From f6ca32ca5c4f00504bdab3d7cbc255a4b3b26b99 Mon Sep 17 00:00:00 2001 From: Christoph Maser Date: Mon, 30 Dec 2024 14:48:28 +0100 Subject: [PATCH] add options to set tls parameters for mysql config used by mysqld_exporter fixes #604 --- REFERENCE.md | 43 ++++++++++++++++++++++----- data/defaults.yaml | 1 - manifests/mysqld_exporter.pp | 44 ++++++++++++++++++---------- spec/classes/mysqld_exporter_spec.rb | 18 ++++++++++++ templates/my.cnf.epp | 23 ++++----------- 5 files changed, 88 insertions(+), 41 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index 4bab04992..5fa03c343 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -6950,6 +6950,9 @@ The following parameters are available in the `prometheus::mysqld_exporter` clas * [`proxy_type`](#-prometheus--mysqld_exporter--proxy_type) * [`web_config_file`](#-prometheus--mysqld_exporter--web_config_file) * [`web_config_content`](#-prometheus--mysqld_exporter--web_config_content) +* [`cnf_ssl_ca`](#-prometheus--mysqld_exporter--cnf_ssl_ca) +* [`cnf_ssl_cert`](#-prometheus--mysqld_exporter--cnf_ssl_cert) +* [`cnf_ssl_key`](#-prometheus--mysqld_exporter--cnf_ssl_key) * [`export_scrape_job`](#-prometheus--mysqld_exporter--export_scrape_job) * [`scrape_host`](#-prometheus--mysqld_exporter--scrape_host) * [`scrape_port`](#-prometheus--mysqld_exporter--scrape_port) @@ -7096,7 +7099,7 @@ Default value: `true` Data type: `Boolean` -Should puppet manage the service? (default true) +Should puppet manage the service? Default value: `true` @@ -7140,7 +7143,7 @@ Default value: `true` Data type: `Boolean` -Should puppet restart the service on configuration change? (default true) +Should puppet restart the service on configuration change? Default value: `true` @@ -7148,7 +7151,7 @@ Default value: `true` Data type: `Boolean` -Whether to enable the service from puppet (default true) +Whether to enable the service from puppet Default value: `true` 
@@ -7156,7 +7159,7 @@ Default value: `true` Data type: `Stdlib::Ensure::Service` -State ensured for the service (default 'running') +State ensured for the service Default value: `'running'` @@ -7164,7 +7167,9 @@ Default value: `'running'` Data type: `String[1]` -Name of the mysqld exporter service (default 'mysqld_exporter') +Name of the mysqld exporter service + +Default value: `'mysqld_exporter'` ##### `user` @@ -7184,7 +7189,7 @@ Default value: `'0.15.1'` Data type: `Optional[String[1]]` -Optional proxy server, with port number if needed. ie: https://example.com:8080 +proxy server, with port number if needed. ie: https://example.com:8080 Default value: `undef` @@ -7192,7 +7197,7 @@ Default value: `undef` Data type: `Optional[Enum['none', 'http', 'https', 'ftp']]` -Optional proxy server type (none|http|https|ftp) +proxy server type Default value: `undef` @@ -7212,6 +7217,30 @@ Unless empty the content of the web-config yaml which will handed over as option Default value: `{}` +##### `cnf_ssl_ca` + +Data type: `Optional[Stdlib::Absolutepath]` + +The path name of the Certificate Authority (CA) certificate file in PEM format. + +Default value: `undef` + +##### `cnf_ssl_cert` + +Data type: `Optional[Stdlib::Absolutepath]` + +The path name of the client SSL public key certificate file in PEM format. + +Default value: `undef` + +##### `cnf_ssl_key` + +Data type: `Optional[Stdlib::Absolutepath]` + +The path name of the client SSL private key file in PEM format. + +Default value: `undef` + ##### `export_scrape_job` Data type: `Boolean` diff --git a/data/defaults.yaml b/data/defaults.yaml index d8bc45044..524bfd529 100644 --- a/data/defaults.yaml +++ b/data/defaults.yaml 
@@ -148,7 +148,6 @@ prometheus::mysqld_exporter::extra_groups: [] prometheus::mysqld_exporter::group: 'mysqld-exporter' prometheus::mysqld_exporter::package_ensure: 'latest' prometheus::mysqld_exporter::package_name: 'mysqld_exporter' -prometheus::mysqld_exporter::service_name: 'mysqld_exporter' prometheus::mysqld_exporter::user: 'mysqld-exporter' prometheus::node_exporter::download_extension: 'tar.gz' prometheus::node_exporter::download_url_base: 'https://github.com/prometheus/node_exporter/releases' diff --git a/manifests/mysqld_exporter.pp b/manifests/mysqld_exporter.pp index 9879fa044..f533cdeda 100644 --- a/manifests/mysqld_exporter.pp +++ b/manifests/mysqld_exporter.pp @@ -37,7 +37,7 @@ # @param manage_group # Whether to create a group for or rely on external code for that # @param manage_service -# Should puppet manage the service? (default true) +# Should puppet manage the service? # @param manage_user # Whether to create user or rely on external code for that # @param os 
@@ -49,25 +49,31 @@ # @param purge_config_dir # Purge config files no longer generated by Puppet # @param restart_on_change -# Should puppet restart the service on configuration change? (default true) +# Should puppet restart the service on configuration change? # @param service_enable -# Whether to enable the service from puppet (default true) +# Whether to enable the service from puppet # @param service_ensure -# State ensured for the service (default 'running') +# State ensured for the service # @param service_name -# Name of the mysqld exporter service (default 'mysqld_exporter') +# Name of the mysqld exporter service # @param user # User which runs the service # @param version # The binary release version # @param proxy_server -# Optional proxy server, with port number if needed. ie: https://example.com:8080 +# proxy server, with port number if needed. ie: https://example.com:8080 # @param proxy_type -# Optional proxy server type (none|http|https|ftp) +# proxy server type # @param web_config_file # Path of file where the web-config will be saved to # @param web_config_content # Unless empty the content of the web-config yaml which will handed over as option to the exporter +# @param cnf_ssl_ca +# The path name of the Certificate Authority (CA) certificate file in PEM format. +# @param cnf_ssl_cert +# The path name of the client SSL public key certificate file in PEM format. +# @param cnf_ssl_key +# The path name of the client SSL private key file in PEM format. class prometheus::mysqld_exporter ( String $download_extension, Prometheus::Uri $download_url_base, @@ -75,10 +81,10 @@ String[1] $group, String[1] $package_ensure, String[1] $package_name, - String[1] $service_name, String[1] $user, # renovate: depName=prometheus/mysqld_exporter String[1] $version = '0.15.1', + String[1] $service_name = 'mysqld_exporter', Stdlib::Absolutepath $cnf_config_path = '/etc/mysqld_exporter-my.cnf', Stdlib::Host $cnf_host = localhost, Stdlib::Port $cnf_port = 3306, 
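Review bot: The new `@param cnf_ssl_key` comment describes the file but not who provides or protects it; as far as this diff shows, the class only writes the path into the cnf file and does not manage the key itself. I would extend the comment to something like `# Path to the client private key (PEM). Not managed by this class; it must already exist and be readable by the service user and no one else.` The same existence caveat applies to `cnf_ssl_ca` and `cnf_ssl_cert`. REFERENCE.md repeats these strings verbatim, so it needs the same wording. The class body continues outside this hunk.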
@@ -109,6 +115,9 @@ Optional[Enum['none', 'http', 'https', 'ftp']] $proxy_type = undef, Stdlib::Absolutepath $web_config_file = '/etc/mysqld_exporter_web-config.yml', Prometheus::Web_config $web_config_content = {}, + Optional[Stdlib::Absolutepath] $cnf_ssl_ca = undef, + Optional[Stdlib::Absolutepath] $cnf_ssl_cert = undef, + Optional[Stdlib::Absolutepath] $cnf_ssl_key = undef, ) inherits prometheus { #Please provide the download_url for versions < 0.9.0 $real_download_url = pick($download_url,"${download_url_base}/download/v${version}/${package_name}-${version}.${os}-${arch}.${download_extension}") @@ -117,6 +126,17 @@ default => undef, } + $_cnf_settings = { + 'user' => $cnf_user, + 'password' => $cnf_password, + 'port' => $cnf_port, + 'host' => $cnf_host, + 'socket' => $cnf_socket, + 'ssl-ca' => $cnf_ssl_ca, + 'ssl-cert' => $cnf_ssl_cert, + 'ssl-key' => $cnf_ssl_key, + }.filter |$k, $v| { $v != undef } + file { $cnf_config_path: ensure => file, mode => $config_mode, @@ -125,13 +145,7 @@ content => Sensitive( epp( 'prometheus/my.cnf.epp', - { - 'cnf_user' => $cnf_user, - 'cnf_password' => $cnf_password, - 'cnf_port' => $cnf_port, - 'cnf_host' => $cnf_host, - 'cnf_socket' => $cnf_socket, - }, + { 'settings' => $_cnf_settings } ) ), notify => $notify_service, diff --git a/spec/classes/mysqld_exporter_spec.rb b/spec/classes/mysqld_exporter_spec.rb index 2b6dea2d4..751a735e3 100644 --- a/spec/classes/mysqld_exporter_spec.rb +++ b/spec/classes/mysqld_exporter_spec.rb 
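Review bot: Nothing in the `$_cnf_settings` hunk ties `cnf_ssl_cert` and `cnf_ssl_key` together, so setting only one of them still compiles and writes half a client identity into the cnf file. A guard ahead of the hash would catch that at compile time, for example `if ($cnf_ssl_cert == undef) != ($cnf_ssl_key == undef) { fail('cnf_ssl_cert and cnf_ssl_key must be set together') }`. It is also worth confirming how the exporter treats `ssl-cert`/`ssl-key` when `ssl-ca` is absent, because a silently ignored TLS option would leave the connection unprotected while the configuration looks hardened. The hash now carries `host`, `port` and `socket` together, whereas the removed template emitted either the socket or host/port, so the exporter's precedence between them should be checked too.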
@@ -37,6 +37,24 @@ it do content = catalogue.resource('file', '/etc/mysqld_exporter-my.cnf').send(:parameters)[:content] expect(content).to include('secret') + expect(content).not_to include('ssl-ca') + end + end + + context 'with tls parameters for exporter' do + let(:params) do + { + cnf_ssl_ca: '/foo/bar/ca.pem', + cnf_ssl_cert: '/foo/bar/cert.pem', + cnf_ssl_key: '/foo/bar/key.pem' + } + end + + it do + content = catalogue.resource('file', '/etc/mysqld_exporter-my.cnf').send(:parameters)[:content] + expect(content).to include('ssl-ca = "/foo/bar/ca.pem"') + expect(content).to include('ssl-cert = "/foo/bar/cert.pem"') + expect(content).to include('ssl-key = "/foo/bar/key.pem"') end end diff --git a/templates/my.cnf.epp b/templates/my.cnf.epp index bdc4dc0a0..ade6f6358 100644 --- a/templates/my.cnf.epp +++ b/templates/my.cnf.epp @@ -1,23 +1,10 @@ <%- | - String $cnf_user, - Variant[Sensitive[String],String] $cnf_password, - Stdlib::Port $cnf_port, - Stdlib::Host $cnf_host, - Optional[Stdlib::Absolutepath] $cnf_socket = undef, + Hash[String[1],Variant[Sensitive[String],String,Integer]] $settings, | -%> + # THIS FILE IS MANAGED BY PUPPET [client] -user = <%= $cnf_user %> -<%- - $_cnf_password = $cnf_password ? { - Sensitive => $cnf_password.unwrap, - default => $cnf_password, - } --%> -password = <%= $_cnf_password %> -<% if $cnf_socket { -%> -socket = <%= $cnf_socket %> -<%- } else { -%> -host = <%= $cnf_host %> -port = <%= $cnf_port %> + +<% $settings.each |$key, $value| { -%> +<%= $key %> = "<%= $value %>" <% } -%>
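Review bot: In templates/my.cnf.epp a `Sensitive` password is no longer unwrapped before rendering: the removed lines called `$cnf_password.unwrap`, while the new loop interpolates `$value` directly even though the parameter type still admits `Sensitive[String]`. Interpolating a Sensitive value produces Puppet's redaction placeholder rather than the secret, so a caller passing a Sensitive `cnf_password` would presumably get a cnf file the exporter cannot authenticate with. Unwrapping inside the loop keeps the old behaviour: `<%- $_value = $value ? { Sensitive => $value.unwrap, default => $value } -%>` followed by `<%= $key %> = "<%= $_value %>"`. The spec hunk above only asserts on the literal `secret` and adds no case that passes the password as Sensitive, so a context doing that would pin this. Values are also now wrapped in double quotes without escaping, so a password containing `"` or a backslash may be parsed differently than with the previous unquoted form.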