Update monitoring roles (#292)

* Add Grafana installation tasks and variables for RedHat and Rocky
* Refactor node_exporter service handling to reload and restart in a single task
* Add prometheus_scrape_targets option to configure scrape hosts in Prometheus
* Refactor Prometheus service management and set SELinux to permissive mode
* Update README and argument specs

Signed-off-by: rsuplina <[email protected]>

Author: rsuplina

roles/grafana/tasks/RedHat.yml

@@ -0,0 +1,24 @@
+# Copyright 2025 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+- name: Import Grafana GPG key
+  ansible.builtin.rpm_key:
+    state: present
+    key: "{{ grafana_gpg_key_url }}"
+
+- name: Install Grafana packages
+  ansible.builtin.yum:
+    name: "{{ grafana_tarball_url }}"
+    state: present

roles/grafana/tasks/Rocky.yml

@@ -0,0 +1,24 @@
+# Copyright 2025 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+- name: Import Grafana GPG key
+  ansible.builtin.rpm_key:
+    state: present
+    key: "{{ grafana_gpg_key_url }}"
+
+- name: Install Grafana packages
+  ansible.builtin.yum:
+    name: "{{ grafana_tarball_url }}"
+    state: present

roles/grafana/vars/RedHat.yml

@@ -0,0 +1,20 @@
+---
+
+# Copyright 2025 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+grafana_tarball_url: https://dl.grafana.com/oss/release/grafana-10.2.3-1.x86_64.rpm
+grafana_gpg_key_url: https://rpm.grafana.com/gpg.key
+
+grafana_service: grafana-server

roles/grafana/vars/Rocky.yml

@@ -0,0 +1,20 @@
+---
+
+# Copyright 2025 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+grafana_tarball_url: https://dl.grafana.com/oss/release/grafana-10.2.3-1.x86_64.rpm
+grafana_gpg_key_url: https://rpm.grafana.com/gpg.key
+
+grafana_service: grafana-server

roles/nodeexporter/handlers/main.yml

@@ -13,14 +13,10 @@
 # limitations under the License.
 
 ---
-- name: Start node_exporter service
-  block:
-    - name: Reload systemd daemon
-      ansible.builtin.systemd:
-        daemon_reload: true
-
-    - name: Enable and start node_exporter service
-      ansible.builtin.systemd:
-        name: node_exporter
-        state: started
-        enabled: true
+- name: Reload and restart node_exporter
+  become: true
+  ansible.builtin.systemd:
+    name: node_exporter
+    daemon_reload: true
+    state: restarted
+    enabled: true

roles/nodeexporter/tasks/main.yml

@@ -59,4 +59,4 @@
     src: node_exporter.service.j2
     dest: "{{ node_exporter_service_directory }}"
     mode: "0755"
-  notify: Start node_exporter service
+  notify: Reload and restart node_exporter

roles/prometheus/README.md

@@ -9,6 +9,7 @@ The role will:
 - Create necessary directories for Prometheus configuration (`/etc/prometheus`) and TSDB storage (`/var/lib/prometheus`).
 - Download the Prometheus distribution tarball.
 - Extract the Prometheus binary and related files to the installation directory.
+- Set SELinux to permissive mode on the target host.
 - Install a basic `prometheus.yml` configuration file.
 - Set up a `systemd` service for Prometheus.
 - Enable and start the Prometheus service, ensuring it runs on system boot.
@@ -33,6 +34,7 @@ None.
 | `prometheus_user` | `str` | `False` | `prometheus` | Prometheus service user. |
 | `prometheus_group` | `str` | `False` | `prometheus` | Prometheus service group. |
 | `prometheus_service_directory` | `path` | `False` | `/etc/systemd/system/prometheus.service` | Prometheus Systemd service directory (full path to the service file). |
+| `prometheus_scrape_targets` | `list` | `False` | `["localhost"]` | List of hosts to scrape with node_exporter. |
 
 # Example Playbook
 

roles/prometheus/handlers/main.yml

@@ -13,19 +13,9 @@
 # limitations under the License.
 
 ---
-- name: Enable Prometheus
-  block:
-    - name: Reload systemd daemon
-      ansible.builtin.systemd:
-        daemon_reload: true
-
-    - name: Enable and start Prometheus service
-      ansible.builtin.systemd:
-        name: prometheus
-        state: started
-        enabled: true
-
-- name: Restart Prometheus
-  ansible.builtin.service:
+- name: Manage Prometheus Service
+  ansible.builtin.systemd:
     name: prometheus
+    daemon_reload: true
     state: restarted
+    enabled: true

roles/prometheus/meta/argument_specs.yml

@@ -18,6 +18,7 @@ argument_specs:
     short_description: Install Prometheus.
     description:
       - Install Prometheus from the distribution archive file.
+      - Set up SELinux to permissive mode (to ensure Prometheus can run without policy restrictions).
       - Set up the local time-series database.
       - Set up the service user and group.
       - Install a basic configuration.
@@ -59,3 +60,10 @@ argument_specs:
         type: path
         required: false
         default: /etc/systemd/system/prometheus.service
+      prometheus_scrape_targets:
+        description: List of hosts to scrape with node_exporter
+        type: list
+        elements: str
+        required: false
+        default:
+          - "localhost"

roles/prometheus/tasks/main.yml

@@ -13,6 +13,11 @@
 # limitations under the License.
 
 ---
+- name: Set SELinux to permissive mode
+  ansible.posix.selinux:
+    policy: targeted
+    state: permissive
+
 - name: Create Prometheus directory
   ansible.builtin.file:
     path: "{{ prometheus_directory }}"
@@ -69,11 +74,11 @@
     src: prometheus.service.j2
     dest: "{{ prometheus_service_directory }}"
     mode: "0755"
-  notify: Enable Prometheus
+  notify: Manage Prometheus Service
 
 - name: Update Prometheus configuration
   ansible.builtin.template:
     src: prometheus.yml.j2
     dest: /etc/prometheus/prometheus.yml
     mode: "0755"
-  notify: Restart Prometheus
+  notify: Manage Prometheus Service