promtail: Role/Playbook to deploy Promtail

Promtail is the log sending client for Grafana Loki. For traditional Linux systems, an RPM package is available from upstream, making installation fairly simple. Configuration is stored in a YAML file, so again, it's straightforward to configure via Ansible variables. Really, the only interesting step is adding the _promtail_ user, which is created by the RPM package, to the _systemd-journal_ group, so that Promtail can read the systemd journal files.
2024-02-22 19:23:31 -06:00
parent 226a9e05fa
commit 19009bde1a
9 changed files with 170 additions and 0 deletions
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -83,3 +83,20 @@ firemon_networks:
 - 172.24.16.0/20
 - 172.28.33.0/24
 - 10.64.11.0/24
+
+promtail_clients:
+- url: https://loki.pyrocufflink.blue/loki/api/v1/push
+  tls_config:
+    ca_file: /etc/promtail/ca.crt
+promtail_ca: |
+  -----BEGIN CERTIFICATE-----
+  MIIBgTCCATOgAwIBAgIUTf/ZBSJEi8IQb8Ndoxp4/tHB/lcwBQYDK2VwMEAxCzAJ
+  BgNVBAYTAlVTMRgwFgYDVQQKDA9EdXN0aW4gQy4gSGF0Y2gxFzAVBgNVBAMMDkRD
+  SCBSb290IENBIFIzMB4XDTI0MDIxNzIwMjkzNloXDTM0MDIxNzIwMjkzNlowQDEL
+  MAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDEXMBUGA1UEAwwO
+  RENIIFJvb3QgQ0EgUjMwKjAFBgMrZXADIQDORylVcWcxwGDJvsJIc2NctfNfDaIU
+  T6mLebahKdshaKM/MD0wHQYDVR0OBBYEFLZoxAHBvWqbLWMga/DAAlG9ido5MA8G
+  A1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMAUGAytlcANBANLV79joVd9s9bmL
+  0a91HqvOotOnN/416Ek4UTl95jIqy/TvTfRjXX56wSALXqP1iYQM5i3zk3gVEhh4
+  DaY+6wQ=
+  -----END CERTIFICATE-----
--- a/promtail.yml
+++ b/promtail.yml
@@ -0,0 +1,3 @@
+- hosts: '!kubelet'
+  roles:
+  - promtail
--- a/roles/promtail/defaults/main.yml
+++ b/roles/promtail/defaults/main.yml
@@ -0,0 +1,24 @@
+promtail_positions_file: /tmp/positions.yaml
+
+promtail_clients:
+  - url: http://localhost:3100/loki/api/v1/push
+
+promtail_scrape_configs:
+- '{{ promtail_default_scrape.journal }}'
+
+promtail_ca: ''
+
+promtail_config:
+  server:
+    http_listen_port: 9080
+    grpc_listen_port: 0
+
+  positions:
+    filename: >-
+      {{ promtail_positions_file }}
+
+  clients: >-
+    {{ promtail_clients }}
+
+  scrape_configs: >-
+    {{ promtail_scrape_configs }}
--- a/roles/promtail/files/grafana-promtail.repo
+++ b/roles/promtail/files/grafana-promtail.repo
@@ -0,0 +1,8 @@
+[grafana-promtail]
+name=grafana-promtail
+baseurl=https://rpm.grafana.com
+repo_gpgcheck=1
+enabled=1
+gpgcheck=1
+gpgkey=https://rpm.grafana.com/gpg.key
+includepkgs=promtail
--- a/roles/promtail/handlers/main.yml
+++ b/roles/promtail/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: reload promtail
+  service:
+    name: promtail
+    state: restarted
--- a/roles/promtail/tasks/deploy.yml
+++ b/roles/promtail/tasks/deploy.yml
@@ -0,0 +1,64 @@
+- name: ensure promtail user is a member of systemd-journal group
+  user:
+    name: promtail
+    system: true
+    groups: systemd-journal
+    append: true
+    shell: /bin/false
+    state: present
+  tags:
+  - user
+
+- name: ensure promtail is configured
+  copy:
+    content: |
+      {{ promtail_config | to_nice_yaml(indent=2) }}
+    dest: /etc/promtail/config.yml
+    mode: u=rw,go=r
+    owner: root
+    group: root
+  notify:
+  - reload promtail
+  tags:
+  - config
+
+- name: ensure promtail ca certificate is set
+  copy:
+    content: |-
+      {{ promtail_ca }}
+    dest: /etc/promtail/ca.crt
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload promtail
+  tags:
+  - config
+  - cert
+
+- name: ensure promtail service starts at boot
+  service:
+    name: promtail
+    enabled: true
+  tags:
+  - service
+
+- name: ensure promtail is running
+  service:
+    name: promtail
+    state: started
+  tags:
+  - service
+
+- name: ensure promtail http port is open in the firewall
+  firewalld:
+    port: >-
+      {{ promtail_config.server.http_listen_port }}/tcp
+    permanent: true
+    immediate: true
+    state: enabled
+  when: >-
+    promtail_config.server.http_listen_port|d(0) > 0
+    and host_uses_firewalld|d(true)
+  tags:
+  - firewall
--- a/roles/promtail/tasks/install.yml
+++ b/roles/promtail/tasks/install.yml
@@ -0,0 +1,14 @@
+- name: ensure grafana-promtail yum repository is configured
+  copy:
+    src: grafana-promtail.repo
+    dest: /etc/yum.repos.d/grafana-promtail.repo
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  tags:
+  - repo
+
+- name: ensure promtail is installed
+  package:
+    name: promtail
+    state: present
--- a/roles/promtail/tasks/main.yml
+++ b/roles/promtail/tasks/main.yml
@@ -0,0 +1,7 @@
+- block:
+  - import_tasks: install.yml
+    tags:
+    - install
+  - import_tasks: deploy.yml
+  tags:
+  - promtail
--- a/roles/promtail/vars/main.yml
+++ b/roles/promtail/vars/main.yml
@@ -0,0 +1,29 @@
+promtail_default_scrape:
+  journal:
+    job_name: journal
+    journal:
+      json: false
+      labels:
+        job: systemd-journal
+    relabel_configs:
+      - source_labels:
+          - __journal__hostname
+        target_label: hostname
+      - source_labels:
+          - __journal__systemd_unit
+        target_label: unit
+      - source_labels:
+          - __journal_syslog_identifier
+        target_label: syslog_identifier
+      - source_labels:
+          - __journal_priority
+        target_label: priority
+      - source_labels:
+          - __journal_message_id
+        target_label: message_id
+      - source_labels:
+          - __journal__comm
+        target_label: command
+      - source_labels:
+          - __journal__transport
+        target_label: transport