feat(deploy): Grafana infra alerts + blackbox cert probe + admin-alert wiring
Grafana: GF_SMTP from the shared relay (STARTTLS host:port) + alerting provisioning (contact point → SERVICE_EMAIL, route-all policy, and rules for scrape-target down, gateway internal-error rate + p99 latency, host mem/disk/cpu, postgres connections, and TLS cert < 20 days). All rules noDataState=OK so an absent metric never false-alerts. blackbox_exporter probes the edge caddy's TLS (probe_ssl_earliest_cert_expiry) — effective on prod (caddy terminates TLS; contour caddy is HTTP-only so the metric is absent). Wires the new env through compose (backend admin From/To, Grafana SMTP), ci.yaml (TEST_), prod-deploy (PROD_ + env.sh), .env.example and the README var table.
This commit is contained in:
@@ -23,3 +23,21 @@ scrape_configs:
|
||||
- job_name: node
|
||||
static_configs:
|
||||
- targets: ["node_exporter:9100"]
|
||||
# TLS certificate expiry of the edge caddy (probe_ssl_earliest_cert_expiry), for the
|
||||
# certificate-renewal-failure alert. Effective on prod, where caddy terminates TLS on
|
||||
# :443; on the test contour caddy is HTTP-only, so the probe finds nothing and the metric
|
||||
# is absent (the alert rule is absent-safe). The exporter probes the target passed as a
|
||||
# scrape parameter and answers on its own :9115.
|
||||
- job_name: blackbox_tls
|
||||
metrics_path: /probe
|
||||
params:
|
||||
module: [tls_cert]
|
||||
static_configs:
|
||||
- targets: ["caddy:443"]
|
||||
relabel_configs:
|
||||
- source_labels: [__address__]
|
||||
target_label: __param_target
|
||||
- source_labels: [__param_target]
|
||||
target_label: instance
|
||||
- target_label: __address__
|
||||
replacement: blackbox_exporter:9115
|
||||
|
||||
Reference in New Issue
Block a user