r/vmagent: Rework as container deployment

Like the _blackbox-exporter_ role, the _vmagent_ role now deploys `vmagent` as a container. This simplifies the process considerably, eliminating the download/transfer step. While refactoring this role, I also changed how the trusted CA certificates are handled. Rather than copy files, the role now expects a `vmagent_ca_certs` variable. This variable is a mapping of certificate name (file name without extension) to PEM contents. This allows certificates to be defined using normal host/group variables.
2025-01-26 06:55:11 -06:00
parent dcf1e5adfc
commit 3e8ac36f88
7 changed files with 66 additions and 40 deletions
--- a/roles/vmagent/tasks/deploy.yml
+++ b/roles/vmagent/tasks/deploy.yml
@@ -1,13 +1,27 @@
- name: ensure victoria metrics user exists
-  user:
-    name: victoriametrics
-    system: true
-    home: /var/lib/victoria-metrics
-    createhome: false
-    shell: /sbin/nologin
+- name: ensure vmagent container image is present
+  podman_image:
+    name: '{{ vmagent_container_image_name }}'
+    tag: '{{ vmagent_container_image_tag }}'
    state: present
+    pull: '{{ vmagent_pull_image|d(false)|bool }}'
+  notify:
+  - restart vmagent
  tags:
-  - user
+  - container-image
+
+- name: ensure vmagent system container is configured
+  template:
+    src: vmagent.container.j2
+    dest: /etc/containers/systemd/vmagent.container
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload systemd
+  - restart vmagent
+  tags:
+  - container
+  - systemd

 - name: ensure /etc/sysconfig directory exists
  file:
@@ -48,20 +62,21 @@

 - name: ensure additional ca certificates are installed
  copy:
-    src: '{{ item }}'
-    dest: /etc/victoria-metrics/{{ item | basename }}
+    content: '{{ item.1 }}'
+    dest: /etc/victoria-metrics/{{ item.0 }}.crt
    mode: u=rw,go=r
    owner: root
    group: root
-  with_fileglob:
-  - ca-certs/{{ inventory_hostname }}/*.crt
-  - ca-certs/*.crt
+  loop: '{{ vmagent_ca_certs|dictsort }}'
  notify:
  - reload vmagent
  tags:
  - cert
  - scrape-config

+- name: flush handlers
+  meta: flush_handlers
+
 - name: ensure vmagent starts at boot
  service:
    name: vmagent