[squid] Add support for prometheus exporter
parent
646f8006f2
commit
ad1b762e44
|
@ -0,0 +1,25 @@
|
||||||
|
FROM danielberteaud/alpine:24.3-1
|
||||||
|
MAINTAINER Daniel Berteaud <dbd@ehtrace.com>
|
||||||
|
|
||||||
|
ARG EXPORTER_VERSION=1.11.0
|
||||||
|
|
||||||
|
ADD --chmod=755 --chown=root:root https://github.com/boynux/squid-exporter/releases/download/v${EXPORTER_VERSION}/squid-exporter-linux-amd64 /usr/local/bin/squid-exporter
|
||||||
|
|
||||||
|
ENV SQUID_EXPORTER_LISTEN=0.0.0.0:9301 \
|
||||||
|
SQUID_EXPORTER_METRICS_PATH=/metrics \
|
||||||
|
SQUID_HOSTNAME=127.0.0.1 \
|
||||||
|
SQUID_PORT=3128
|
||||||
|
|
||||||
|
RUN set -euxo pipefail &&\
|
||||||
|
addgroup --gid 9301 squid-exporter &&\
|
||||||
|
adduser --system \
|
||||||
|
--ingroup squid-exporter \
|
||||||
|
--disabled-password \
|
||||||
|
--uid 9301 \
|
||||||
|
--home /home/squid-exporter \
|
||||||
|
--shell /sbin/nologin \
|
||||||
|
squid-exporter
|
||||||
|
|
||||||
|
USER squid-exporter
|
||||||
|
EXPOSE 9301
|
||||||
|
CMD ["squid-exporter"]
|
|
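Review bot: The release binary is fetched with `ADD` but never integrity-checked, so a re-published asset or a tampered download would land in `/usr/local/bin` unnoticed; pin it with `ADD --checksum=sha256:<SHA256_OF_squid-exporter-linux-amd64_FOR_EXPORTER_VERSION> --chmod=755 --chown=root:root https://github.com/boynux/squid-exporter/releases/download/v${EXPORTER_VERSION}/squid-exporter-linux-amd64 /usr/local/bin/squid-exporter` (BuildKit is already required by `--chmod`) and bump the checksum together with `EXPORTER_VERSION`. The asset name hard-codes `linux-amd64`, so the image silently stops working on any other architecture; if multi-arch matters, `ARG TARGETARCH` with `squid-exporter-linux-${TARGETARCH}` is the usual fix. `MAINTAINER` is deprecated; `LABEL maintainer="Daniel Berteaud <dbd@ehtrace.com>"` carries the same information. The templated Dockerfile later in this commit repeats all three points.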
@ -0,0 +1,22 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
# vim: syntax=sh
|
||||||
|
|
||||||
|
export LC_ALL=C
|
||||||
|
VAULT_KV_PATH=kv/service/squid
|
||||||
|
RAND_CMD="tr -dc A-Za-z0-9\-_\/=~\.+ < /dev/urandom | head -c 50"
|
||||||
|
if ! vault kv list $(dirname ${VAULT_KV_PATH}) 2>/dev/null | grep -q -E "^$(basename ${VAULT_KV_PATH})\$"; then
|
||||||
|
vault kv put ${VAULT_KV_PATH} \
|
||||||
|
manager_pwd="$(sh -c "${RAND_CMD}")" \
|
||||||
|
|
||||||
|
fi
|
||||||
|
for SECRET in manager_pwd; do
|
||||||
|
if ! vault kv get -field ${SECRET} ${VAULT_KV_PATH} >/dev/null 2>&1; then
|
||||||
|
vault kv patch ${VAULT_KV_PATH} \
|
||||||
|
${SECRET}=$(sh -c "${RAND_CMD}")
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
|
|
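Review bot: The existence probe `vault kv list $(dirname ${VAULT_KV_PATH}) 2>/dev/null | grep -q ...` runs under `set -o pipefail`, and `grep -q` exits on the first match, so `vault` can hit EPIPE while still printing later keys and make the pipeline (hence the negated test) fail even though the secret exists; that path re-runs `vault kv put`, which replaces every field and silently rotates `manager_pwd`. Probing the secret directly, `if ! vault kv get "${VAULT_KV_PATH}" >/dev/null 2>&1; then`, avoids the pipe and matches the per-field check in the loop below. The generated values are also passed as command-line arguments (`manager_pwd="..."` on the put and the unquoted `${SECRET}=$(...)` on the patch), where they are visible in the host's process list for the duration of the call; `vault kv put`/`patch` accept `key=-` to read the value from stdin, e.g. `sh -c "${RAND_CMD}" | vault kv put "${VAULT_KV_PATH}" manager_pwd=-`. Finally `#!/bin/sh` with `set -euo pipefail` aborts on shells without `pipefail` (dash), so either `#!/bin/bash` or dropping `-o pipefail` is needed for portability; the templated script later in this commit has the same shebang/`set` pair.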
@ -5,6 +5,8 @@ job "squid" {
|
||||||
region = "global"
|
region = "global"
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
group "squid" {
|
group "squid" {
|
||||||
network {
|
network {
|
||||||
mode = "bridge"
|
mode = "bridge"
|
||||||
|
@ -15,6 +17,16 @@ job "squid" {
|
||||||
service {
|
service {
|
||||||
name = "squid"
|
name = "squid"
|
||||||
port = 3128
|
port = 3128
|
||||||
|
meta {
|
||||||
|
alloc = "${NOMAD_ALLOC_INDEX}"
|
||||||
|
datacenter = "${NOMAD_DC}"
|
||||||
|
group = "${NOMAD_GROUP_NAME}"
|
||||||
|
job = "${NOMAD_JOB_NAME}"
|
||||||
|
namespace = "${NOMAD_NAMESPACE}"
|
||||||
|
node = "${node.unique.name}"
|
||||||
|
region = "${NOMAD_REGION}"
|
||||||
|
}
|
||||||
|
|
||||||
connect {
|
connect {
|
||||||
sidecar_service {
|
sidecar_service {
|
||||||
disable_default_tcp_check = true
|
disable_default_tcp_check = true
|
||||||
|
@ -50,11 +62,23 @@ job "squid" {
|
||||||
readonly_rootfs = true
|
readonly_rootfs = true
|
||||||
pids_limit = 100
|
pids_limit = 100
|
||||||
volumes = [
|
volumes = [
|
||||||
|
"local/squid.conf:/etc/squid/squid.conf:ro",
|
||||||
"secrets/:/etc/squid/conf.d",
|
"secrets/:/etc/squid/conf.d",
|
||||||
"local/filter-acl.sh:/entrypoint.d/30-filter-acl.sh:ro"
|
"local/filter-acl.sh:/entrypoint.d/30-filter-acl.sh:ro"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
vault {
|
||||||
|
policies = ["squid"]
|
||||||
|
env = false
|
||||||
|
disable_file = true
|
||||||
|
change_mode = "noop"
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
env {
|
env {
|
||||||
SQUID_LISTS_DIR = "/local/lists"
|
SQUID_LISTS_DIR = "/local/lists"
|
||||||
SQUID_CONF_5_auth_param = "basic program /usr/lib/squid/basic_ncsa_auth /secrets/auth"
|
SQUID_CONF_5_auth_param = "basic program /usr/lib/squid/basic_ncsa_auth /secrets/auth"
|
||||||
|
@ -85,6 +109,35 @@ _EOT
|
||||||
perms = 755
|
perms = 755
|
||||||
}
|
}
|
||||||
|
|
||||||
|
template {
|
||||||
|
data = <<_EOT
|
||||||
|
max_filedescriptors 8192
|
||||||
|
pid_filename none
|
||||||
|
http_port 3128
|
||||||
|
|
||||||
|
# Log on stdout
|
||||||
|
access_log stdio:/dev/stdout combined
|
||||||
|
|
||||||
|
# NCSA auth
|
||||||
|
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/auth
|
||||||
|
auth_param basic children 2 startup=2 idle=1
|
||||||
|
auth_param basic credentialsttl 1 hours
|
||||||
|
|
||||||
|
# Allow squid manager
|
||||||
|
acl auth_squid_manager proxy_auth squid_manager
|
||||||
|
http_access allow manager localhost auth_squid_manager
|
||||||
|
# Deny cache manager to anyone else
|
||||||
|
http_access deny manager
|
||||||
|
|
||||||
|
# Include config fragment
|
||||||
|
include /etc/squid/conf.d/*.conf
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
_EOT
|
||||||
|
destination = "local/squid.conf"
|
||||||
|
}
|
||||||
|
|
||||||
template {
|
template {
|
||||||
data = <<_EOT
|
data = <<_EOT
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
@ -110,6 +163,7 @@ _EOT
|
||||||
|
|
||||||
template {
|
template {
|
||||||
data = <<_EOT
|
data = <<_EOT
|
||||||
|
squid_manager:{{ with secret "kv/service/squid" }}{{ sprig_bcrypt .Data.data.manager_pwd }}{{ end }}
|
||||||
{{- range services }}
|
{{- range services }}
|
||||||
{{- if not (.Name | regexMatch ".*sidecar\\-proxy$") }}
|
{{- if not (.Name | regexMatch ".*sidecar\\-proxy$") }}
|
||||||
{{ .Name }}:{{ sprig_bcrypt .Name }}
|
{{ .Name }}:{{ sprig_bcrypt .Name }}
|
||||||
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
path "kv/data/service/squid" {
|
||||||
|
capabilities = ["read"]
|
||||||
|
}
|
|
@ -0,0 +1,25 @@
|
||||||
|
FROM [[ .docker.repo ]][[ .docker.base_images.alpine.image ]]
|
||||||
|
MAINTAINER [[ .docker.maintainer ]]
|
||||||
|
|
||||||
|
ARG EXPORTER_VERSION=[[ .squid.exporter.version ]]
|
||||||
|
|
||||||
|
ADD --chmod=755 --chown=root:root https://github.com/boynux/squid-exporter/releases/download/v${EXPORTER_VERSION}/squid-exporter-linux-amd64 /usr/local/bin/squid-exporter
|
||||||
|
|
||||||
|
ENV SQUID_EXPORTER_LISTEN=0.0.0.0:9301 \
|
||||||
|
SQUID_EXPORTER_METRICS_PATH=/metrics \
|
||||||
|
SQUID_HOSTNAME=127.0.0.1 \
|
||||||
|
SQUID_PORT=3128
|
||||||
|
|
||||||
|
RUN set -euxo pipefail &&\
|
||||||
|
addgroup --gid 9301 squid-exporter &&\
|
||||||
|
adduser --system \
|
||||||
|
--ingroup squid-exporter \
|
||||||
|
--disabled-password \
|
||||||
|
--uid 9301 \
|
||||||
|
--home /home/squid-exporter \
|
||||||
|
--shell /sbin/nologin \
|
||||||
|
squid-exporter
|
||||||
|
|
||||||
|
USER squid-exporter
|
||||||
|
EXPOSE 9301
|
||||||
|
CMD ["squid-exporter"]
|
|
@ -0,0 +1,5 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
[[ template "common/vault.rand_secrets" merge .squid . ]]
|
|
@ -7,6 +7,9 @@ job "[[ .instance ]]" {
|
||||||
group "squid" {
|
group "squid" {
|
||||||
network {
|
network {
|
||||||
mode = "bridge"
|
mode = "bridge"
|
||||||
|
[[- if conv.ToBool $c.prometheus.enabled ]]
|
||||||
|
port "metrics" {}
|
||||||
|
[[- end ]]
|
||||||
}
|
}
|
||||||
|
|
||||||
count = [[ $c.count ]]
|
count = [[ $c.count ]]
|
||||||
|
@ -14,6 +17,7 @@ job "[[ .instance ]]" {
|
||||||
service {
|
service {
|
||||||
name = "[[ .instance ]][[ .consul.suffix ]]"
|
name = "[[ .instance ]][[ .consul.suffix ]]"
|
||||||
port = 3128
|
port = 3128
|
||||||
|
[[ template "common/service_meta" $c ]]
|
||||||
[[ template "common/connect" $c ]]
|
[[ template "common/connect" $c ]]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -25,11 +29,15 @@ job "[[ .instance ]]" {
|
||||||
readonly_rootfs = true
|
readonly_rootfs = true
|
||||||
pids_limit = 100
|
pids_limit = 100
|
||||||
volumes = [
|
volumes = [
|
||||||
|
"local/squid.conf:/etc/squid/squid.conf:ro",
|
||||||
"secrets/:/etc/squid/conf.d",
|
"secrets/:/etc/squid/conf.d",
|
||||||
"local/filter-acl.sh:/entrypoint.d/30-filter-acl.sh:ro"
|
"local/filter-acl.sh:/entrypoint.d/30-filter-acl.sh:ro"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
[[ template "common/artifacts" $c ]]
|
||||||
|
[[ template "common/vault.policies" $c ]]
|
||||||
|
|
||||||
env {
|
env {
|
||||||
SQUID_LISTS_DIR = "/local/lists"
|
SQUID_LISTS_DIR = "/local/lists"
|
||||||
SQUID_CONF_5_auth_param = "basic program /usr/lib/squid/basic_ncsa_auth /secrets/auth"
|
SQUID_CONF_5_auth_param = "basic program /usr/lib/squid/basic_ncsa_auth /secrets/auth"
|
||||||
|
@ -46,6 +54,13 @@ _EOT
|
||||||
perms = 755
|
perms = 755
|
||||||
}
|
}
|
||||||
|
|
||||||
|
template {
|
||||||
|
data =<<_EOT
|
||||||
|
[[ template "squid/squid.conf" $c ]]
|
||||||
|
_EOT
|
||||||
|
destination = "local/squid.conf"
|
||||||
|
}
|
||||||
|
|
||||||
template {
|
template {
|
||||||
data =<<_EOT
|
data =<<_EOT
|
||||||
[[ template "squid/reload.sh.tpl" $c ]]
|
[[ template "squid/reload.sh.tpl" $c ]]
|
||||||
|
@ -107,5 +122,43 @@ _EOT
|
||||||
[[ template "common/file_env" $c ]]
|
[[ template "common/file_env" $c ]]
|
||||||
[[ template "common/resources" $c ]]
|
[[ template "common/resources" $c ]]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
[[- if conv.ToBool $c.prometheus.enabled ]]
|
||||||
|
|
||||||
|
[[ template "common/task.metrics_proxy" $c ]]
|
||||||
|
|
||||||
|
[[- $c := merge $c.exporter $c ]]
|
||||||
|
|
||||||
|
task "exporter" {
|
||||||
|
driver = "[[ $c.nomad.driver ]]"
|
||||||
|
|
||||||
|
lifecycle {
|
||||||
|
hook = "poststart"
|
||||||
|
sidecar = true
|
||||||
|
}
|
||||||
|
|
||||||
|
config {
|
||||||
|
image = "[[ $c.image ]]"
|
||||||
|
readonly_rootfs = true
|
||||||
|
pids_limit = 20
|
||||||
|
}
|
||||||
|
|
||||||
|
[[ template "common/vault.policies" $c ]]
|
||||||
|
|
||||||
|
template {
|
||||||
|
data = <<_EOT
|
||||||
|
SQUID_EXPORTER_LISTEN=127.0.0.1:9301
|
||||||
|
SQUID_LOGIN=squid_manager
|
||||||
|
SQUID_PASSWORD='{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.manager_pwd }}{{ end }}'
|
||||||
|
_EOT
|
||||||
|
destination = "secrets/.squid-exporter.env"
|
||||||
|
perms = 400
|
||||||
|
env = true
|
||||||
|
}
|
||||||
|
|
||||||
|
[[ template "common/resources" $c ]]
|
||||||
|
}
|
||||||
|
|
||||||
|
[[- end ]]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
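Review bot: `[[- $c := merge $c.exporter $c ]]` rebinds `$c` for the rest of the `if` block, which is why `$c.image`, `$c.nomad.driver`, `common/resources` and `common/vault.policies` below it resolve to `squid.exporter.*` with the squid-level keys as fallback, and why `vault.policies` has to be duplicated under `exporter` in the values file; a one-line comment such as `[[/* from here on $c is squid.exporter merged over squid */]]` would save the next reader the detour. The exporter receives `manager_pwd` as the environment variable `SQUID_PASSWORD`, so it ends up in the container's environment rather than only in the `perms = 400` file; the file permission is right, and the single quotes around the value are only harmless if Nomad's env-file parsing strips them — worth confirming, otherwise the quotes become part of the password and manager auth fails. `SQUID_EXPORTER_LISTEN=127.0.0.1:9301` correctly overrides the image default of `0.0.0.0:9301`, so the raw metrics endpoint is reachable only through the metrics proxy task.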
@ -1,3 +1,4 @@
|
||||||
|
squid_manager:{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ sprig_bcrypt .Data.data.manager_pwd }}{{ end }}
|
||||||
{{- range services }}
|
{{- range services }}
|
||||||
{{- if not (.Name | regexMatch ".*sidecar\\-proxy$") }}
|
{{- if not (.Name | regexMatch ".*sidecar\\-proxy$") }}
|
||||||
{{ .Name }}:{{ sprig_bcrypt .Name }}
|
{{ .Name }}:{{ sprig_bcrypt .Name }}
|
||||||
|
|
|
@ -0,0 +1,22 @@
|
||||||
|
max_filedescriptors 8192
|
||||||
|
pid_filename none
|
||||||
|
http_port 3128
|
||||||
|
|
||||||
|
# Log on stdout
|
||||||
|
access_log stdio:/dev/stdout combined
|
||||||
|
|
||||||
|
# NCSA auth
|
||||||
|
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/auth
|
||||||
|
auth_param basic children 2 startup=2 idle=1
|
||||||
|
auth_param basic credentialsttl 1 hours
|
||||||
|
|
||||||
|
# Allow squid manager
|
||||||
|
acl auth_squid_manager proxy_auth squid_manager
|
||||||
|
http_access allow manager localhost auth_squid_manager
|
||||||
|
# Deny cache manager to anyone else
|
||||||
|
http_access deny manager
|
||||||
|
|
||||||
|
# Include config fragment
|
||||||
|
include /etc/squid/conf.d/*.conf
|
||||||
|
|
||||||
|
|
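Review bot: `http_access allow manager localhost auth_squid_manager` ANDs its three ACLs, so cache-manager access requires both a loopback source and valid `squid_manager` credentials, and the following `http_access deny manager` closes it for everyone else; the comment `# Allow squid manager` undersells this, `# Cache manager only from localhost AND with squid_manager credentials (ACLs on one line are ANDed)` states what the line enforces. `localhost` here is presumably the allocation's shared network namespace in bridge mode, which is what lets the exporter sidecar reach the manager while proxy clients cannot — worth stating in the same comment. The same configuration appears rendered in the example job earlier in this commit.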
|
@ -16,6 +16,13 @@ squid:
|
||||||
cpu: 100
|
cpu: 100
|
||||||
memory: 256
|
memory: 256
|
||||||
|
|
||||||
|
vault:
|
||||||
|
policies:
|
||||||
|
- '[[ .instance ]][[ .consul.suffix ]]'
|
||||||
|
rand_secrets:
|
||||||
|
- fields:
|
||||||
|
- manager_pwd
|
||||||
|
|
||||||
# Env variables passed to the container
|
# Env variables passed to the container
|
||||||
# squid configuration can be passed with
|
# squid configuration can be passed with
|
||||||
#
|
#
|
||||||
|
@ -97,3 +104,17 @@ squid:
|
||||||
consul:
|
consul:
|
||||||
connect:
|
connect:
|
||||||
disable_default_tcp_check: true
|
disable_default_tcp_check: true
|
||||||
|
|
||||||
|
prometheus:
|
||||||
|
enabled: '[[ .prometheus.available ]]'
|
||||||
|
metrics_url: http://127.0.0.1:9301/metrics
|
||||||
|
|
||||||
|
exporter:
|
||||||
|
version: 1.11.0
|
||||||
|
image: '[[ .docker.repo ]]squid-exporter:[[ .squid.exporter.version ]]-1'
|
||||||
|
resources:
|
||||||
|
cpu: 10
|
||||||
|
memory: 20
|
||||||
|
vault:
|
||||||
|
policies:
|
||||||
|
- '[[ .instance ]][[ .consul.suffix ]]'
|
||||||
|
|
|
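Review bot: `metrics_url: http://127.0.0.1:9301/metrics` must agree with `SQUID_EXPORTER_LISTEN=127.0.0.1:9301` in the exporter task template, but nothing ties the two together; a comment on the values entry such as `# must match SQUID_EXPORTER_LISTEN in the exporter task template` (or deriving both from a single values key) keeps them from drifting. The exporter's `memory: 20` is small for a Go process; it is presumably enough for squid-exporter but worth confirming against a running allocation, since an OOM-killed `poststart` sidecar just restart-loops.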
@ -0,0 +1,3 @@
|
||||||
|
path "[[ .vault.root ]]kv/data/service/[[ .instance ]]" {
|
||||||
|
capabilities = ["read"]
|
||||||
|
}
|