14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
|
# File 'modules/profile/manifests/thanos/rule.pp', line 14
class profile::thanos::rule (
Hash[Stdlib::Fqdn, Hash] $thanos_rule_hosts = lookup('profile::thanos::rule_hosts'),
Array $query_hosts = lookup('profile::thanos::frontends'),
Hash[String, String] $objstore_account = lookup('profile::thanos::objstore_account'),
String $objstore_password = lookup('profile::thanos::objstore_password'),
Array[Stdlib::Host] $alertmanagers = lookup('alertmanagers'),
String $public_domain = lookup('public_domain'),
) {
$http_port = 17902
$grpc_port = 17901
class { 'thanos::rule':
alertmanagers => $alertmanagers,
# /etc/thanos-rule paths are reserved for puppet-deployed files, whereas /srv paths
# will receive automatically-deployed alerts.
rule_files => ['/etc/thanos-rule/rules/*.yaml',
'/etc/thanos-rule/alerts/*.yaml',
'/srv/alerts-thanos/*.yaml',
'/etc/pyrra/output-rules/*.yaml'],
rule_hosts => $thanos_rule_hosts,
use_objstore => true,
objstore_account => $objstore_account,
objstore_password => $objstore_password,
http_port => $http_port,
grpc_port => $grpc_port,
query_url => "https://thanos.${public_domain}",
}
if $::fqdn in $thanos_rule_hosts {
# placeholder class to be able to fetch thanos-rule hosts
# as Prometheus job targets
class { 'thanos::rule::prometheus': }
prometheus::pint::source { 'thanos-query-frontend':
port => 16902,
url_path => '',
all_alerts => true,
}
# promql/rate needs to read Prometheus config via
# /api/v1/status/config which Thanos doesn't expose or proxy
prometheus::pint::config { 'disable-checks':
content => @(CONFIG)
checks {
disabled = ["promql/rate"]
}
|- CONFIG
}
} else {
class { 'prometheus::pint':
ensure => absent,
}
}
# Allow grpc access from query hosts
$query_hosts_ferm = join($query_hosts, ' ')
ferm::service { 'thanos_rule_query':
proto => 'tcp',
port => $grpc_port,
srange => "(@resolve((${query_hosts_ferm})) @resolve((${query_hosts_ferm}), AAAA))",
}
# Allow http access to reverse-proxy /rule
ferm::service { 'thanos_rule_web':
proto => 'tcp',
port => $http_port,
srange => "(@resolve((${query_hosts_ferm})) @resolve((${query_hosts_ferm}), AAAA))",
}
# Deploy Thanos recording rules
thanos::recording_rule { 'recording_rules.yaml':
source => 'puppet:///modules/profile/thanos/recording_rules.yaml',
}
}
|