feat/grafana 10 (#83)

feat(node-exporter): add a node exporter job fix(github-exporter): bump version fix(github-exporter): use the variable in the artifact string instead of hard-coding it fix(github-exporter): template the secret to be read into the environment fix(jenkins): use vault secret in template fix(grafana): use podman driver BREAKING CHANGE: no longer use the exec driver chore(monitoring): bump versions refactor(monitoring): lookup mysql service in the consul catalog fix(prometheus): fix path to metrics fix(promtail): add nomad job log scraping Signed-off-by: Bruce Becker <[email protected]> --------- Signed-off-by: Bruce Becker <[email protected]>
brucellino · Jan 4, 2024 · 4ed4818 · 4ed4818
1 parent 02f5feb
commit 4ed4818
Show file tree

Hide file tree

Showing 9 changed files with 434 additions and 262 deletions.
diff --git a/jenkins/jenkins.nomad b/jenkins/jenkins.nomad
@@ -1,28 +1,40 @@
+variable "jenkins_war" {
+  type = map(string)
+  default = {
+    war_version = "2.426.2"
+    war_sha256  = "3731b9f44973fbbf3e535f98a80c21aad9719cb4eea8a1e59e974c11fe846848" #pragma: allowlist secret
+  }
+  description = "Version of the Jenkins release to deploy"
+}
+
+variable "plugin_manager" {
+  type = map(string)
+  default = {
+    version = "2.12.8"
+  }
+  description = "Map of configuration entries for the java plugin manager."
+}
+
 job "jenkins" {
 
   update {
     max_parallel = 1
     health_check = "checks"
-    auto_revert = true
+    auto_revert  = true
     auto_promote = true
-    canary = 1
-  }
-
-  constraint {
-    attribute  = "${attr.unique.hostname}"
-    operator = "regexp"
-    value = "^turing.*"
+    canary       = 1
   }
 
   datacenters = ["dc1"]
+
   type = "service"
-  group "main" {
+
+  group "controller" {
     count = 1
     network {
-      port "ui" {
-        static = "8080"
-      }
-      mode = "host"
+      port "ui" {}
+      // mode = "host"
+      port "agent" {}
     }
 
     volume "casc" {
@@ -31,157 +43,150 @@ job "jenkins" {
       source    = "jenkins_casc"
     }
 
-    task "controller" {
+    task "plugins" {
       driver = "exec"
+      env {
+        CASC_JENKINS_CONFIG = "alloc/data/jenkins.yml"
+        JENKINS_HOME        = "alloc/jenkins"
+        CACHE_DIR           = "local/"
+      }
+      lifecycle {
+        hook    = "prestart"
+        sidecar = false
+      }
       volume_mount {
         volume      = "casc"
-        destination = "/usr/share/jenkins"
+        destination = "/usr/share/jenkins/"
         read_only   = false
       }
 
       artifact {
-        source = "https://github.com/jenkinsci/plugin-installation-manager-tool/releases/download/2.12.8/jenkins-plugin-manager-2.12.8.jar"
+        source      = "https://github.com/jenkinsci/plugin-installation-manager-tool/releases/download/${var.plugin_manager.version}/jenkins-plugin-manager-${var.plugin_manager.version}.jar"
         destination = "alloc/data/jenkins-plugin-manager.jar"
-        mode = "file"
+        mode        = "file"
       }
 
       artifact {
-        source = "https://get.jenkins.io/war-stable/2.346.1/jenkins.war"
+        source      = "https://get.jenkins.io/war-stable/${var.jenkins_war.war_version}/jenkins.war"
         destination = "alloc/data/jenkins.war"
-        mode = "file"
+        mode        = "file"
         options {
-          checksum = "sha256:176e2ce5c23d3c0b439befe0461e7ed1f53ac3091db05980198c23c7fde53b27"
+          checksum = "sha256:${var.jenkins_war.war_sha256}"
         }
       }
+
       template {
-        data = "{{ key \"jenkins/plugins\" }}"
-        destination = "local/plugins.txt"
+        data        = "{{ key \"nomad/jenkins/plugins\" }}"
+        destination = "alloc/data/plugins.txt"
         change_mode = "restart"
       }
-      env {
-        CASC_JENKINS_CONFIG = "alloc/data/jenkins.yml"
-        JENKINS_HOME        = "/usr/share/jenkins"
-        CACHE_DIR = "local/"
-      }
+
       template {
-        data = <<EOF
+        data        = <<EOF
 #!/bin/bash
-pwd
 set -eou pipefail
-mkdir -vp /usr/share/jenkins/plugins
+mkdir -vp /alloc/jenkins/plugins
 java -jar alloc/data/jenkins-plugin-manager.jar \
      --war alloc/data/jenkins.war \
-     --plugin-file local/plugins.txt \
+     --plugin-file alloc/data/plugins.txt \
      --skip-failed-plugins \
      --verbose \
-     -d /usr/share/jenkins/plugins/
+     -d /alloc/jenkins/plugins/
+ls -lht /alloc/jenkins/plugins
 echo "plugins installed"
-
-java \
-  -Xmx1024m \
-  -Xms256m \
-  -Dhudson.footerURL=https://hashiatho.me \
-  -Dhudson.model.WorkspaceCleanupThread.disabled=true \
-  -Dhudson.slaves.ConnectionActivityMonitor.timeToPing=30000 \
-  -Djenkins.install.runSetupWizard=false \
-  -Djenkins.security.SystemReadPermission=true \
-  -Djenkins.ui.refresh=true \
-  -jar alloc/data/jenkins.war \
-  --httpPort=${NOMAD_PORT_ui}
 EOF
-        destination = "local/script.sh"
-        perms = "0777"
+        destination = "local/plugins.sh"
+        perms       = "0777"
       }
 
       config {
         command = "/bin/bash"
-        args = ["local/script.sh"]
+        args    = ["local/plugins.sh"]
+      }
+
+      resources {
+        cpu    = "128"
+        memory = "64"
+        // memory_max = "256"
+      } // plugin task resources
+    }   // task
+
+    task "launch" {
+      env {
+        CASC_JENKINS_CONFIG = "alloc/data/jenkins.yml"
+        JENKINS_HOME        = "alloc/jenkins"
+        CACHE_DIR           = "local/"
+      }
+      driver = "java"
+      config {
+        jvm_options = [
+          "-Xmx2048m",
+          "-Xms256m",
+          "-Dhudson.footerURL=https://hashiatho.me",
+          "-Dhudson.model.WorkspaceCleanupThread.disabled=true",
+          "-Dhudson.slaves.ConnectionActivityMonitor.timeToPing=30000",
+          "-Djenkins.install.runSetupWizard=false",
+          "-Djenkins.security.SystemReadPermission=true",
+          "-Djenkins.ui.refresh=true"
+        ]
+        jar_path = "alloc/jenkins/jenkins.war"
+        args = [
+          "--httpPort=${NOMAD_PORT_ui}",
+          "--httpListenAddress=${NOMAD_IP_ui}"
+        ]
       }
 
+      volume_mount {
+        volume      = "casc"
+        destination = "/usr/share/jenkins"
+        read_only   = false
+      }
+      resources {
+        cpu    = "2048"
+        memory = "2048"
+        // memory_max = "2048"
+      } // launch task resources
       service {
         port = "ui"
-
+        name = "jenkins-controller"
         check {
-          type = "http"
-          port = "ui"
-          path = "/prometheus/"
+          type     = "http"
+          port     = "ui"
+          path     = "/prometheus/"
           interval = "10s"
-          timeout = "5s"
+          timeout  = "5s"
         }
-
         on_update = "require_healthy"
+        tags      = ["urlprefix-/jenkins"]
+      } // jenkins ui service
 
-        tags = ["urlprefix-/jenkins"]
-      }
-      template {
-        data = <<EOH
----
-jenkins:
-  agentprotocols:
-    - "JNLP4-connect"
-    - "Ping"
-  numExecutors: 0
-  authorizationStrategy:
-    globalMatrix:
-      permissions:
-        - "Overall/Administer:admin"
-  crumbIssuer:
-    strict:
-      checkSessionMatch: false
-  remotingSecurity:
-    enabled: true
-  systemMessage: "This the best ever message"
-  securityRealm:
-    local:
-      allowsSignup: false
-      users:
-        - id: "admin"
-          password: "1234"
-  clouds:
-    - nomad:
-        clientPassword: ""
-        name: "nomad"
-        nomadUrl: "http://nomad.service.consul:4646"
-        prune: false
-        serverPassword: ""
-        tlsEnabled: false
-        workerTimeout: 1
-
-security:
-  apiToken:
-    creationOfLegacyTokenEnabled: false
-    tokenGenerationOnCreationEnabled: false
-    usageStatisticsEnabled: true
-  globalJobDslSecurityConfiguration:
-    useScriptSecurity: true
-  sSHD:
-    port: -1
-unclassified:
-  prometheusConfiguration:
-    appendParamLabel: true
-    appendStatusLabel: true
-    collectDiskUsage: true
-    collectingMetricsPeriodInSeconds: 60
-    countAbortedBuilds: true
-    countFailedBuilds: true
-    countNotBuiltBuilds: true
-    countSuccessfulBuilds: true
-    countUnstableBuilds: true
-    defaultNamespace: "default"
-    fetchTestResults: true
-    jobAttributeName: "jenkins_job"
-    path: "prometheus"
-    processingDisabledBuilds: false
-    useAuthenticatedEndpoint: false
-EOH
-        destination = "alloc/data/jenkins.yml"
+      service {
+        port = "agent"
+        name = "jenkins-controller-inbound-agent"
+        check {
+          type      = "http"
+          port      = "agent"
+          path      = "/"
+          on_update = "require_healthy"
+          interval  = "30s"
+          timeout   = "5s"
+        }
       }
 
-      resources {
-        cores = 3
-        memory = "500"
-        memory_max = "1000"
+      artifact {
+        source      = "https://get.jenkins.io/war-stable/${var.jenkins_war.war_version}/jenkins.war"
+        destination = "alloc/jenkins/jenkins.war"
+        mode        = "file"
+        options {
+          checksum = "sha256:${var.jenkins_war.war_sha256}"
+        }
       }
+
+      template {
+        data        = file("jenkins.yml.tmpl")
+        destination = "alloc/data/jenkins.yml"
+        change_mode = "restart"
+      } // jenkins.yml template
     }
   }
 }
diff --git a/jenkins/jenkins.yml.tmpl b/jenkins/jenkins.yml.tmpl
@@ -0,0 +1,71 @@
+{{ with secret "hashiatho.me-v2/jenkins" }}
+---
+jenkins:
+  agentprotocols:
+    - "JNLP4-connect"
+    - "Ping"
+  numExecutors: 0
+  authorizationStrategy:
+    globalMatrix:
+      permissions:
+        - "Overall/Administer:{{ .Data.data.admin_username }}"
+
+  crumbIssuer:
+    strict:
+      checkSessionMatch: false
+  disableRememberMe: false
+  markdownFormatter: "plainText"
+  mode: NORMAL
+  myViewsTabBar: "standard"
+  nodeMonitors:
+    - diskSpaceMonitor:
+        freeSpaceThreshold: "1GB"
+    - tmpSpace:
+        freeSpaceThreshold: "1GB"
+  remotingSecurity:
+    enabled: true
+  systemMessage: "This the best ever message"
+  slaveAgentPort: ${NOMAD_PORT_agent}
+  securityRealm:
+    local:
+      allowsSignup: false
+      users:
+        - id: "{{ .Data.data.admin_username }}"
+          password: "{{ .Data.data.admin_password }}"
+  clouds:
+    - nomad:
+        clientPassword: ""
+        name: "nomad"
+        nomadUrl: "http://nomad.service.consul:4646"
+        prune: true
+        serverPassword: ""
+        tlsEnabled: false
+        workerTimeout: 1
+
+security:
+  apiToken:
+    creationOfLegacyTokenEnabled: false
+    tokenGenerationOnCreationEnabled: false
+    usageStatisticsEnabled: true
+  globalJobDslSecurityConfiguration:
+    useScriptSecurity: true
+  sSHD:
+    port: -1
+unclassified:
+  prometheusConfiguration:
+    appendParamLabel: true
+    appendStatusLabel: true
+    collectDiskUsage: true
+    collectingMetricsPeriodInSeconds: 60
+    countAbortedBuilds: true
+    countFailedBuilds: true
+    countNotBuiltBuilds: true
+    countSuccessfulBuilds: true
+    countUnstableBuilds: true
+    defaultNamespace: "default"
+    fetchTestResults: true
+    jobAttributeName: "jenkins_job"
+    path: "prometheus"
+    processingDisabledBuilds: false
+    useAuthenticatedEndpoint: false
+{{ end }}