From 7b8b6d263b12b0a8148a664f9c38cc477d5860ac Mon Sep 17 00:00:00 2001 From: Ludovic Ortega Date: Sun, 21 Jan 2024 21:27:24 +0000 Subject: [PATCH] feat: add snmp-exporter --- ansible/group_vars/dns/all.yml | 112 +++++++++--------- ansible/group_vars/kubernetes_master/all.yml | 15 +++ .../snmp_exporter_secrets.example | 2 + ansible/inventory.proxmox.example | 2 +- argocd/applicationset.yaml | 3 + argocd/snmp-exporter/kustomization.yaml | 14 +++ .../manifests/01_external_secret.yaml | 49 ++++++++ argocd/snmp-exporter/values.yaml | 35 ++++++ docs/guide/snmp-exporter/index.md | 25 ++++ docs/guide/snmp-exporter/snmp-generator.yml | 103 ++++++++++++++++ 10 files changed, 303 insertions(+), 57 deletions(-) create mode 100644 ansible/group_vars/kubernetes_master/snmp_exporter_secrets.example create mode 100644 argocd/snmp-exporter/kustomization.yaml create mode 100644 argocd/snmp-exporter/manifests/01_external_secret.yaml create mode 100644 argocd/snmp-exporter/values.yaml create mode 100644 docs/guide/snmp-exporter/index.md create mode 100644 docs/guide/snmp-exporter/snmp-generator.yml diff --git a/ansible/group_vars/dns/all.yml b/ansible/group_vars/dns/all.yml index 67626a3fa..8c882ed1e 100644 --- a/ansible/group_vars/dns/all.yml +++ b/ansible/group_vars/dns/all.yml @@ -17,21 +17,21 @@ powerdns_authoritative_records: - caa: "letsencrypt.org" - caa: "sectigo.com" - hostname: rr1.unicornafk.fr. - a: + a: - 192.168.5.13 - aaaa: + aaaa: - 2a0c:b641:02c0:105::d rdns: true - hostname: rr2.unicornafk.fr. - a: + a: - 192.168.5.17 - aaaa: + aaaa: - 2a0c:b641:02c0:105::11 rdns: true - hostname: r1.unicornafk.fr. - a: + a: - 192.168.6.1 - aaaa: + aaaa: - 2a0c:b641:02c0:106::1 sshfp: - algorithm: 1 @@ -39,9 +39,9 @@ powerdns_authoritative_records: fingerprint: 28e4f34e715bcde2b6628f53397e40889f8a87894651ba79e01d7745bad11679 rdns: true - hostname: r2.unicornafk.fr. - a: + a: - 192.168.6.3 - aaaa: + aaaa: - 2a0c:b641:02c0:106::3 sshfp: - algorithm: 4 
@@ -49,44 +49,44 @@ powerdns_authoritative_records: fingerprint: 33a3f4d1970bfa6bd85305adf23c437d8fd2b2b2b30aaaf9653d303733148dce rdns: true - hostname: dns1.unicornafk.fr. - a: + a: - 192.168.10.21 - aaaa: + aaaa: - 2a0c:b641:02c0:110::21 rdns: true - hostname: dns2.unicornafk.fr. - a: + a: - 192.168.10.22 - aaaa: + aaaa: - 2a0c:b641:02c0:110::22 rdns: true - hostname: kubernetes.unicornafk.fr. - a: + a: - 192.168.10.80 - aaaa: + aaaa: - 2a0c:b641:02c0:110::80 - hostname: vault.unicornafk.fr. - a: + a: - 192.168.10.102 - aaaa: + aaaa: - 2a0c:b641:02c0:110::102 rdns: true - hostname: ap1.unicornafk.fr. - a: + a: - 192.168.20.51 - aaaa: + aaaa: - 2a0c:b641:02c0:120::51 rdns: true - hostname: home-assistant.unicornafk.fr. - a: + a: - 192.168.20.33 - aaaa: + aaaa: - 2a0c:b641:02c0:120::33 rdns: true - hostname: sw1.unicornafk.fr. - a: + a: - 192.168.40.1 - aaaa: + aaaa: - 2a0c:b641:02c0:140::1 sshfp: - algorithm: 1 @@ -94,9 +94,9 @@ powerdns_authoritative_records: fingerprint: F537A260E2626BFEC959303F0F786F3BC986152E48A0E26C68499C0E79C27797 rdns: true - hostname: sw2.unicornafk.fr. - a: + a: - 192.168.40.2 - aaaa: + aaaa: - 2a0c:b641:02c0:140::2 rdns: true sshfp: @@ -113,18 +113,18 @@ powerdns_authoritative_records: - 2a0c:b641:02c0:140::12 - 2a0c:b641:02c0:140::13 - hostname: server1.unicornafk.fr. - a: + a: - 192.168.40.11 - aaaa: + aaaa: - 2a0c:b641:02c0:140::11 sshfp: - algorithm: 4 type: 2 fingerprint: 4fe77c8ae1c13f6cccfc46184a7acb44ee7cb169b8c8dc3cd684a32502ff8a1a - hostname: server2.unicornafk.fr. - a: + a: - 192.168.40.12 - aaaa: + aaaa: - 2a0c:b641:02c0:140::12 sshfp: - algorithm: 4 @@ -132,9 +132,9 @@ powerdns_authoritative_records: fingerprint: 04f32228d7ba8e7a1ccae96d2517824e65b674225d9424668b5d553e1f576859 rdns: true - hostname: server3.unicornafk.fr. - a: + a: - 192.168.40.13 - aaaa: + aaaa: - 2a0c:b641:02c0:140::13 sshfp: - algorithm: 4 
@@ -142,95 +142,95 @@ powerdns_authoritative_records: fingerprint: 2e8775fb4f5fc9433cdecb1375ab75b0c6e48f69fa3c1c36de6e800761aecd1d rdns: true - hostname: nas.unicornafk.fr. - a: + a: - 192.168.50.42 - aaaa: + aaaa: - 2a0c:b641:02c0:150::42 rdns: true - hostname: grandstream.unicornafk.fr. - a: + a: - 192.168.50.81 - aaaa: + aaaa: - 2a0c:b641:02c0:150::81 rdns: true - hostname: samsung-tv.unicornafk.fr. - a: + a: - 192.168.50.91 - aaaa: + aaaa: - 2a0c:b641:02c0:150::91 rdns: true - hostname: nvidia-shield.unicornafk.fr. - a: + a: - 192.168.50.92 - aaaa: + aaaa: - 2a0c:b641:02c0:150::92 rdns: true - hostname: hs110-rack1.unicornafk.fr. - a: + a: - 192.168.50.101 rdns: true - hostname: hs110-rack2.unicornafk.fr. - a: + a: - 192.168.50.102 rdns: true - hostname: hs110-chambre1.unicornafk.fr. - a: + a: - 192.168.50.103 rdns: true - hostname: meross-tireuse.unicornafk.fr. - a: + a: - 192.168.50.104 rdns: true - hostname: meross-monsieur-cuisine.unicornafk.fr. - a: + a: - 192.168.50.105 rdns: true - hostname: xiaomi-bulb-chambre1.unicornafk.fr. - a: + a: - 192.168.50.111 rdns: true - hostname: xiaomi-vaccum.unicornafk.fr. - a: + a: - 192.168.50.112 rdns: true - hostname: xiaomi-bulb-salon.unicornafk.fr. - a: + a: - 192.168.50.113 rdns: true - hostname: xiaomi-light-bar.unicornafk.fr. - a: + a: - 192.168.50.114 rdns: true - hostname: xiaomi-led-chambre1.unicornafk.fr. - a: + a: - 192.168.50.115 rdns: true - hostname: xiaomi-led-bar.unicornafk.fr. - a: + a: - 192.168.50.116 rdns: true - hostname: xiaomi-lamp-salon.unicornafk.fr. - a: + a: - 192.168.50.117 rdns: true - hostname: xiaomi-lamp-cuisine.unicornafk.fr. - a: + a: - 192.168.50.118 rdns: true - hostname: xiaomi-bulb-entree.unicornafk.fr. - a: + a: - 192.168.50.119 rdns: true - hostname: monitor01.unicornafk.fr. - a: + a: - 192.168.50.120 - aaaa: + aaaa: - 2a0c:b641:02c0:150::120 rdns: true - hostname: monitor02.unicornafk.fr. - a: + a: - 192.168.50.121 - aaaa: + aaaa: - 2a0c:b641:02c0:150::121 rdns: true # CNAME 
diff --git a/ansible/group_vars/kubernetes_master/all.yml b/ansible/group_vars/kubernetes_master/all.yml index f937f564e..64d5e010d 100644 --- a/ansible/group_vars/kubernetes_master/all.yml +++ b/ansible/group_vars/kubernetes_master/all.yml @@ -119,6 +119,11 @@ vault_policies: - path: secret/data/homelab/prod/as212510-net capabilities: - read + - name: snmp-exporter + rules: + - path: secret/data/homelab/prod/snmp-exporter + capabilities: + - read public_vault_datas: - path: pki/config/ca data: @@ -205,6 +210,16 @@ public_vault_datas: bound_service_account_namespaces: as212510-net policies: as212510-net ttl: 1h + - path: auth/kubernetes/role/snmp-exporter + data: + bound_service_account_names: snmp-exporter-vault + bound_service_account_namespaces: snmp-exporter + policies: snmp-exporter + ttl: 1h + - path: secret/data/homelab/prod/snmp-exporter + data: + data: + snmp.yaml: "{{ snmp_exporter_config }}" vault_datas: "{{ public_vault_datas + secret_vault_datas }}" external_secrets_localhost_kubeconfig_path: "{{ kubernetes_localhost_kubeconfig_path }}" cert_manager_localhost_kubeconfig_path: "{{ kubernetes_localhost_kubeconfig_path }}" diff --git a/ansible/group_vars/kubernetes_master/snmp_exporter_secrets.example b/ansible/group_vars/kubernetes_master/snmp_exporter_secrets.example new file mode 100644 index 000000000..10c00bc9b --- /dev/null +++ b/ansible/group_vars/kubernetes_master/snmp_exporter_secrets.example @@ -0,0 +1,2 @@ +--- +snmp_exporter_config: diff --git a/ansible/inventory.proxmox.example b/ansible/inventory.proxmox.example index 099418f7e..a3bf41926 100644 --- a/ansible/inventory.proxmox.example +++ b/ansible/inventory.proxmox.example @@ -6,7 +6,7 @@ password: validate_certs: true strict: true want_facts: true -keyed_groups: +keyed_groups: - key: proxmox_tags_parsed separator: "" filters: diff --git a/argocd/applicationset.yaml b/argocd/applicationset.yaml index f6863426f..0fc515485 100644 --- a/argocd/applicationset.yaml 
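Review bot: The new Vault entry `snmp.yaml: "{{ snmp_exporter_config }}"` in the second hunk expects `snmp_exporter_config` to hold the full exporter config text, but the companion `snmp_exporter_secrets.example` hunk declares `snmp_exporter_config:` with no value, which a copy of the example turns into null rather than a config file. Because `values.yaml` later mounts this key as the file passed to `--config.file`, the variable has to be the literal snmp.yaml text as a string, not a parsed mapping; if it were a mapping I would expect the templated value to come back in a non-YAML literal form, which is worth confirming before relying on it. Suggest making the example self-describing with a block scalar, `snmp_exporter_config: |`, preceded by `# Literal contents of the snmp.yaml produced by the generator (holds SNMPv3 credentials).`. The first hunk's read-only policy for the new path is fine as written.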
+++ b/argocd/applicationset.yaml @@ -39,6 +39,9 @@ spec: - appName: blackbox-exporter namespace: blackbox-exporter syncWave: "0" + - appName: snmp-exporter + namespace: snmp-exporter + syncWave: "0" - appName: as212510-net namespace: as212510-net syncWave: "0" diff --git a/argocd/snmp-exporter/kustomization.yaml b/argocd/snmp-exporter/kustomization.yaml new file mode 100644 index 000000000..3e2ebcdd1 --- /dev/null +++ b/argocd/snmp-exporter/kustomization.yaml @@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: snmp-exporter + +resources: + - manifests/01_external_secret.yaml + +helmCharts: +- name: prometheus-snmp-exporter + releaseName: snmp-exporter + namespace: snmp-exporter + repo: https://prometheus-community.github.io/helm-charts + version: 1.8.1 + valuesFile: values.yaml diff --git a/argocd/snmp-exporter/manifests/01_external_secret.yaml b/argocd/snmp-exporter/manifests/01_external_secret.yaml new file mode 100644 index 000000000..976f694d1 --- /dev/null +++ b/argocd/snmp-exporter/manifests/01_external_secret.yaml 
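Review bot: The new `kustomization.yaml` mixes sequence indentation styles: `resources` uses the indented form (`  - manifests/01_external_secret.yaml`) while `helmCharts` uses the flush form (`- name: prometheus-snmp-exporter`). Both parse, but yamllint's `indentation` check flags the mix and it reads as two authors; indenting the `helmCharts` entries by two spaces (`  - name: prometheus-snmp-exporter`, `    releaseName: snmp-exporter`, and so on) keeps the file consistent. Pinning the chart to `version: 1.8.1` is good; note that `values.yaml` also pins the image `tag`, so both need bumping together.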
@@ -0,0 +1,49 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: snmp-exporter-vault + namespace: snmp-exporter +--- +apiVersion: external-secrets.io/v1beta1 +kind: SecretStore +metadata: + name: vault + namespace: snmp-exporter +spec: + provider: + vault: + server: "https://vault.vault.svc:8200" + path: "secret" + version: "v2" + auth: + kubernetes: + mountPath: "kubernetes" + role: "snmp-exporter" + serviceAccountRef: + name: "snmp-exporter-vault" + caProvider: + type: "ConfigMap" + # https://github.com/external-secrets/external-secrets/issues/1024 + namespace: "snmp-exporter" + name: "homelab-ca" + key: "ca.crt" +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: snmp-exporter-vault + namespace: snmp-exporter +spec: + refreshInterval: "1m" + target: + creationPolicy: "Owner" + deletionPolicy: "Retain" + secretStoreRef: + kind: SecretStore + name: vault + data: + - secretKey: CONFIG + remoteRef: + key: secret/data/homelab/prod/snmp-exporter + property: snmp.yaml diff --git a/argocd/snmp-exporter/values.yaml b/argocd/snmp-exporter/values.yaml new file mode 100644 index 000000000..73b957b96 --- /dev/null +++ b/argocd/snmp-exporter/values.yaml @@ -0,0 +1,35 @@ +image: + repository: prom/snmp-exporter + tag: v0.25.0 +service: + ipDualStack: + enabled: true +podAnnotations: + reloader.stakater.com/auto: "true" +serviceMonitor: + enabled: true +extraArgs: + - "--config.file=/run/secrets/snmp-exporter/snmp.yaml" +extraSecretMounts: + - name: snmp-exporter-vault + mountPath: /run/secrets/snmp-exporter + subPath: snmp.yaml + secretName: snmp-exporter-vault + readOnly: true +params: + - name: r1.unicornafk.fr + target: r1.unicornafk.fr + module: + - mikrotik + - name: sw1.unicornafk.fr + target: sw1.unicornafk.fr + module: + - brocade + - name: sw2.unicornafk.fr + target: sw2.unicornafk.fr + module: + - brocade + - name: nas.unicornafk.fr + target: nas.unicornafk.fr + module: + - qnap 
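Review bot: The ExternalSecret writes the Vault property into the Kubernetes Secret under `secretKey: CONFIG`, but the `values.yaml` hunk mounts that Secret with `subPath: snmp.yaml` and points `--config.file` at `/run/secrets/snmp-exporter/snmp.yaml`; the key named in the subPath does not exist in the generated Secret, so the mount cannot resolve. Changing the line to `- secretKey: snmp.yaml` makes the Secret key match the subPath and the file name the exporter expects. Also worth checking how the chart renders `mountPath` together with `subPath`: with a single-file subPath mount, the mount path is usually the file itself, so the `--config.file` argument may need to be `/run/secrets/snmp-exporter` or the mountPath the full file path — confirm against the rendered Deployment. A subPath mount is also not updated in place when the Secret changes, so the `refreshInterval: "1m"` only takes effect through the `reloader.stakater.com/auto` annotation that `values.yaml` sets; a short comment next to `subPath` saying so would save the next reader a debugging round.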
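Review bot: The `params` entries in `values.yaml` name a `target` and `module` for each device but never select an SNMPv3 auth, while the generator config in this commit defines only a single `auths` entry (`auth_name`). If the exporter receives no `auth` query parameter it falls back to its built-in default auth name, which this snmp.yaml would not define, and every scrape would fail rather than use the v3 credentials. If this chart version's params entries accept an `auth` list (worth confirming in chart 1.8.1's ServiceMonitor template), each entry should carry `auth:` with `- auth_name` (or whatever the real auth is named); otherwise the ServiceMonitor needs that parameter added another way.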
diff --git a/docs/guide/snmp-exporter/index.md b/docs/guide/snmp-exporter/index.md new file mode 100644 index 000000000..8db20989e --- /dev/null +++ b/docs/guide/snmp-exporter/index.md @@ -0,0 +1,25 @@ +# snmp-exporter + +[SNMP Exporter](https://github.com/prometheus/snmp_exporter) this exporter is the recommended way to expose SNMP data in a format which Prometheus can ingest. + +## How to generate snmp-exporter configuration ? + +SNMP v3 must be enabled and configured on all devices. + +Download the mib files : + +- [Mikrotik mib](https://mikrotik.com/download) +- [Brocade](https://support.ruckuswireless.com/software) +- Qnap : Go to Control Panel > Network & File Services > SNMP and Under SNMP MIB, click Download. + +Don't forget to change in the following configuration : + +- `` +- `` +- `` + +``` title="snmp-generator.yml" linenums="1" +--8<-- "docs/guide/snmp-exporter/snmp-generator.yml" +``` + +Follow instructions step from [snmp-exporter documentation](https://github.com/prometheus/snmp_exporter/tree/main/generator#snmp-exporter-config-generator) diff --git a/docs/guide/snmp-exporter/snmp-generator.yml b/docs/guide/snmp-exporter/snmp-generator.yml new file mode 100644 index 000000000..0348a7d88 --- /dev/null +++ b/docs/guide/snmp-exporter/snmp-generator.yml 
@@ -0,0 +1,103 @@ +--- +auths: + auth_name: + version: 3 + username: "" + security_level: authPriv + password: "" + auth_protocol: SHA + priv_protocol: DES + priv_password: "" +modules: + # Default IF-MIB interfaces table with ifIndex. + if_mib: + walk: + - 1.3.6.1.2.1.1.3 # sysUpTime + - 1.3.6.1.2.1.2 # interfaces + - 1.3.6.1.2.1.31.1.1 # ifXTable + lookups: + - source_indexes: [ifIndex] + lookup: ifAlias + - source_indexes: [ifIndex] + lookup: ifDescr + - source_indexes: [ifIndex] + lookup: 1.3.6.1.2.1.31.1.1.1.1 + overrides: + ifType: + type: EnumAsInfo + + # Mikrotik CCR2004-1g-12s+2xs + mikrotik: + walk: + - 1.3.6.1.2.1.1.3 # sysUpTime + - 1.3.6.1.2.1.2 # interfaces + - 1.3.6.1.2.1.31.1.1 # ifXTable + - 1.3.6.1.4.1.14988 # mikrotik + lookups: + - source_indexes: [ifIndex] + lookup: ifAlias + - source_indexes: [ifIndex] + lookup: ifDescr + - source_indexes: [ifIndex] + lookup: 1.3.6.1.2.1.31.1.1.1.1 + overrides: + ifType: + type: EnumAsInfo + + # Brocade ICX 6450-24P & ICX 7150-C12P + brocade: + walk: + - 1.3.6.1.2.1.1.3 # sysUpTime + - 1.3.6.1.2.1.2 # interfaces + - 1.3.6.1.2.1.31.1.1 # ifXTable + - 1.3.6.1.4.1.1991.1.1.2.1.11 # snAgImgVer + - 1.3.6.1.4.1.1991.1.1.1.2 # snChasPwr + - 1.3.6.1.4.1.1991.1.1.1.3 # snChasFan + - 1.3.6.1.4.1.1991.1.1.2.11 # snAgentCpu + - 1.3.6.1.4.1.1991.1.1.2.1.53 # snAgentMemUtil + - 1.3.6.1.4.1.1991.1.1.2.13 # snAgentTemp + lookups: + - source_indexes: [ifIndex] + lookup: ifAlias + - source_indexes: [ifIndex] + lookup: ifDescr + - source_indexes: [ifIndex] + lookup: 1.3.6.1.2.1.31.1.1.1.1 + overrides: + ifType: + type: EnumAsInfo + + # Qnap TS-219 PII + qnap: + walk: + - 1.3.6.1.2.1.1.3 # sysUpTime + - 1.3.6.1.2.1.2 # interfaces + - 1.3.6.1.2.1.31.1.1 # ifXTable + - 1.3.6.1.4.1.24681.1.2.1 #qnap + - 1.3.6.1.4.1.24681.1.2.2 #qnap + - 1.3.6.1.4.1.24681.1.2.3 #qnap + - 1.3.6.1.4.1.24681.1.2.4 #qnap + - 1.3.6.1.4.1.24681.1.2.5 #qnap + - 1.3.6.1.4.1.24681.1.2.6 #qnap + - 1.3.6.1.4.1.24681.1.2.10 #qnap + - 1.3.6.1.4.1.24681.1.2.11 
#qnap + - 1.3.6.1.4.1.24681.1.2.12 #qnap + - 1.3.6.1.4.1.24681.1.2.13 #qnap + - 1.3.6.1.4.1.24681.1.2.14 #qnap + - 1.3.6.1.4.1.24681.1.2.15 #qnap + - 1.3.6.1.4.1.24681.1.2.16 #qnap + - 1.3.6.1.4.1.24681.1.2.17 #qnap + - 1.3.6.1.4.1.24681.1.3 #qnap + - 1.3.6.1.4.1.24681.1.4 #qnap + lookups: + - source_indexes: [ifIndex] + lookup: ifAlias + - source_indexes: [ifIndex] + lookup: ifDescr + - source_indexes: [ifIndex] + lookup: 1.3.6.1.2.1.31.1.1.1.1 + - source_indexes: [hdIndex] + lookup: hdDescr + overrides: + ifType: + type: EnumAsInfo \ No newline at end of file
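Review bot: The SNMPv3 sample pins `priv_protocol: DES` and `auth_protocol: SHA`, so anyone following the guide ends up with DES-encrypted SNMP traffic and SHA-1 authentication even though the generator accepts stronger options; since the guide already requires v3 on all devices, the sample should default to `auth_protocol: SHA256` and `priv_protocol: AES` (or `AES256`), with a one-line comment noting that older firmware may only support SHA/AES and to drop back only where needed. Two smaller style points on the same hunk: the qnap `#qnap` trailing comments lack the space after `#` that the other entries use, and the file ends without a trailing newline (`\ No newline at end of file`).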