[squid] Add support for prometheus exporter
This commit is contained in:
parent
646f8006f2
commit
ad1b762e44
|
@ -0,0 +1,25 @@
|
|||
FROM danielberteaud/alpine:24.3-1
|
||||
MAINTAINER Daniel Berteaud <dbd@ehtrace.com>
|
||||
|
||||
ARG EXPORTER_VERSION=1.11.0
|
||||
|
||||
ADD --chmod=755 --chown=root:root https://github.com/boynux/squid-exporter/releases/download/v${EXPORTER_VERSION}/squid-exporter-linux-amd64 /usr/local/bin/squid-exporter
|
||||
|
||||
ENV SQUID_EXPORTER_LISTEN=0.0.0.0:9301 \
|
||||
SQUID_EXPORTER_METRICS_PATH=/metrics \
|
||||
SQUID_HOSTNAME=127.0.0.1 \
|
||||
SQUID_PORT=3128
|
||||
|
||||
RUN set -euxo pipefail &&\
|
||||
addgroup --gid 9301 squid-exporter &&\
|
||||
adduser --system \
|
||||
--ingroup squid-exporter \
|
||||
--disabled-password \
|
||||
--uid 9301 \
|
||||
--home /home/squid-exporter \
|
||||
--shell /sbin/nologin \
|
||||
squid-exporter
|
||||
|
||||
USER squid-exporter
|
||||
EXPOSE 9301
|
||||
CMD ["squid-exporter"]
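Review bot: The `ADD --chmod=755 --chown=root:root https://github.com/...` line copies a release binary fetched at build time straight into the image as an executable without verifying it, so a replaced or tampered release asset would ship unnoticed. BuildKit's checksum flag closes that gap: `ADD --checksum=sha256:<digest of squid-exporter-linux-amd64 for v1.11.0> --chmod=755 --chown=root:root https://github.com/boynux/squid-exporter/releases/download/v${EXPORTER_VERSION}/squid-exporter-linux-amd64 /usr/local/bin/squid-exporter`, with the digest recorded once from the upstream release and bumped together with `EXPORTER_VERSION`. The URL also hard-codes `linux-amd64`, so the image cannot be rebuilt for another architecture without editing the Dockerfile; if that matters, derive the suffix from `TARGETARCH`. `MAINTAINER` is deprecated and should become `LABEL org.opencontainers.image.authors="Daniel Berteaud <dbd@ehtrace.com>"`.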
|
|
@ -0,0 +1,22 @@
|
|||
#!/bin/sh
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
# vim: syntax=sh
|
||||
|
||||
export LC_ALL=C
|
||||
VAULT_KV_PATH=kv/service/squid
|
||||
RAND_CMD="tr -dc A-Za-z0-9\-_\/=~\.+ < /dev/urandom | head -c 50"
|
||||
if ! vault kv list $(dirname ${VAULT_KV_PATH}) 2>/dev/null | grep -q -E "^$(basename ${VAULT_KV_PATH})\$"; then
|
||||
vault kv put ${VAULT_KV_PATH} \
|
||||
manager_pwd="$(sh -c "${RAND_CMD}")" \
|
||||
|
||||
fi
|
||||
for SECRET in manager_pwd; do
|
||||
if ! vault kv get -field ${SECRET} ${VAULT_KV_PATH} >/dev/null 2>&1; then
|
||||
vault kv patch ${VAULT_KV_PATH} \
|
||||
${SECRET}=$(sh -c "${RAND_CMD}")
|
||||
fi
|
||||
done
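Review bot: `set -euo pipefail` on the third line is not portable under `#!/bin/sh`: `pipefail` is not a POSIX `set` option, so on a host whose `/bin/sh` is dash the `set` call itself fails and, because `-e` is already active, the script exits before it ever talks to Vault; busybox ash and bash accept it. Either change the shebang to `#!/bin/bash` or drop `-o pipefail`, which changes nothing here since the only pipeline is the `vault kv list | grep -q` test, whose outcome is decided by grep either way. A second point is that the generated password is passed as a command-line argument to `vault kv put` and `vault kv patch`, so it is briefly visible in the process list of whoever runs the script; Vault's CLI can read the value from stdin instead, e.g. `sh -c "${RAND_CMD}" | vault kv put ${VAULT_KV_PATH} manager_pwd=-`. The `list` then `put` sequence is also not atomic, so two operators running this at the same time could overwrite each other's secret; a comment such as `# not safe to run concurrently: list-then-put is a check-then-act` would at least make that explicit.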
|
||||
|
||||
|
|
@ -5,6 +5,8 @@ job "squid" {
|
|||
region = "global"
|
||||
|
||||
|
||||
|
||||
|
||||
group "squid" {
|
||||
network {
|
||||
mode = "bridge"
|
||||
|
@ -15,6 +17,16 @@ job "squid" {
|
|||
service {
|
||||
name = "squid"
|
||||
port = 3128
|
||||
meta {
|
||||
alloc = "${NOMAD_ALLOC_INDEX}"
|
||||
datacenter = "${NOMAD_DC}"
|
||||
group = "${NOMAD_GROUP_NAME}"
|
||||
job = "${NOMAD_JOB_NAME}"
|
||||
namespace = "${NOMAD_NAMESPACE}"
|
||||
node = "${node.unique.name}"
|
||||
region = "${NOMAD_REGION}"
|
||||
}
|
||||
|
||||
connect {
|
||||
sidecar_service {
|
||||
disable_default_tcp_check = true
|
||||
|
@ -50,11 +62,23 @@ job "squid" {
|
|||
readonly_rootfs = true
|
||||
pids_limit = 100
|
||||
volumes = [
|
||||
"local/squid.conf:/etc/squid/squid.conf:ro",
|
||||
"secrets/:/etc/squid/conf.d",
|
||||
"local/filter-acl.sh:/entrypoint.d/30-filter-acl.sh:ro"
|
||||
]
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
vault {
|
||||
policies = ["squid"]
|
||||
env = false
|
||||
disable_file = true
|
||||
change_mode = "noop"
|
||||
}
|
||||
|
||||
|
||||
env {
|
||||
SQUID_LISTS_DIR = "/local/lists"
|
||||
SQUID_CONF_5_auth_param = "basic program /usr/lib/squid/basic_ncsa_auth /secrets/auth"
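Review bot: The new `vault` stanza sets `env = false`, `disable_file = true` and `change_mode = "noop"` without saying why, and the combination is deliberate enough to deserve a comment so a later edit does not "fix" it. `env = false` and `disable_file = true` keep the Vault token out of the task's environment and off the secrets directory, which is the right choice when only Nomad's template runner needs it, and `noop` presumably means that a re-issued token should not restart squid because the templates re-render on their own; confirm that the auth and config templates carry their own `change_mode` so a rotated secret is still applied. A comment along the lines of `# token is consumed by the template runner only: never exposed to the task, and rotation needs no restart` above `policies = ["squid"]` would capture that intent.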
|
||||
|
@ -85,6 +109,35 @@ _EOT
|
|||
perms = 755
|
||||
}
|
||||
|
||||
template {
|
||||
data = <<_EOT
|
||||
max_filedescriptors 8192
|
||||
pid_filename none
|
||||
http_port 3128
|
||||
|
||||
# Log on stdout
|
||||
access_log stdio:/dev/stdout combined
|
||||
|
||||
# NCSA auth
|
||||
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/auth
|
||||
auth_param basic children 2 startup=2 idle=1
|
||||
auth_param basic credentialsttl 1 hours
|
||||
|
||||
# Allow squid manager
|
||||
acl auth_squid_manager proxy_auth squid_manager
|
||||
http_access allow manager localhost auth_squid_manager
|
||||
# Deny cache manager to anyone else
|
||||
http_access deny manager
|
||||
|
||||
# Include config fragment
|
||||
include /etc/squid/conf.d/*.conf
|
||||
|
||||
|
||||
|
||||
_EOT
|
||||
destination = "local/squid.conf"
|
||||
}
|
||||
|
||||
template {
|
||||
data = <<_EOT
|
||||
#!/bin/sh
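Review bot: The `auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/auth` line in the new squid.conf template points at a different htpasswd file than the pre-existing `SQUID_CONF_5_auth_param` env entry earlier in this task (`/secrets/auth`), and if that env entry is still turned into a `conf.d` fragment by the entrypoint, squid will be handed `auth_param basic program` twice with two paths and the winner is decided by include order rather than intent. Keep exactly one declaration (drop either the env entry or the conf line) and annotate the survivor, e.g. `# single source of truth for the basic auth helper; the htpasswd file is rendered from the auth template`, after confirming which path the rendered auth file actually lands on inside the container. The `http_access allow manager localhost auth_squid_manager` followed by `http_access deny manager` correctly restricts the cache manager to authenticated requests from the same network namespace, which is what the exporter task relies on.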
|
||||
|
@ -110,6 +163,7 @@ _EOT
|
|||
|
||||
template {
|
||||
data = <<_EOT
|
||||
squid_manager:{{ with secret "kv/service/squid" }}{{ sprig_bcrypt .Data.data.manager_pwd }}{{ end }}
|
||||
{{- range services }}
|
||||
{{- if not (.Name | regexMatch ".*sidecar\\-proxy$") }}
|
||||
{{ .Name }}:{{ sprig_bcrypt .Name }}
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
path "kv/data/service/squid" {
|
||||
capabilities = ["read"]
|
||||
}
|
|
@ -0,0 +1,25 @@
|
|||
FROM [[ .docker.repo ]][[ .docker.base_images.alpine.image ]]
|
||||
MAINTAINER [[ .docker.maintainer ]]
|
||||
|
||||
ARG EXPORTER_VERSION=[[ .squid.exporter.version ]]
|
||||
|
||||
ADD --chmod=755 --chown=root:root https://github.com/boynux/squid-exporter/releases/download/v${EXPORTER_VERSION}/squid-exporter-linux-amd64 /usr/local/bin/squid-exporter
|
||||
|
||||
ENV SQUID_EXPORTER_LISTEN=0.0.0.0:9301 \
|
||||
SQUID_EXPORTER_METRICS_PATH=/metrics \
|
||||
SQUID_HOSTNAME=127.0.0.1 \
|
||||
SQUID_PORT=3128
|
||||
|
||||
RUN set -euxo pipefail &&\
|
||||
addgroup --gid 9301 squid-exporter &&\
|
||||
adduser --system \
|
||||
--ingroup squid-exporter \
|
||||
--disabled-password \
|
||||
--uid 9301 \
|
||||
--home /home/squid-exporter \
|
||||
--shell /sbin/nologin \
|
||||
squid-exporter
|
||||
|
||||
USER squid-exporter
|
||||
EXPOSE 9301
|
||||
CMD ["squid-exporter"]
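Review bot: The `ADD ... https://github.com/boynux/squid-exporter/releases/download/v${EXPORTER_VERSION}/squid-exporter-linux-amd64` line has no `--checksum`, so the release binary is trusted purely on the strength of the URL at build time. Since this is the templated variant, the expected digest can live next to the version it belongs to, e.g. an `ARG EXPORTER_CHECKSUM=[[ .squid.exporter.checksum ]]` after the version and `ADD --checksum=sha256:${EXPORTER_CHECKSUM} --chmod=755 --chown=root:root ... /usr/local/bin/squid-exporter`, so bumping the version without updating the digest fails the build instead of silently accepting a different artifact. `MAINTAINER` is deprecated in favour of `LABEL org.opencontainers.image.authors="[[ .docker.maintainer ]]"`.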
|
|
@ -0,0 +1,5 @@
|
|||
#!/bin/sh
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
[[ template "common/vault.rand_secrets" merge .squid . ]]
|
|
@ -7,6 +7,9 @@ job "[[ .instance ]]" {
|
|||
group "squid" {
|
||||
network {
|
||||
mode = "bridge"
|
||||
[[- if conv.ToBool $c.prometheus.enabled ]]
|
||||
port "metrics" {}
|
||||
[[- end ]]
|
||||
}
|
||||
|
||||
count = [[ $c.count ]]
|
||||
|
@ -14,6 +17,7 @@ job "[[ .instance ]]" {
|
|||
service {
|
||||
name = "[[ .instance ]][[ .consul.suffix ]]"
|
||||
port = 3128
|
||||
[[ template "common/service_meta" $c ]]
|
||||
[[ template "common/connect" $c ]]
|
||||
}
|
||||
|
||||
|
@ -25,11 +29,15 @@ job "[[ .instance ]]" {
|
|||
readonly_rootfs = true
|
||||
pids_limit = 100
|
||||
volumes = [
|
||||
"local/squid.conf:/etc/squid/squid.conf:ro",
|
||||
"secrets/:/etc/squid/conf.d",
|
||||
"local/filter-acl.sh:/entrypoint.d/30-filter-acl.sh:ro"
|
||||
]
|
||||
}
|
||||
|
||||
[[ template "common/artifacts" $c ]]
|
||||
[[ template "common/vault.policies" $c ]]
|
||||
|
||||
env {
|
||||
SQUID_LISTS_DIR = "/local/lists"
|
||||
SQUID_CONF_5_auth_param = "basic program /usr/lib/squid/basic_ncsa_auth /secrets/auth"
|
||||
|
@ -46,6 +54,13 @@ _EOT
|
|||
perms = 755
|
||||
}
|
||||
|
||||
template {
|
||||
data =<<_EOT
|
||||
[[ template "squid/squid.conf" $c ]]
|
||||
_EOT
|
||||
destination = "local/squid.conf"
|
||||
}
|
||||
|
||||
template {
|
||||
data =<<_EOT
|
||||
[[ template "squid/reload.sh.tpl" $c ]]
|
||||
|
@ -107,5 +122,43 @@ _EOT
|
|||
[[ template "common/file_env" $c ]]
|
||||
[[ template "common/resources" $c ]]
|
||||
}
|
||||
|
||||
[[- if conv.ToBool $c.prometheus.enabled ]]
|
||||
|
||||
[[ template "common/task.metrics_proxy" $c ]]
|
||||
|
||||
[[- $c := merge $c.exporter $c ]]
|
||||
|
||||
task "exporter" {
|
||||
driver = "[[ $c.nomad.driver ]]"
|
||||
|
||||
lifecycle {
|
||||
hook = "poststart"
|
||||
sidecar = true
|
||||
}
|
||||
|
||||
config {
|
||||
image = "[[ $c.image ]]"
|
||||
readonly_rootfs = true
|
||||
pids_limit = 20
|
||||
}
|
||||
|
||||
[[ template "common/vault.policies" $c ]]
|
||||
|
||||
template {
|
||||
data = <<_EOT
|
||||
SQUID_EXPORTER_LISTEN=127.0.0.1:9301
|
||||
SQUID_LOGIN=squid_manager
|
||||
SQUID_PASSWORD='{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.manager_pwd }}{{ end }}'
|
||||
_EOT
|
||||
destination = "secrets/.squid-exporter.env"
|
||||
perms = 400
|
||||
env = true
|
||||
}
|
||||
|
||||
[[ template "common/resources" $c ]]
|
||||
}
|
||||
|
||||
[[- end ]]
|
||||
}
|
||||
}
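Review bot: The exporter template renders `SQUID_PASSWORD='...manager_pwd...'` with `env = true`, so the cache-manager password ends up in the exporter's process environment, where it is readable via `/proc/<pid>/environ`, `nomad alloc exec`, or `docker inspect` on the node and is inherited by any child process; that is wider exposure than the bcrypt hash squid itself sees, even though `perms = 400` protects the file. If the exporter only accepts credentials through the environment this is an accepted trade-off, but it should be stated, e.g. `# exporter takes credentials from env only; the value lives in the task environ, not just in this 0400 file`. The single-quoting of the value also relies on the generated password never containing a quote, which the `tr` character set in the rand_secrets helper appears to exclude; a short comment tying the quoting to that assumption would keep the two in sync.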
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
squid_manager:{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ sprig_bcrypt .Data.data.manager_pwd }}{{ end }}
|
||||
{{- range services }}
|
||||
{{- if not (.Name | regexMatch ".*sidecar\\-proxy$") }}
|
||||
{{ .Name }}:{{ sprig_bcrypt .Name }}
|
||||
|
|
|
@ -0,0 +1,22 @@
|
|||
max_filedescriptors 8192
|
||||
pid_filename none
|
||||
http_port 3128
|
||||
|
||||
# Log on stdout
|
||||
access_log stdio:/dev/stdout combined
|
||||
|
||||
# NCSA auth
|
||||
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/auth
|
||||
auth_param basic children 2 startup=2 idle=1
|
||||
auth_param basic credentialsttl 1 hours
|
||||
|
||||
# Allow squid manager
|
||||
acl auth_squid_manager proxy_auth squid_manager
|
||||
http_access allow manager localhost auth_squid_manager
|
||||
# Deny cache manager to anyone else
|
||||
http_access deny manager
|
||||
|
||||
# Include config fragment
|
||||
include /etc/squid/conf.d/*.conf
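Review bot: The ordering of `http_access allow manager localhost auth_squid_manager`, `http_access deny manager` and the trailing `include /etc/squid/conf.d/*.conf` is load-bearing, since squid evaluates `http_access` rules top to bottom and a fragment included before the deny could reopen the cache manager to unauthenticated clients; nothing in the file says so. Replace `# Deny cache manager to anyone else` with something like `# Keep these two manager rules ahead of the conf.d include: fragments must not be able to widen cache-manager access`. The `localhost` ACL also means the exporter can only reach the manager because it shares the allocation's network namespace and talks to 127.0.0.1:3128; a one-line comment on the allow rule noting that dependency would stop someone moving the exporter to its own allocation and wondering why it gets 403.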
|
||||
|
||||
|
|
@ -16,6 +16,13 @@ squid:
|
|||
cpu: 100
|
||||
memory: 256
|
||||
|
||||
vault:
|
||||
policies:
|
||||
- '[[ .instance ]][[ .consul.suffix ]]'
|
||||
rand_secrets:
|
||||
- fields:
|
||||
- manager_pwd
|
||||
|
||||
# Env variables passed to the container
|
||||
# squid configuration can be passed with
|
||||
#
|
||||
|
@ -97,3 +104,17 @@ squid:
|
|||
consul:
|
||||
connect:
|
||||
disable_default_tcp_check: true
|
||||
|
||||
prometheus:
|
||||
enabled: '[[ .prometheus.available ]]'
|
||||
metrics_url: http://127.0.0.1:9301/metrics
|
||||
|
||||
exporter:
|
||||
version: 1.11.0
|
||||
image: '[[ .docker.repo ]]squid-exporter:[[ .squid.exporter.version ]]-1'
|
||||
resources:
|
||||
cpu: 10
|
||||
memory: 20
|
||||
vault:
|
||||
policies:
|
||||
- '[[ .instance ]][[ .consul.suffix ]]'
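Review bot: The `resources` block gives the exporter `memory: 20`, which is very tight for a Go process with its runtime and TLS stack and may lead to OOM kills under Nomad's memory enforcement; verify the observed RSS under load before shipping this default, or raise it modestly. The `image` is pinned by tag (`[[ .squid.exporter.version ]]-1`) rather than by digest, so a re-pushed tag would be picked up silently on the next pull; if the registry is under your control this is acceptable, but a comment stating that assumption is worthwhile. The exporter's `vault.policies` duplicates the squid task's entry, which is correct since it needs read access to the same `manager_pwd` secret and nothing more.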
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
path "[[ .vault.root ]]kv/data/service/[[ .instance ]]" {
|
||||
capabilities = ["read"]
|
||||
}
|