authorAlex Auvolat <alex@adnab.me>2022-10-16 18:12:57 +0200
committerAlex Auvolat <alex@adnab.me>2022-10-16 18:12:57 +0200
commit5613ed99086618b91441d84620bdbe27a94ad1d2 (patch)
tree304f247c4099a430a29f6d44f5f41172a2c50a7d /cluster/prod/app/telemetry/config
parent42409de1b1638f5d935831dc66ddff9a1d9ba29d (diff)
Complete telemetry configuration
Diffstat (limited to 'cluster/prod/app/telemetry/config')
-rw-r--r--cluster/prod/app/telemetry/config/grafana-ldap.toml49
-rw-r--r--cluster/prod/app/telemetry/config/prometheus.yml24
2 files changed, 73 insertions, 0 deletions
diff --git a/cluster/prod/app/telemetry/config/grafana-ldap.toml b/cluster/prod/app/telemetry/config/grafana-ldap.toml
new file mode 100644
index 0000000..31cf18a
--- /dev/null
+++ b/cluster/prod/app/telemetry/config/grafana-ldap.toml
@@ -0,0 +1,49 @@
+[[servers]]
+# Ldap server host (specify multiple hosts space separated)
+host = "bottin.service.prod.consul"
+# Default port is 389 or 636 if use_ssl = true
+port = 389
+# Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS)
+use_ssl = false
+# If set to true, use LDAP with STARTTLS instead of LDAPS
+start_tls = false
+# set to true if you want to skip SSL cert validation
+ssl_skip_verify = false
+# set to the path to your root CA certificate or leave unset to use system defaults
+# root_ca_cert = "/path/to/certificate.crt"
+# Authentication against LDAP servers requiring client certificates
+# client_cert = "/path/to/client.crt"
+# client_key = "/path/to/client.key"
+
+# Search user bind dn
+bind_dn = "cn=grafana,ou=services,ou=users,dc=deuxfleurs,dc=fr"
+# Search user bind password
+# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
+bind_password = "{{ key "secrets/telemetry/grafana/grafana_ldap_password" | trimSpace }}"
+
+# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
+# Allow login from email or username, example "(|(sAMAccountName=%s)(userPrincipalName=%s))"
+search_filter = "(cn=%s)"
+
+# An array of base dns to search through
+search_base_dns = ["ou=users,dc=deuxfleurs,dc=fr"]
+
+# group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
+# group_search_filter_user_attribute = "distinguishedName"
+# group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
+
+[[servers.group_mappings]]
+group_dn = "cn=admin,ou=groups,dc=deuxfleurs,dc=fr"
+org_role = "Admin"
+grafana_admin = true
+
+[[servers.group_mappings]]
+group_dn = "*"
+org_role = "Viewer"
+
+# Specify names of the LDAP attributes your LDAP uses
+[servers.attributes]
+member_of = "memberof"
+email = "mail"
+username = "cn"
+uid = "cn"
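Review bot: With `use_ssl = false` and `start_tls = false` on port 389, Grafana's service bind (`bind_password`) and every user's login password travel to `bottin.service.prod.consul` in cleartext, unless the path between the two is encrypted by something this file does not show. If the directory server offers TLS, set `use_ssl = true` with `start_tls = true` (or LDAPS on 636), keep `ssl_skip_verify = false`, and point `root_ca_cert` at the cluster CA. Separately, the `group_dn = "*"` mapping gives Viewer to every account under `ou=users` that can authenticate, so a one-line comment saying this is intended would help the next reader.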
diff --git a/cluster/prod/app/telemetry/config/prometheus.yml b/cluster/prod/app/telemetry/config/prometheus.yml
index 42d438c..a52b64d 100644
--- a/cluster/prod/app/telemetry/config/prometheus.yml
+++ b/cluster/prod/app/telemetry/config/prometheus.yml
@@ -41,3 +41,27 @@ scrape_configs:
ca_file: /etc/prometheus/consul.crt
cert_file: /etc/prometheus/consul-client.crt
key_file: /etc/prometheus/consul-client.key
+
+ # see https://prometheus.io/docs/prometheus/latest/configuration/configuration/#static_config
+ # and https://www.nomadproject.io/api-docs/metrics
+ # and https://learn.hashicorp.com/tutorials/nomad/prometheus-metrics
+ # dashboard at https://grafana.com/grafana/dashboards/3800
+ - job_name: 'nomad'
+ scrape_interval: 10s
+ metrics_path: "/v1/metrics"
+ params:
+ format: ['prometheus']
+ scheme: 'https'
+ tls_config:
+ ca_file: /etc/prometheus/nomad.crt
+ cert_file: /etc/prometheus/nomad-client.crt
+ key_file: /etc/prometheus/nomad-client.key
+ insecure_skip_verify: true
+ consul_sd_configs:
+ - server: 'https://localhost:8501'
+ services:
+ - 'nomad-client'
+ tls_config:
+ ca_file: /etc/prometheus/consul.crt
+ cert_file: /etc/prometheus/consul-client.crt
+ key_file: /etc/prometheus/consul-client.key
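Review bot: `insecure_skip_verify: true` in the nomad job's `tls_config` turns off server certificate checking, so the `ca_file` above it is not used to authenticate the target and the scrape will accept any host that answers on the address Consul returns for `nomad-client`. If the flag is there because the discovered address does not match the name in Nomad's certificate (an assumption, the hunk does not say), setting `server_name` to the certificate's name, e.g. `server_name: 'client.<region>.nomad'`, lets verification stay on. If the flag has to stay, add a comment next to it explaining why. The nested `consul_sd_configs` TLS block in the same job has no such flag and verifies normally.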