Configure Alloy (#97)

nelsonkopliku · web-flow · commit 449cfb40a5fe · 2026-02-10T14:12:25.000+01:00
* Add Prometheus configuration params

* Add task to generate alloy config

* Add agent cleanup tasks

* Make ansible lint happy

* Improve template conditionals to not render empty lines

* Improve variable docs
diff --git a/README.adoc b/README.adoc
@@ -687,6 +687,46 @@ per-role basis if appropriate.
   base64 string | false
 |===
 
+The following variables drive the monitoring tooling on an agent host.
+
+More detailed info about usage and defaults available link:https://github.com/trento-project/agent/blob/main/packaging/config/agent.yaml[here].
+
+[width="100%",cols="10%,47%,43%",options="header",]
+|===
+|Name | Description | Default
+
+| agent_prometheus_mode | 
+  Whether to use Prometheus in "pull" mode with prometheus node exporters or in "push" mode with grafana alloy. | 
+  If unspecified it resolves to "pull" for SLES \<= 15.7 and "pull" for SLES 16 and above.
+
+| agent_prometheus_exporter_name | 
+  Exporter name used in host discovery. | 
+  "node_exporter" in case of prometheus "pull" mode, "grafana_alloy" in case of "push" mode.
+
+| agent_prometheus_node_exporter_target | 
+  The target address of the node exporter to scrape metrics from, in case `agent_prometheus_mode` is set to "pull". | 
+  Defaults to the lowest discovered IP address with a default port number (9100).
+
+| agent_prometheus_remote_write_url | The remote write URL of the Prometheus server, in case `agent_prometheus_mode` is set to "push". | currently undefined. Needs to be improved for autodiscovery
+
+| agent_prometheus_scrape_interval | Scrape interval for Prometheus to scrape the node exporter, in case `agent_prometheus_mode` is set to "push". | "15s"
+
+| agent_prometheus_auth | Authentication method when pushing metrics to Prometheus, in case `agent_prometheus_mode` is set to "push". One of: "none", "basic", "bearer", "mtls" | "bearer"
+
+| agent_prometheus_auth_bearer_token | Bearer token used when `agent_prometheus_auth` is set to "bearer". Required if `agent_prometheus_auth` is set to "bearer" | ""
+
+| agent_prometheus_auth_username | Username used when `agent_prometheus_auth` is set to "basic". Required if `agent_prometheus_auth` is set to "basic". | ""
+
+| agent_prometheus_auth_password | Password used when `agent_prometheus_auth` is set to "basic". Required if `agent_prometheus_auth` is set to "basic". | ""
+
+| agent_prometheus_tls_ca_cert | CA certificate used to verify the TLS certificate of the Prometheus server, in case `agent_prometheus_mode` is set to "push" and the Prometheus server uses TLS. This is required when the Prometheus server TLS certificate is signed by a non-public CA. | ""
+
+| agent_prometheus_tls_client_cert | Client certificate used for mTLS authentication when `agent_prometheus_auth` is set to "mtls". Required if `agent_prometheus_auth` is set to "mtls". | ""
+
+| agent_prometheus_tls_client_key | Client key used for mTLS authentication when `agent_prometheus_auth` is set to "mtls". Required if `agent_prometheus_auth` is set to "mtls". | ""
+
+|===
+
 *Postgres role*
 
 [width="100%",cols="16%,57%,27%",options="header",]
diff --git a/cleanup-agents.yml b/cleanup-agents.yml
@@ -0,0 +1,10 @@
+# code: language=ansible
+---
+- name: Clean up trento components
+  hosts: agents
+  become: true
+  tasks:
+    - name: Clean up Trento Agents
+      ansible.builtin.import_role:
+        name: agent
+        tasks_from: cleanup
diff --git a/roles/agent/defaults/main.yml b/roles/agent/defaults/main.yml
@@ -9,3 +9,21 @@ agent_rabbitmq_vhost: "{{ rabbitmq_vhost | default(trento_rabbitmq_vhost) }}" #
 agent_install_monitoring_dep: true
 agent_server_ca_cert: "{{ undef() }}"
 agent_server_ca_cert_as_base64: false
+# See https://github.com/trento-project/agent/blob/main/packaging/config/agent.yaml for more details about the following variables
+agent_prometheus_mode: ""
+agent_prometheus_exporter_name: ""
+# pull mode specific variables
+agent_prometheus_node_exporter_target: ""
+# push mode specific variables
+agent_prometheus_scrape_interval: ""
+agent_prometheus_remote_write_url: ""
+agent_prometheus_auth: ""
+# when auth is bearer - default
+agent_prometheus_auth_bearer_token: ""
+# when auth is basic
+agent_prometheus_auth_username: ""
+agent_prometheus_auth_password: ""
+# TLS/mTLS related variables
+agent_prometheus_tls_ca_cert: ""
+agent_prometheus_tls_client_cert: ""
+agent_prometheus_tls_client_key: ""
diff --git a/roles/agent/handlers/main.yml b/roles/agent/handlers/main.yml
@@ -5,16 +5,14 @@
     name: trento-agent
     state: restarted
 
-- name: Start Prometheus node_exporter service
+- name: Restart Prometheus node_exporter service
   ansible.builtin.service:
     name: prometheus-node_exporter
     state: restarted
     enabled: true
-  when: agent_host_pre_16
 
-- name: Start Alloy service
+- name: Restart Alloy service
   ansible.builtin.service:
     name: alloy
     state: restarted
     enabled: true
-  when: agent_host_post_16
diff --git a/roles/agent/tasks/cleanup.yml b/roles/agent/tasks/cleanup.yml
@@ -0,0 +1,15 @@
+# code: language=ansible
+---
+- name: Stop and disable trento-agent service
+  ansible.builtin.service:
+    name: trento-agent
+    state: stopped
+    enabled: false
+
+- name: Remove trento alloy configuration
+  ansible.builtin.file:
+    path: "/etc/alloy/trento.alloy"
+    state: absent
+  when: agent_prometheus_mode_push
+  notify:
+    - Restart Alloy service
diff --git a/roles/agent/tasks/main.yml b/roles/agent/tasks/main.yml
@@ -43,14 +43,37 @@
   community.general.zypper:
     name: golang-github-prometheus-node_exporter
     state: latest
-  when: agent_install_monitoring_dep and agent_host_pre_16
+  when: agent_install_monitoring_dep and agent_prometheus_mode_pull
   notify:
-    - Start Prometheus node_exporter service
+    - Restart Prometheus node_exporter service
 
-- name: Install 'alloy' on SLES 16 and later
-  community.general.zypper:
-    name: alloy
-    state: latest
-  when: agent_install_monitoring_dep and agent_host_post_16
+- name: Install and configure alloy on SLES 16 and later
+  when: agent_install_monitoring_dep and agent_prometheus_mode_push
   notify:
-    - Start Alloy service
+    - Restart Alloy service
+  block:
+    - name: Install 'alloy'
+      community.general.zypper:
+        name: alloy
+        state: latest
+
+    - name: Get alloy configuration output from the agent
+      ansible.builtin.command: trento-agent generate alloy
+      register: __agent_alloy_config_result
+      changed_when: false
+
+    - name: Generate trento alloy configuration
+      ansible.builtin.blockinfile:
+        path: "/etc/alloy/trento.alloy"
+        block: "{{ __agent_alloy_config_result.stdout }}"
+        marker: "// {mark} TRENTO CONFIGURATION - ANSIBLE MANAGED"
+        mode: "0644"
+        create: true
+        backup: true
+
+    - name: Append trento alloy configuration
+      ansible.builtin.replace:
+        path: "/etc/sysconfig/alloy"
+        regexp: '^CONFIG_FILE=".*"$'
+        replace: 'CONFIG_FILE="/etc/alloy/"'
+        backup: true
diff --git a/roles/agent/templates/agent.conf.j2 b/roles/agent/templates/agent.conf.j2
@@ -3,3 +3,38 @@
 server-url: {{ agent_trento_server_url }}
 api-key: {{ agent_web_api_key }}
 facts-service-url: {{ agent_amqp_protocol }}://{{ agent_rabbitmq_username }}:{{ agent_rabbitmq_password }}@{{ agent_rabbitmq_host }}/{{ agent_rabbitmq_vhost | urlencode | replace('/', '%2F') }}
+
+prometheus-mode: {{ agent_resolved_prometheus_mode }}
+{% if agent_prometheus_exporter_name is truthy -%}
+prometheus-exporter-name: {{ agent_prometheus_exporter_name }}
+{% endif -%}
+{% if agent_resolved_prometheus_node_exporter_target is truthy -%}
+prometheus-node-exporter-target: {{ agent_resolved_prometheus_node_exporter_target }}
+{% endif -%}
+{% if agent_resolved_prometheus_scrape_interval is truthy -%}
+prometheus-scrape-interval: {{ agent_resolved_prometheus_scrape_interval }}
+{% endif -%}
+{% if agent_resolved_prometheus_remote_write_url is truthy -%}
+prometheus-url: {{ agent_resolved_prometheus_remote_write_url }}
+{% endif -%}
+{% if agent_resolved_prometheus_auth is truthy -%}
+prometheus-auth: {{ agent_resolved_prometheus_auth }}
+{% endif -%}
+{% if agent_resolved_prometheus_auth_bearer_token is truthy -%}
+prometheus-auth-bearer-token: {{ agent_resolved_prometheus_auth_bearer_token }}
+{% endif -%}
+{% if agent_resolved_prometheus_auth_username is truthy -%}
+prometheus-auth-username: {{ agent_resolved_prometheus_auth_username }}
+{% endif -%}
+{% if agent_resolved_prometheus_auth_password is truthy -%}
+prometheus-auth-password: {{ agent_resolved_prometheus_auth_password }}
+{% endif -%}
+{% if agent_resolved_prometheus_tls_ca_cert is truthy -%}
+prometheus-tls-ca-cert: {{ agent_resolved_prometheus_tls_ca_cert }}
+{% endif -%}
+{% if agent_resolved_prometheus_tls_client_cert is truthy -%}
+prometheus-tls-client-cert: {{ agent_resolved_prometheus_tls_client_cert }}
+{% endif -%}
+{% if agent_resolved_prometheus_tls_client_key is truthy -%}
+prometheus-tls-client-key: {{ agent_resolved_prometheus_tls_client_key }}
+{% endif -%}
diff --git a/roles/agent/vars/main.yml b/roles/agent/vars/main.yml
@@ -1,3 +1,19 @@
 ---
 agent_host_pre_16: "{{ ansible_distribution_version is version('15.7', '<=') | bool }}"
 agent_host_post_16: "{{ ansible_distribution_version is version('16.0', '>=') | bool }}"
+agent_resolved_prometheus_mode: "{{ agent_prometheus_mode | default(agent_host_pre_16 | ternary('pull', 'push'), true) }}"
+agent_prometheus_mode_pull: "{{ agent_resolved_prometheus_mode == 'pull' }}"
+agent_prometheus_mode_push: "{{ agent_resolved_prometheus_mode == 'push' }}"
+agent_resolved_prometheus_node_exporter_target: "{{ agent_prometheus_mode_pull | ternary(agent_prometheus_node_exporter_target, '') }}"
+agent_resolved_prometheus_scrape_interval: "{{ agent_prometheus_mode_push | ternary(agent_prometheus_scrape_interval, '') }}"
+
+__agent_discovered_prometheus_remote_write_url: "{{ agent_prometheus_remote_write_url | default('http://{}:{}{}'.format(trento_server_name, 9090, '/api/v1/write'), true) }}"
+agent_resolved_prometheus_remote_write_url: "{{ agent_prometheus_mode_push | ternary(__agent_discovered_prometheus_remote_write_url, '') }}"
+
+agent_resolved_prometheus_auth: "{{ agent_prometheus_mode_push | ternary(agent_prometheus_auth, '') }}"
+agent_resolved_prometheus_auth_bearer_token: "{{ agent_prometheus_mode_push | ternary(agent_prometheus_auth_bearer_token, '') }}"
+agent_resolved_prometheus_auth_username: "{{ agent_prometheus_mode_push | ternary(agent_prometheus_auth_username, '') }}"
+agent_resolved_prometheus_auth_password: "{{ agent_prometheus_mode_push | ternary(agent_prometheus_auth_password, '') }}"
+agent_resolved_prometheus_tls_ca_cert: "{{ agent_prometheus_mode_push | ternary(agent_prometheus_tls_ca_cert, '') }}"
+agent_resolved_prometheus_tls_client_cert: "{{ agent_prometheus_mode_push | ternary(agent_prometheus_tls_client_cert, '') }}"
+agent_resolved_prometheus_tls_client_key: "{{ agent_prometheus_mode_push | ternary(agent_prometheus_tls_client_key, '') }}"
