zulip/puppet/kandra/manifests/profile/grafana.pp

# @summary Observability using Grafana
#
class kandra::profile::grafana inherits kandra::profile::base {

  include zulip::supervisor

  $version = $zulip::common::versions['grafana']['version']
  $dir = "/srv/zulip-grafana-${version}"
  $bin = "${dir}/bin/grafana-server"
  $data_dir = '/var/lib/grafana'

  zulip::external_dep { 'grafana':
    version        => $version,
    url            => "https://dl.grafana.com/oss/release/grafana-${version}.linux-${zulip::common::goarch}.tar.gz",
    tarball_prefix => "grafana-v${version}",
    bin            => [$bin],
    cleanup_after  => [Service[supervisor]],
  }

  group { 'grafana':
    ensure => present,
    gid    => '1070',
  }
  user { 'grafana':
    ensure     => present,
    uid        => '1070',
    gid        => '1070',
    shell      => '/bin/bash',
    home       => $data_dir,
    managehome => false,
  }
  file { $data_dir:
    ensure  => directory,
    owner   => 'grafana',
    group   => 'grafana',
    require => [ User[grafana], Group[grafana] ],
  }
  file { '/var/log/grafana':
    ensure => directory,
    owner  => 'grafana',
    group  => 'grafana',
  }

  kandra::teleport::application { 'monitoring': port => '3000' }
  kandra::firewall_allow { 'grafana': port => '3000' }
  file { "${zulip::common::supervisor_conf_dir}/grafana.conf":
    ensure  => file,
    require => [
      Package[supervisor],
      File[$bin],
      File[$data_dir],
      File['/var/log/grafana'],
    ],
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => template('kandra/supervisor/conf.d/grafana.conf.erb'),
    notify  => Service[supervisor],
  }

  $email_host = zulipconf('grafana', 'email_host', '')
  $email_from = zulipconf('grafana', 'email_from', '')
  $email_user = zulipsecret('secrets', 'grafana_email_user', '')
  $email_password = zulipsecret('secrets', 'grafana_email_password', '')
  file { '/etc/grafana':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }
  file { '/etc/grafana/grafana.ini':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => template('kandra/grafana.ini.template.erb'),
    notify  => Service[supervisor],
  }
}
puppet: Add grafana server. 2020-07-24 00:05:25 +02:00			`# @summary Observability using Grafana`
			`#`
puppet: Rename puppet/zulip_ops to puppet/kandra. This makes for easier tab-completion, and also is a bit more explicit about the expected consumer. 2024-02-06 21:40:19 +01:00			`class kandra::profile::grafana inherits kandra::profile::base {`
puppet: Allow profiles to override zulip_ops::profile::base. 2024-02-02 15:08:49 +01:00
puppet: Add grafana server. 2020-07-24 00:05:25 +02:00			`include zulip::supervisor`

puppet: Centralize versions and sha256 hashes of external dependencies. This will make it easier to update versions of these dependencies. 2021-12-28 03:00:14 +01:00			`$version = $zulip::common::versions['grafana']['version']`
puppet: Move slash out of $dir by convention. 2021-12-28 02:08:41 +01:00			`$dir = "/srv/zulip-grafana-${version}"`
			`$bin = "${dir}/bin/grafana-server"`
puppet: Pull out grafana $data_dir. 2021-12-28 02:49:35 +01:00			`$data_dir = '/var/lib/grafana'`
puppet: Use zulip::external_dep for grafana, template config. Templating the config ensures that the service is restarted when it is upgraded. 2021-12-09 05:25:49 +01:00
			`zulip::external_dep { 'grafana':`
			`version => $version,`
puppet: Factor out $::architecture case statement for golang. 2022-02-11 20:37:31 +01:00			`url => "https://dl.grafana.com/oss/release/grafana-${version}.linux-${zulip::common::goarch}.tar.gz",`
puppet: Fix grafana tarball path. Grafana 10.2.1 and up package their tarball with a `grafana-v10.2.1` and not `grafana-10.2.1` as previously. 2024-01-25 21:36:51 +01:00			`tarball_prefix => "grafana-v${version}",`
puppet: Stop relying on "tidy" ordering, which ignores metaparams. The `tidy` parameter is buggy, and ignores all ordering metaparameters. This is fixed in Puppet 7[^1], but it's helpful to resolve it now. Specifically, this fixes bugs with tidy running too early, and deleting the old version of a package before its new version is installed or symlinked, leaving a race condition if anything tries to run the binary in this window. This is mostly not a problem for Supervisor-managed processes, since the binary is already running, and can continue to run if it is tidied out from under the running process. For stand-alone tools like wal-g, which are run frequently by PostgreSQL, this may cause issues if PostgreSQL tries to call them during a puppet run. Remove all complicated uses of tidy, and replace them with an `exec` which does the equivalent. We also generate `file` resources for binaries, making them easier (and clearer) to specify as dependencies. [^1]: https://puppet.atlassian.net/browse/PUP-10688 2024-04-15 20:11:08 +02:00			`bin => [$bin],`
			`cleanup_after => [Service[supervisor]],`
puppet: Add grafana server. 2020-07-24 00:05:25 +02:00			`}`

			`group { 'grafana':`
			`ensure => present,`
			`gid => '1070',`
			`}`
			`user { 'grafana':`
			`ensure => present,`
			`uid => '1070',`
			`gid => '1070',`
			`shell => '/bin/bash',`
puppet: Provide a constant homedir for grafana user. The homedir of a user cannot be changed if any processes are running as them, so having it change over time as upgrades happen will break puppet application, as the old grafana process under supervisor will effectively lock changes to the user's homedir. Unfortunately, that means that this change will thus fail to puppet-apply unless `supervisorctl stop grafana` is run first, but there's no way around that. 2021-12-28 02:50:36 +01:00			`home => $data_dir,`
puppet: Add grafana server. 2020-07-24 00:05:25 +02:00			`managehome => false,`
			`}`
puppet: Pull out grafana $data_dir. 2021-12-28 02:49:35 +01:00			`file { $data_dir:`
puppet: Add grafana server. 2020-07-24 00:05:25 +02:00			`ensure => directory,`
			`owner => 'grafana',`
			`group => 'grafana',`
			`require => [ User[grafana], Group[grafana] ],`
			`}`
			`file { '/var/log/grafana':`
			`ensure => directory,`
			`owner => 'grafana',`
			`group => 'grafana',`
			`}`

puppet: Rename puppet/zulip_ops to puppet/kandra. This makes for easier tab-completion, and also is a bit more explicit about the expected consumer. 2024-02-06 21:40:19 +01:00			`kandra::teleport::application { 'monitoring': port => '3000' }`
			`kandra::firewall_allow { 'grafana': port => '3000' }`
puppet: Move zulip_ops supervisor config into /etc/supervisor/conf.d/zulip/. This is similar cleanup to 3ab9b31d2fb5, but only affects zulip_ops services; it serves to ensure that any of these services which are no longer enabled are automatically removed from supervisor. Note that this will cause a supervisor restart on all affected hosts, which will restart all supervisor services. 2021-06-11 22:37:36 +02:00			`file { "${zulip::common::supervisor_conf_dir}/grafana.conf":`
puppet: Add grafana server. 2020-07-24 00:05:25 +02:00			`ensure => file,`
			`require => [`
			`Package[supervisor],`
puppet: Stop relying on "tidy" ordering, which ignores metaparams. The `tidy` parameter is buggy, and ignores all ordering metaparameters. This is fixed in Puppet 7[^1], but it's helpful to resolve it now. Specifically, this fixes bugs with tidy running too early, and deleting the old version of a package before its new version is installed or symlinked, leaving a race condition if anything tries to run the binary in this window. This is mostly not a problem for Supervisor-managed processes, since the binary is already running, and can continue to run if it is tidied out from under the running process. For stand-alone tools like wal-g, which are run frequently by PostgreSQL, this may cause issues if PostgreSQL tries to call them during a puppet run. Remove all complicated uses of tidy, and replace them with an `exec` which does the equivalent. We also generate `file` resources for binaries, making them easier (and clearer) to specify as dependencies. [^1]: https://puppet.atlassian.net/browse/PUP-10688 2024-04-15 20:11:08 +02:00			`File[$bin],`
puppet: Pull out grafana $data_dir. 2021-12-28 02:49:35 +01:00			`File[$data_dir],`
puppet: Add grafana server. 2020-07-24 00:05:25 +02:00			`File['/var/log/grafana'],`
			`],`
			`owner => 'root',`
			`group => 'root',`
			`mode => '0644',`
puppet: Rename puppet/zulip_ops to puppet/kandra. This makes for easier tab-completion, and also is a bit more explicit about the expected consumer. 2024-02-06 21:40:19 +01:00			`content => template('kandra/supervisor/conf.d/grafana.conf.erb'),`
puppet: Add grafana server. 2020-07-24 00:05:25 +02:00			`notify => Service[supervisor],`
			`}`

kandra: Template and insert email credentials. 2024-03-21 22:28:10 +01:00			`$email_host = zulipconf('grafana', 'email_host', '')`
			`$email_from = zulipconf('grafana', 'email_from', '')`
			`$email_user = zulipsecret('secrets', 'grafana_email_user', '')`
			`$email_password = zulipsecret('secrets', 'grafana_email_password', '')`
puppet: Add grafana server. 2020-07-24 00:05:25 +02:00			`file { '/etc/grafana':`
			`ensure => directory,`
			`owner => 'root',`
			`group => 'root',`
puppet: Match the `x` bits on directories to what puppet actually does. Puppet _always_ sets the `+x` bit on directories if they have the `r` bit set for that slot[^1]: > When specifying numeric permissions for directories, Puppet sets the > search permission wherever the read permission is set. As such, for instance, `0640` is actually applied as `0750`. Fix what we "want" to match what puppet is applying, by adding the `x` bit. In none of these cases did we actually intend the directory to not be executable. [1] https://www.puppet.com/docs/puppet/5.5/types/file.html#file-attribute-mode 2023-01-26 23:26:51 +01:00			`mode => '0755',`
puppet: Add grafana server. 2020-07-24 00:05:25 +02:00			`}`
			`file { '/etc/grafana/grafana.ini':`
kandra: Template and insert email credentials. 2024-03-21 22:28:10 +01:00			`ensure => file,`
			`owner => 'root',`
			`group => 'root',`
			`mode => '0644',`
			`content => template('kandra/grafana.ini.template.erb'),`
			`notify => Service[supervisor],`
puppet: Add grafana server. 2020-07-24 00:05:25 +02:00			`}`
			`}`