[squid] Add support for prometheus exporter

This commit is contained in:
Daniel Berteaud 2024-03-27 23:09:39 +01:00
parent 646f8006f2
commit ad1b762e44
11 changed files with 234 additions and 0 deletions


@ -0,0 +1,25 @@
FROM danielberteaud/alpine:24.3-1
MAINTAINER Daniel Berteaud <dbd@ehtrace.com>
ARG EXPORTER_VERSION=1.11.0
ADD --chmod=755 --chown=root:root https://github.com/boynux/squid-exporter/releases/download/v${EXPORTER_VERSION}/squid-exporter-linux-amd64 /usr/local/bin/squid-exporter
ENV SQUID_EXPORTER_LISTEN=0.0.0.0:9301 \
SQUID_EXPORTER_METRICS_PATH=/metrics \
SQUID_HOSTNAME=127.0.0.1 \
SQUID_PORT=3128
RUN set -euxo pipefail &&\
addgroup --gid 9301 squid-exporter &&\
adduser --system \
--ingroup squid-exporter \
--disabled-password \
--uid 9301 \
--home /home/squid-exporter \
--shell /sbin/nologin \
squid-exporter
USER squid-exporter
EXPOSE 9301
CMD ["squid-exporter"]
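Review bot: The `ADD` on the line after `ARG EXPORTER_VERSION` fetches `squid-exporter-linux-amd64` from the GitHub release with no integrity check, so the image content depends on whatever that asset holds at build time; BuildKit can pin it with `ADD --checksum=sha256:<EXPECTED_SHA256_FROM_RELEASE> --chmod=755 --chown=root:root https://github.com/boynux/squid-exporter/releases/download/v${EXPORTER_VERSION}/squid-exporter-linux-amd64 /usr/local/bin/squid-exporter`, with the digest kept next to `version` in the values file so a bump updates both. The same line appears in the templated Dockerfile section further down (the one starting `FROM [[ .docker.repo ]]`), so the fix belongs there too. `MAINTAINER` is deprecated; `LABEL org.opencontainers.image.authors="Daniel Berteaud <dbd@ehtrace.com>"` carries the same information. The architecture is also hard-coded to amd64; `ARG TARGETARCH` in the URL would let one Dockerfile build the other release assets.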


@ -0,0 +1,22 @@
#!/bin/sh
set -euo pipefail
# vim: syntax=sh
export LC_ALL=C
VAULT_KV_PATH=kv/service/squid
RAND_CMD="tr -dc A-Za-z0-9\-_\/=~\.+ < /dev/urandom | head -c 50"
if ! vault kv list $(dirname ${VAULT_KV_PATH}) 2>/dev/null | grep -q -E "^$(basename ${VAULT_KV_PATH})\$"; then
vault kv put ${VAULT_KV_PATH} \
manager_pwd="$(sh -c "${RAND_CMD}")" \
fi
for SECRET in manager_pwd; do
if ! vault kv get -field ${SECRET} ${VAULT_KV_PATH} >/dev/null 2>&1; then
vault kv patch ${VAULT_KV_PATH} \
${SECRET}=$(sh -c "${RAND_CMD}")
fi
done
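Review bot: As rendered, the `manager_pwd="$(sh -c "${RAND_CMD}")" \` line ends with a continuation backslash and the next line is `fi`, which would make `fi` an argument of `vault kv put` and leave the `if` unterminated; this may be a rendering artefact (the hunk declares 22 lines but 16 are shown), so it is worth confirming that a blank line or an unescaped line end sits between them in the committed file. `set -euo pipefail` under `#!/bin/sh` only works where `sh` is bash or busybox ash; some `sh` implementations (dash, at least in common versions) reject `-o pipefail`, and because `set` is a special builtin the script then exits before touching Vault, so either use `#!/usr/bin/env bash` or drop `pipefail`. The `if ! vault kv list … | grep -q` test also treats any failure of `vault kv list` (Vault unreachable, token without `list` on the metadata path) as "secret absent" and falls through to a `kv put` that would write a fresh `manager_pwd` over one already in use; checking `vault kv get -field manager_pwd` first, as the loop below does, avoids that.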


@ -5,6 +5,8 @@ job "squid" {
region = "global"
group "squid" {
network {
mode = "bridge"
@ -15,6 +17,16 @@ job "squid" {
service {
name = "squid"
port = 3128
meta {
alloc = "${NOMAD_ALLOC_INDEX}"
datacenter = "${NOMAD_DC}"
group = "${NOMAD_GROUP_NAME}"
job = "${NOMAD_JOB_NAME}"
namespace = "${NOMAD_NAMESPACE}"
node = "${node.unique.name}"
region = "${NOMAD_REGION}"
}
connect {
sidecar_service {
disable_default_tcp_check = true
@ -50,11 +62,23 @@ job "squid" {
readonly_rootfs = true
pids_limit = 100
volumes = [
"local/squid.conf:/etc/squid/squid.conf:ro",
"secrets/:/etc/squid/conf.d",
"local/filter-acl.sh:/entrypoint.d/30-filter-acl.sh:ro"
]
}
vault {
policies = ["squid"]
env = false
disable_file = true
change_mode = "noop"
}
env {
SQUID_LISTS_DIR = "/local/lists"
SQUID_CONF_5_auth_param = "basic program /usr/lib/squid/basic_ncsa_auth /secrets/auth"
@ -85,6 +109,35 @@ _EOT
perms = 755
}
template {
data = <<_EOT
max_filedescriptors 8192
pid_filename none
http_port 3128
# Log on stdout
access_log stdio:/dev/stdout combined
# NCSA auth
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/auth
auth_param basic children 2 startup=2 idle=1
auth_param basic credentialsttl 1 hours
# Allow squid manager
acl auth_squid_manager proxy_auth squid_manager
http_access allow manager localhost auth_squid_manager
# Deny cache manager to anyone else
http_access deny manager
# Include config fragment
include /etc/squid/conf.d/*.conf
_EOT
destination = "local/squid.conf"
}
template {
data = <<_EOT
#!/bin/sh
@ -110,6 +163,7 @@ _EOT
template {
data = <<_EOT
squid_manager:{{ with secret "kv/service/squid" }}{{ sprig_bcrypt .Data.data.manager_pwd }}{{ end }}
{{- range services }}
{{- if not (.Name | regexMatch ".*sidecar\\-proxy$") }}
{{ .Name }}:{{ sprig_bcrypt .Name }}
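Review bot: The new `include /etc/squid/conf.d/*.conf` in the `local/squid.conf` template makes every file under `/etc/squid/conf.d` part of the running configuration, and that directory is the `"secrets/:/etc/squid/conf.d"` volume, the only one of the three mounts without `:ro` (its siblings `local/squid.conf` and `local/filter-acl.sh` are read-only and the task keeps `readonly_rootfs = true`). Anything that can write into the task's secrets directory from inside the container can therefore add or change squid directives, including the `http_access` rules guarding the cache manager. Unless the entrypoint needs to write there (it is not visible in this commit whether the `SQUID_CONF_*` variables are rendered into that directory or elsewhere), mount it `"secrets/:/etc/squid/conf.d:ro"`; the same volume line appears in the templated job section (the one whose first hunk starts `@ -7,6 +7,9 @@ job "[[ .instance ]]"`).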


@ -0,0 +1,3 @@
path "kv/data/service/squid" {
capabilities = ["read"]
}


@ -0,0 +1,25 @@
FROM [[ .docker.repo ]][[ .docker.base_images.alpine.image ]]
MAINTAINER [[ .docker.maintainer ]]
ARG EXPORTER_VERSION=[[ .squid.exporter.version ]]
ADD --chmod=755 --chown=root:root https://github.com/boynux/squid-exporter/releases/download/v${EXPORTER_VERSION}/squid-exporter-linux-amd64 /usr/local/bin/squid-exporter
ENV SQUID_EXPORTER_LISTEN=0.0.0.0:9301 \
SQUID_EXPORTER_METRICS_PATH=/metrics \
SQUID_HOSTNAME=127.0.0.1 \
SQUID_PORT=3128
RUN set -euxo pipefail &&\
addgroup --gid 9301 squid-exporter &&\
adduser --system \
--ingroup squid-exporter \
--disabled-password \
--uid 9301 \
--home /home/squid-exporter \
--shell /sbin/nologin \
squid-exporter
USER squid-exporter
EXPOSE 9301
CMD ["squid-exporter"]

5
prep.d/10-squid-rand-secrets Executable file

@ -0,0 +1,5 @@
#!/bin/sh
set -euo pipefail
[[ template "common/vault.rand_secrets" merge .squid . ]]


@ -7,6 +7,9 @@ job "[[ .instance ]]" {
group "squid" {
network {
mode = "bridge"
[[- if conv.ToBool $c.prometheus.enabled ]]
port "metrics" {}
[[- end ]]
}
count = [[ $c.count ]]
@ -14,6 +17,7 @@ job "[[ .instance ]]" {
service {
name = "[[ .instance ]][[ .consul.suffix ]]"
port = 3128
[[ template "common/service_meta" $c ]]
[[ template "common/connect" $c ]]
}
@ -25,11 +29,15 @@ job "[[ .instance ]]" {
readonly_rootfs = true
pids_limit = 100
volumes = [
"local/squid.conf:/etc/squid/squid.conf:ro",
"secrets/:/etc/squid/conf.d",
"local/filter-acl.sh:/entrypoint.d/30-filter-acl.sh:ro"
]
}
[[ template "common/artifacts" $c ]]
[[ template "common/vault.policies" $c ]]
env {
SQUID_LISTS_DIR = "/local/lists"
SQUID_CONF_5_auth_param = "basic program /usr/lib/squid/basic_ncsa_auth /secrets/auth"
@ -46,6 +54,13 @@ _EOT
perms = 755
}
template {
data =<<_EOT
[[ template "squid/squid.conf" $c ]]
_EOT
destination = "local/squid.conf"
}
template {
data =<<_EOT
[[ template "squid/reload.sh.tpl" $c ]]
@ -107,5 +122,43 @@ _EOT
[[ template "common/file_env" $c ]]
[[ template "common/resources" $c ]]
}
[[- if conv.ToBool $c.prometheus.enabled ]]
[[ template "common/task.metrics_proxy" $c ]]
[[- $c := merge $c.exporter $c ]]
task "exporter" {
driver = "[[ $c.nomad.driver ]]"
lifecycle {
hook = "poststart"
sidecar = true
}
config {
image = "[[ $c.image ]]"
readonly_rootfs = true
pids_limit = 20
}
[[ template "common/vault.policies" $c ]]
template {
data = <<_EOT
SQUID_EXPORTER_LISTEN=127.0.0.1:9301
SQUID_LOGIN=squid_manager
SQUID_PASSWORD='{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.manager_pwd }}{{ end }}'
_EOT
destination = "secrets/.squid-exporter.env"
perms = 400
env = true
}
[[ template "common/resources" $c ]]
}
[[- end ]]
}
}


@ -1,3 +1,4 @@
squid_manager:{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ sprig_bcrypt .Data.data.manager_pwd }}{{ end }}
{{- range services }}
{{- if not (.Name | regexMatch ".*sidecar\\-proxy$") }}
{{ .Name }}:{{ sprig_bcrypt .Name }}

22
templates/squid.conf Normal file

@ -0,0 +1,22 @@
max_filedescriptors 8192
pid_filename none
http_port 3128
# Log on stdout
access_log stdio:/dev/stdout combined
# NCSA auth
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/auth
auth_param basic children 2 startup=2 idle=1
auth_param basic credentialsttl 1 hours
# Allow squid manager
acl auth_squid_manager proxy_auth squid_manager
http_access allow manager localhost auth_squid_manager
# Deny cache manager to anyone else
http_access deny manager
# Include config fragment
include /etc/squid/conf.d/*.conf
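Review bot: The `auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/auth` line points the NCSA helper at `/etc/squid/auth`, while the existing task environment (context line `SQUID_CONF_5_auth_param = "basic program /usr/lib/squid/basic_ncsa_auth /secrets/auth"` in the job) names `/secrets/auth`, and nothing in this commit mounts an auth file at `/etc/squid/auth`. Since the `include /etc/squid/conf.d/*.conf` comes last, a fragment rendered from `SQUID_CONF_*` would presumably override the path, but that depends on the entrypoint and on squid taking the later directive; if the helper ends up with a missing file every authenticated request fails, including the `squid_manager` access that the new `http_access allow manager localhost auth_squid_manager` rule relies on. Either make both places name the same file or drop one of them, and add a comment above the `auth_param` line stating which is authoritative, e.g. `# NCSA file path is overridden by SQUID_CONF_5_auth_param; keep in sync`.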


@ -16,6 +16,13 @@ squid:
cpu: 100
memory: 256
vault:
policies:
- '[[ .instance ]][[ .consul.suffix ]]'
rand_secrets:
- fields:
- manager_pwd
# Env variables passed to the container
# squid configuration can be passed with
#
@ -97,3 +104,17 @@ squid:
consul:
connect:
disable_default_tcp_check: true
prometheus:
enabled: '[[ .prometheus.available ]]'
metrics_url: http://127.0.0.1:9301/metrics
exporter:
version: 1.11.0
image: '[[ .docker.repo ]]squid-exporter:[[ .squid.exporter.version ]]-1'
resources:
cpu: 10
memory: 20
vault:
policies:
- '[[ .instance ]][[ .consul.suffix ]]'

3
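--- a/vault/policies/squid.hcl
+++ b/vault/policies/squid.hcl
@@ -0,0 +1,3 @@
+path "[[ .vault.root ]]kv/data/service/[[ .instance ]]" {
+capabilities = ["read"]
+}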