Merge branch 'main' into podman-exporter-port

Signed-off-by: Juan Larriba <[email protected]>
openstack-k8s-operators · Feb 28, 2025 · 0f385ea · 0f385ea
2 parents 3b53762 + 34d7ee0
commit 0f385ea
Show file tree

Hide file tree

Showing 11 changed files with 177 additions and 25 deletions.
diff --git a/docs/source/roles/role-edpm_network_config.rst b/docs/source/roles/role-edpm_network_config.rst
@@ -19,6 +19,11 @@ This Ansible role does the following tasks:
   - Checks for the presence of required RPMS
   - Uses "provider" ifcfg/nmstate based on flag "edpm_network_config_nmstate"
 
+Note: By default this role will cleanup devices/interfaces not in
+"edpm_network_config_template". If there is requirement to keep them
+for pre-provisioned nodes, "edpm_network_config_nonconfigured_cleanup"
+ansible var can be set to "false".
+
 Here is an example playbook to run os-net-config tool:
 
 .. code-block:: YAML

diff --git a/roles/edpm_network_config/defaults/main.yml b/roles/edpm_network_config/defaults/main.yml
@@ -54,4 +54,4 @@ edpm_network_config_safe_defaults: true
 edpm_network_config_template: ""
 edpm_bond_interface_ovs_options: "bond_mode=active-backup"
 edpm_dns_search_domains: []
-edpm_network_config_nonconfigured_cleanup: false
+edpm_network_config_nonconfigured_cleanup: true
diff --git a/roles/edpm_network_config/meta/argument_specs.yml b/roles/edpm_network_config/meta/argument_specs.yml
@@ -82,4 +82,4 @@ argument_specs:
       edpm_network_config_nonconfigured_cleanup:
         type: bool
         description: "Cleanup network interfaces not in network config"
-        default: false
+        default: true
diff --git a/roles/edpm_nftables/tasks/configure.yml b/roles/edpm_nftables/tasks/configure.yml
@@ -145,18 +145,6 @@
         group: root
         mode: "0600"
 
-    - name: Create a sentinel file when nft rules are changed
-      ansible.builtin.file:
-        path: /etc/nftables/edpm-rules.nft.changed
-        state: touch
-        owner: root
-        group: root
-        mode: "0600"
-      when:
-        - nft_ruleset is defined
-        - nft_ruleset is changed
-
-
 # We cannot use the "validate" parameter from the "template" module, since
 # we don't load the chains before. So let's validate now, with all the things.
 # Remember, the "iptables" compat layout is already loaded at this point.

diff --git a/roles/edpm_nftables/tasks/run.yml b/roles/edpm_nftables/tasks/run.yml
@@ -26,22 +26,12 @@
 - name: Reload custom nftables ruleset files
   become: true
   block:
-    - name: Check if rules are changed
-      ansible.builtin.stat:
-        path: /etc/nftables/edpm-rules.nft.changed
-      register: nft_ruleset_changed
     - name: Reload ruleset
       ansible.builtin.shell: >-
         set -o pipefail;
         cat /etc/nftables/edpm-flushes.nft
         /etc/nftables/edpm-rules.nft
         /etc/nftables/edpm-update-jumps.nft | nft -f -
-      when: nft_ruleset_changed.stat.exists
       register: nft_reload_ruleset
       changed_when: nft_reload_ruleset.rc == 0
       failed_when: nft_reload_ruleset.rc != 0
-  always:
-    - name: Delete nft_ruleset_changed file
-      ansible.builtin.file:
-        path: /etc/nftables/edpm-rules.nft.changed
-        state: absent
diff --git a/roles/edpm_telemetry/defaults/main.yml b/roles/edpm_telemetry/defaults/main.yml
@@ -28,6 +28,8 @@ edpm_telemetry_node_exporter_image: quay.io/prometheus/node-exporter:v1.5.0
 edpm_telemetry_podman_exporter_image: quay.io/navidys/prometheus-podman-exporter:v1.10.1
 # Image to use for Ceilometer
 edpm_telemetry_ceilometer_compute_image: quay.io/podified-antelope-centos9/openstack-ceilometer-compute:current-podified
+# Image to use for openstack_network_exporter
+edpm_telemetry_openstack_network_exporter_image: quay.io/openstack-k8s-operators/openstack-network-exporter:latest
 # Certificates location for tls encryption
 edpm_telemetry_certs: "/var/lib/openstack/certs/{{ edpm_telemetry_service_name }}/default"
 # CA certs location for tls encryption
@@ -46,6 +48,7 @@ edpm_telemetry_healthcheck_sources:
   ceilometer_agent_compute: ceilometer_agent
   node_exporter: exporter
   podman_exporter: exporter
+  openstack_network_exporter: exporter
 #  kepler: exporter
 # If telemetry services should have health checks enabled
 edpm_telemetry_healthcheck: true
@@ -54,3 +57,4 @@ edpm_telemetry_enabled_exporters:
   - ceilometer_agent_compute
   - node_exporter
   - podman_exporter
+  - openstack_network_exporter
diff --git a/roles/edpm_telemetry/meta/argument_specs.yml b/roles/edpm_telemetry/meta/argument_specs.yml
@@ -31,6 +31,10 @@ argument_specs:
         type: "str"
         required: true
         description: "The name of the ceilometer compute podman image"
+      edpm_telemetry_openstack_network_exporter_image:
+        type: "str"
+        required: true
+        description: "The name of the openstack_network_exporter podman image"
       edpm_telemetry_config_src:
         type: "str"
         required: true

diff --git a/roles/edpm_telemetry/templates/firewall.yaml.j2 b/roles/edpm_telemetry/templates/firewall.yaml.j2
@@ -10,3 +10,8 @@
     proto: tcp
     dport:
      - "9882"
+- rule_name: 001 Allow openstack_network_exporter traffic
+  rule:
+    proto: tcp
+    dport:
+     - "9105"
diff --git a/roles/edpm_telemetry/templates/node_exporter.json.j2 b/roles/edpm_telemetry/templates/node_exporter.json.j2
@@ -2,13 +2,16 @@
     "image": "{{ edpm_telemetry_node_exporter_image }}",
     "restart": "always",
     "recreate": true,
+    "user": "root",
     "privileged": true,
     "ports": ["9100:9100"],
     "command": [
 {% if tls_cert_exists|bool %}
         "--web.config.file=/etc/node_exporter/node_exporter.yaml",
 {% endif %}
         "--web.disable-exporter-metrics",
+        "--collector.systemd",
+        "--collector.systemd.unit-include=(edpm_.*|ovs.*|openvswitch|virt.*|rsyslog)\\.service",
         "--no-collector.dmi",
         "--no-collector.entropy",
         "--no-collector.thermal_zone",
@@ -37,7 +40,8 @@
     "volumes": [
 {% if tls_cert_exists|bool %}
         "{{ edpm_telemetry_config_dest }}/node_exporter.yaml:/etc/node_exporter/node_exporter.yaml:z",
-        "{{ edpm_telemetry_certs }}:/etc/node_exporter/tls:z"
+        "{{ edpm_telemetry_certs }}:/etc/node_exporter/tls:z",
 {% endif %}
+        "/var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket:rw"
     ]
 }
diff --git a/roles/edpm_telemetry/templates/openstack_network_exporter.json.j2 b/roles/edpm_telemetry/templates/openstack_network_exporter.json.j2
@@ -0,0 +1,28 @@
+{
+    "image": "{{ edpm_telemetry_openstack_network_exporter_image }}",
+    "restart": "always",
+    "recreate": true,
+    "privileged": true,
+    "ports": ["9105:9105"],
+    "command": [],
+    "net": "host",
+    "environment": {
+        "OS_ENDPOINT_TYPE":"internal",
+        "OPENSTACK_NETWORK_EXPORTER_YAML":"/etc/openstack_network_exporter/openstack_network_exporter.yaml"
+    },
+{% if edpm_telemetry_healthcheck %}
+    "healthcheck": {
+        "test": "/openstack/healthcheck openstack-netwo",
+        "mount": "/var/lib/openstack/healthchecks/openstack_network_exporter"
+    },
+{% endif %}
+    "volumes": [
+        "{{ edpm_telemetry_config_dest }}/openstack_network_exporter.yaml:/etc/openstack_network_exporter/openstack_network_exporter.yaml:z",
+{% if tls_cert_exists|bool %}
+        "{{ edpm_telemetry_certs }}:/etc/openstack_network_exporter/tls:z",
+{% endif %}
+        "/var/run/openvswitch:/run/openvswitch:rw,z",
+        "/var/lib/openvswitch/ovn:/run/ovn:rw,z",
+        "/proc:/host/proc:ro"
+    ]
+}
diff --git a/roles/edpm_telemetry/templates/openstack_network_exporter.yaml.j2 b/roles/edpm_telemetry/templates/openstack_network_exporter.yaml.j2
@@ -0,0 +1,124 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) 2024 Robin Jarry
+#
+# This is the configuration file for OpenStack openstack-network-exporter. It is
+# written in the YAML format. The exporter will lookup the configuration file
+# at /etc/openstack-network-exporter.yaml by default. The path can be changed via
+# the OPENSTACK_NETWORK_EXPORTER_YAML environment variable.
+#
+# All settings have default values and some of them can be overriden via
+# environment variables as indicated in their description.
+
+---
+# Local addess and port to listen to for scraping HTTP requests. Can be
+# "127.0.0.1:<port>" or "[::1]:<port>" to limit to localhost. If address is
+# omited, listen on all addresses.
+#
+# Env: OPENSTACK_NETWORK_EXPORTER_HTTP_LISTEN
+# Default: ":1981"
+#
+http-listen: ":9105"
+
+# The HTTP path where to serve responses to prometheus scrapers.
+#
+# Env: OPENSTACK_NETWORK_EXPORTER_HTTP_PATH
+# Default: /metrics
+#
+#http-path: /metrics
+
+# The path to a TLS certificate to enable HTTPS support.
+#
+# Env: OPENSTACK_NETWORK_EXPORTER_TLS_CERT
+# Default: ""
+#
+{% if tls_cert_exists|bool %}
+tls-cert: "/etc/openstack_network_exporter/tls/tls.crt"
+{% endif %}
+
+# The path to a TLS certificate secret key to enable HTTPS support.
+#
+# Env: OPENSTACK_NETWORK_EXPORTER_TLS_KEY
+# Default: ""
+#
+{% if tls_cert_exists|bool %}
+tls-key: "/etc/openstack_network_exporter/tls/tls.key"
+{% endif %}
+
+# Space separated list of valid users and passwords. Leave empty to disable
+# authentication. Authentication will only be enforced when TLS is enabled.
+#
+# Example:
+#
+#   auth-users:
+#     - name: admin
+#       password: admin
+#     - name: foobar
+#       password: s3cr3t
+#     - name: johndoe
+#       password: p4ssw0rd
+#
+# Default: []
+#
+#auth-users: []
+
+# Overall log verbosity of the exporter.
+#
+# Supported levels are: debug info notice warning error critical
+#
+# Env: OPENSTACK_NETWORK_EXPORTER_LOG_LEVEL
+# Default: notice
+#
+log-level: info
+
+# The absolute path to the runtime directory of ovn-controller. This folder is
+# expected to contain the the ovn-controller pid file "ovn-controller.pid" and
+# its unixctl socket "ovn-controller.$pid.ctl".
+#
+# Env: OPENSTACK_NETWORK_EXPORTER_OVN_RUNDIR
+# Default: /run/ovn
+#
+
+# The absolute path to the runtime directory of openvswitch. This folder is
+# expected to contain the ovsdb-server socket endpoint "db.sock", the
+# "ovs-vswitchd.pid" file and each bridge openflow management sockets
+# "$bridge_name.mgmt".
+#
+# Env: OPENSTACK_NETWORK_EXPORTER_OVS_RUNDIR
+# Default: /run/openvswitch
+#
+#ovs-rundir: /run/openvswitch
+
+# The mount path of the procfs directory to search for the PID found in
+# ovs-vswitchd.pid. When running the exporter in a different PID namespace than
+# OVS, this will need to be changed to another folder.
+#
+# Env: OPENSTACK_NETWORK_EXPORTER_OVS_PROCDIR
+# Default: /proc
+#
+ovs-procdir: /host/proc
+
+# List of metric collectors to scrape and export. To list the available
+# collectors and the metrics they export, use "openstack-network-exporter -l". If
+# the list is empty (default) all collectors will be enabled.
+#
+# Default: []
+#
+#collectors: []
+#collectors:
+#  - bridge
+#  - counters
+# List of metric sets to export. This is cumulative with the collectors option.
+# The "openstack-network-exporter -l" flag will list all supported metrics along
+# with their set name. If the list is empty (default) all metrics from enabled
+# collectors will be exported.
+#
+# Supported sets are: base errors perf counters debug
+#
+# Default: [base, errors, perf, counters]
+#
+metric-sets:
+  - base
+  - errors
+  - perf
+  - counters
+  - debug