forward_to = [prometheus.remote_write.default.receiver]
+      basic_auth {
+        username = nonsensitive(remote.kubernetes.secret.credentials.data["PDNS_AUTH_USERNAME"])
+        password = remote.kubernetes.secret.credentials.data["PDNS_AUTH_PASSWORD"]
+      }
+      clustering {
+        enabled = true
+      }
+      scrape_interval = "30s"
+      scrape_timeout  = "5s"
+    }
+
+    prometheus.scrape "pdns_rec" {
+      targets = [
+        {"__scheme__" = "https", "__address__" = "dns1.unicornafk.fr:9443", "instance" = "dns1.unicornafk.fr"},
+        {"__scheme__" = "https", "__address__" = "dns2.unicornafk.fr:9443", "instance" = "dns2.unicornafk.fr"},
+      ]
+      metrics_path    = "/rec/metrics"
+      forward_to = [prometheus.remote_write.default.receiver]
+      basic_auth {
+        username = nonsensitive(remote.kubernetes.secret.credentials.data["PDNS_REC_USERNAME"])
+        password = remote.kubernetes.secret.credentials.data["PDNS_REC_PASSWORD"]
+      }
+      clustering {
+        enabled = true
+      }
+      scrape_interval = "30s"
+      scrape_timeout  = "5s"
+    }
+
+    prometheus.scrape "dnsdist" {
+      targets = [
+        {"__scheme__" = "https", "__address__" = "dns1.unicornafk.fr:9443", "instance" = "dns1.unicornafk.fr"},
+        {"__scheme__" = "https", "__address__" = "dns2.unicornafk.fr:9443", "instance" = "dns2.unicornafk.fr"},
+      ]
+      metrics_path    = "/dnsdist/metrics"
+      forward_to = [prometheus.remote_write.default.receiver]
+      basic_auth {
+        username = nonsensitive(remote.kubernetes.secret.credentials.data["DNSDIST_USERNAME"])
+        password = remote.kubernetes.secret.credentials.data["DNSDIST_PASSWORD"]
+      }
+      clustering {
+        enabled = true
+      }
+      scrape_interval = "30s"
+      scrape_timeout  = "5s"
+    }
+
     prometheus.scrape "blackbox_ingresses" {
       targets    = discovery.relabel.ingresses.output
       forward_to = [prometheus.remote_write.default.receiver]

diff --git a/argocd/grafana-agent/values.yaml b/argocd/grafana-agent/values.yaml
@@ -5,12 +5,23 @@ agent:
     create: false
     name: grafana-agent-config
     key: config
+  mounts:
+    extra:
+      - name: ca-certs
+        mountPath: /etc/ssl/certs/homelab.crt
+        subPath: ca.crt
+        readOnly: true
   clustering:
     enabled: true
 crds:
   create: false
 controller:
   extraAnnotations:
     reloader.stakater.com/auto: "true"
+  volumes:
+    extra:
+      - name: ca-certs
+        configMap:
+          name: homelab-ca
 configReloader:
   enabled: false