Add telegraf_output selector for InfluxDB/Postgres dual-write

Introduces global.telegraf_output (INFLUXDB|POSTGRES|BOTH, default BOTH) so Telegraf can write metrics to Postgres alongside or instead of InfluxDB. Each minion authenticates with its own so_telegraf_<minion> role and writes to a matching schema inside a shared so_telegraf database, keeping blast radius per-credential to that minion's data. - Per-minion credentials auto-generated and persisted in postgres/auth.sls - postgres/telegraf_users.sls reconciles roles/schemas on every apply - Firewall opens 5432 only to minion hostgroups when Postgres output is active - Reactor on salt/auth + orch/telegraf_postgres_sync.sls provision new minions automatically on key accept - soup post_to_3.1.0 backfills users for existing minions on upgrade - so-show-stats prints latest CPU/mem/disk/load per minion for sanity checks - so-telegraf-trim + nightly cron prune rows older than postgres.telegraf.retention_days (default 14)
2026-05-11 05:40:32 +02:00 · 2026-04-15 14:32:10 -04:00
parent 9ccd0acb4f
commit cefbe01333
17 changed files with 440 additions and 2 deletions
@@ -362,7 +362,8 @@ preupgrade_changes() {
    # This function is to add any new pillar items if needed.
    echo "Checking to see if changes are needed."

-    [[ "$INSTALLEDVERSION" =~ ^2\.4\.21[0-9]+$ ]] && up_to_3.0.0   
+    [[ "$INSTALLEDVERSION" =~ ^2\.4\.21[0-9]+$ ]] && up_to_3.0.0
+    [[ "$INSTALLEDVERSION" =~ ^3\.0\.[0-9]+$ ]] && up_to_3.1.0
    true
 }

@@ -371,6 +372,7 @@ postupgrade_changes() {
    echo "Running post upgrade processes."

    [[ "$POSTVERSION" =~ ^2\.4\.21[0-9]+$ ]] && post_to_3.0.0
+    [[ "$POSTVERSION" =~ ^3\.0\.[0-9]+$ ]] && post_to_3.1.0
    true
 }

@@ -469,6 +471,27 @@ post_to_3.0.0() {

 ### 3.0.0 End ###

+### 3.1.0 Start ###
+
+up_to_3.1.0() {
+  INSTALLEDVERSION=3.1.0
+}
+
+post_to_3.1.0() {
+  # Provision per-minion Telegraf Postgres users for every minion known to the
+  # manager. postgres.auth iterates manage.up to generate any missing passwords;
+  # postgres.telegraf_users reconciles the roles and schemas inside the so-postgres
+  # container. Then push a telegraf state to every minion so their telegraf.conf
+  # picks up the new credentials on the first apply after soup.
+  echo "Provisioning Telegraf Postgres users for existing minions."
+  salt-call --local state.apply postgres.auth postgres.telegraf_users || true
+  salt '*' state.sls telegraf || true
+
+  POSTVERSION=3.1.0
+}
+
+### 3.1.0 End ###
+
 repo_sync() {
  echo "Sync the local repo."
  su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync."