diff --git a/.env.sample b/.env.sample index 043e3d8..d3d4a9c 100644 --- a/.env.sample +++ b/.env.sample @@ -6,6 +6,11 @@ LETS_ENCRYPT_ENV=production COMPOSE_FILE="compose.yml" SECRET_RPC_SECRET_VERSION=v1 # length=64 charset=hex +SECRET_ADMIN_TOKEN_SECRET_VERSION=v1 # length=64 charset=hex +SECRET_METRICS_TOKEN_SECRET_VERSION=v1 # length=64 charset=hex + +#COMPOSE_FILE="$COMPOSE_FILE:compose.monitoring.yml" +#MONITORING_ENABLED=true # Changing the replication factor after initial deployment is not # supported and requires deleting the existing cluster layout metadata. diff --git a/README.md b/README.md index 4195d5c..64a623a 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# garage +# Garage > An open-source distributed object storage service tailored for selfhosting at a small-to-medium scale. 
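Review bot: The toggle added in the `.env.sample` hunk is `MONITORING_ENABLED`, which is also the name the `garage.toml.tmpl` hunk tests, but the README hunk in this commit tells operators to set `MONITORING` and shows `MONITORING="true"` in its snippet. An operator following the README would include `compose.monitoring.yml` and publish the `/metrics` router while the `[admin]` section is never rendered, so the route would presumably point at a port nothing is listening on. The README should say `MONITORING_ENABLED=true`, and a comment above the two commented lines here would help, e.g. `# Monitoring: uncomment BOTH lines below, then generate the new secrets`. The README snippet also lists `MONITORING_DOMAIN`, which this sample does not define.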
@@ -52,7 +52,35 @@ You can optionally add this alias to your `.bashrc` (or similar) file to avoid h ### Garage Quick Start Guide Once `garage status` works, you can follow the guide here: https://garagehq.deuxfleurs.fr/documentation/quick-start/#checking-that-garage-runs-correctly +## Monitoring +### Enabling + +By default monitoring is disabled and must be enabled in your config. + +To enable, set `MONITORING` to `true` and uncomment the line `#COMPOSE_FILE="$COMPOSE_FILE:compose.monitoring.yml"`. + +> If you've deployed garage before ver `0.0.2+v2.3.0` then you will need to add the following lines to your config: +> ``` +> MONITORING_DOMAIN=monitoring.garage.example.com +> SECRET_ADMIN_TOKEN_SECRET_VERSION=v1 # length=64 charset=hex +> SECRET_METRICS_TOKEN_SECRET_VERSION=v1 # length=64 charset=hex +> +> #COMPOSE_FILE="$COMPOSE_FILE:compose.monitoring.yml" +> MONITORING="true" +> ``` + +### Deploying + +Now, undeploy the service, generate the new secrets, and finally re-deploy: +``` +abra app undeploy +abra app secret generate --all +abra app deploy +``` +### Utilizing metrics + +Within your chosen monitoring software (ie. Telegraf, Prometheus, etc.), you'll need to make sure it interprets the correct scheme (https), and point it at /metrics as the monitoring endpoint. The secret you copied earlier called metrics_token will be used to authenticate the request. ## Backups diff --git a/compose.monitoring.yml b/compose.monitoring.yml new file mode 100644 index 0000000..ad1ae35 --- /dev/null +++ b/compose.monitoring.yml 
@@ -0,0 +1,25 @@ +--- +version: "3.8" + +services: + app: + secrets: + - source: metrics_token + mode: 0600 + - source: admin_token + mode: 0600 + deploy: + labels: + - "traefik.http.routers.${STACK_NAME}-metrics.rule=Host(`${DOMAIN}`) && Path(`/metrics`)" + - "traefik.http.routers.${STACK_NAME}-metrics.entrypoints=web-secure" + - "traefik.http.routers.${STACK_NAME}-metrics.tls.certresolver=${LETS_ENCRYPT_ENV}" + - "traefik.http.routers.${STACK_NAME}-metrics.service=${STACK_NAME}-metrics" + - "traefik.http.services.${STACK_NAME}-metrics.loadbalancer.server.port=3903" + +secrets: + admin_token: + name: ${STACK_NAME}_admin_token_${SECRET_ADMIN_TOKEN_SECRET_VERSION} + external: true + metrics_token: + name: ${STACK_NAME}_metrics_token_${SECRET_METRICS_TOKEN_SECRET_VERSION} + external: true diff --git a/compose.yml b/compose.yml index 967773e..a88a8a3 100644 --- a/compose.yml +++ b/compose.yml @@ -23,6 +23,7 @@ services: - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)" - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure" - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}" + - "traefik.http.routers.${STACK_NAME}.service=${STACK_NAME}" - "traefik.tcp.routers.${STACK_NAME}-rpc.rule=HostSNI(`*`)" - "traefik.tcp.routers.${STACK_NAME}-rpc.entrypoints=garage-rpc" - "traefik.tcp.services.${STACK_NAME}-rpc.loadbalancer.server.port=3901" diff --git a/garage.toml.tmpl b/garage.toml.tmpl index d54cc2f..caeb375 100644 --- a/garage.toml.tmpl +++ b/garage.toml.tmpl @@ -27,3 +27,11 @@ bootstrap_peers = [ s3_region = "garage" api_bind_addr = "[::]:3900" root_domain = ".s3.garage" + +{{ if eq (env "MONITORING_ENABLED") "true" }} +[admin] +api_bind_addr = "[::]:3903" +admin_token_file = "/run/secrets/admin_token" +metrics_require_token = true +metrics_token_file = "/run/secrets/metrics_token" +{{ end }} \ No newline at end of file
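Review bot: The metrics router rule in `compose.monitoring.yml` matches on `${DOMAIN}`, so the `MONITORING_DOMAIN` value the README asks operators to add is never read and `/metrics` is published on the same public host as the main router. If a dedicated hostname is intended, the rule should use `${MONITORING_DOMAIN}` in its `Host(...)` matcher; otherwise the variable should be dropped from the README. Port 3903 is also the admin API according to the `garage.toml.tmpl` hunk, and the exact `Path` match is the only thing keeping the rest of that API off the router, so I would add a comment above the rule: `# exact Path match on purpose: 3903 also serves the admin API, do not widen to PathPrefix`.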
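Review bot: The `[admin]` block in `garage.toml.tmpl` is gated on `env "MONITORING_ENABLED"`, but no hunk in this commit passes that variable to the `app` service, so unless `compose.yml` already forwards it the condition may never be true where the template is rendered. The block also depends on a second, separate switch: with `MONITORING_ENABLED=true` set but `compose.monitoring.yml` left out of `COMPOSE_FILE`, the two `*_token_file` paths under `/run/secrets/` are not mounted. Setting the variable inside `compose.monitoring.yml` itself, with `environment:` and `- MONITORING_ENABLED=true` under `app`, would tie both to the one override file so they cannot drift apart. The file also now ends without a trailing newline.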