Monitoring for Mikrotik devices

k8s/turingpi/apps/monitoring/grafana/app/helmrelease.yaml

@@ -124,6 +124,11 @@ spec:
           datasource:
             - { name: DS_PROMETHEUS, value: Prometheus }
             - { name: VAR_REPLICATIONDESTNAME, value: .*-dst }
+        mikrotik:
+          gnetId: 13679
+          revision: 22
+          datasource:
+            - { name: DS_PROMETHEUS, value: Prometheus }
     ingress:
       enabled: true
       ingressClassName: nginx

k8s/turingpi/apps/monitoring/kustomization.yaml

@@ -7,6 +7,7 @@ resources:
   - ./grafana/ks.yaml
   - ./kube-prometheus-stack/ks.yaml
   - ./loki/ks.yaml
+  - ./mktxp-exporter/ks.yaml
   - ./network-ups-tools/ks.yaml
   - ./nut-exporter/ks.yaml
   - ./prometheus-operator-crds/ks.yaml

k8s/turingpi/apps/monitoring/mktxp-exporter/app/helmrelease.yaml

@@ -0,0 +1,170 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: mktxp-exporter
+  namespace: monitoring
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: app-template
+      version: 3.5.1
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+      interval: 1m
+  values:
+    defaultPodOptions:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+        runAsGroup: 65534
+        fsGroup: 65534
+        fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
+    controllers:
+      mktxp-exporter:
+        replicas: 1
+        containers:
+          app:
+            image:
+              repository: ghcr.io/akpw/mktxp
+              tag: stable-20240821070725
+              pullPolicy: IfNotPresent
+            resources:
+              limits:
+                memory: 128Mi
+              requests:
+                cpu: 10m
+                memory: 32Mi
+            probes:
+              liveness:
+                enabled: true
+              readiness:
+                enabled: true
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop: ["ALL"]
+    service:
+      app:
+        controller: mktxp-exporter
+        ports:
+          metrics:
+            port: 49090
+            protocol: HTTP
+    serviceMonitor:
+      app:
+        serviceName: mktxp-exporter
+        endpoints:
+          - port: metrics
+    persistence:
+      config:
+        type: secret
+        name: mktxp-exporter-config
+        defaultMode: 0400
+        globalMounts:
+          - path: /mktxp
+    secrets:
+      config:
+        stringData:
+          mktxp.conf: |-
+            [CRS310]
+              hostname = 192.168.254.253
+
+            [default]
+              username = ${NET_MONITORING_USER}
+              password = ${NET_MONITORING_PASS}
+
+              enabled = True                  # turns metrics collection for this RouterOS device on / off
+              hostname = localhost            # RouterOS IP address
+              port = 8728                     # RouterOS IP Port
+
+              use_ssl = False                 # enables connection via API-SSL servis
+              no_ssl_certificate = False      # enables API_SSL connect without router SSL certificate
+              ssl_certificate_verify = False  # turns SSL certificate verification on / off   
+              plaintext_login = True          # for legacy RouterOS versions below 6.43 use False
+
+              installed_packages = True       # Installed packages
+              dhcp = True                     # DHCP general metrics
+              dhcp_lease = True               # DHCP lease metrics
+
+              connections = True              # IP connections metrics
+              connection_stats = False        # Open IP connections metrics 
+
+              interface = True                # Interfaces traffic metrics
+
+              route = True                    # IPv4 Routes metrics
+              pool = True                     # IPv4 Pool metrics
+              firewall = True                 # IPv4 Firewall rules traffic metrics
+              neighbor = True                 # IPv4 Reachable Neighbors
+
+              ipv6_route = False              # IPv6 Routes metrics    
+              ipv6_pool = False               # IPv6 Pool metrics
+              ipv6_firewall = False           # IPv6 Firewall rules traffic metrics
+              ipv6_neighbor = False           # IPv6 Reachable Neighbors
+
+              poe = True                      # POE metrics
+              monitor = True                  # Interface monitor metrics
+              netwatch = True                 # Netwatch metrics
+              public_ip = True                # Public IP metrics
+              wireless = True                 # WLAN general metrics
+              wireless_clients = True         # WLAN clients metrics
+              capsman = True                  # CAPsMAN general metrics
+              capsman_clients = True          # CAPsMAN clients metrics
+
+              lte = False                     # LTE signal and status metrics (requires additional 'test' permission policy on RouterOS v6) 
+              ipsec = False                   # IPSec active peer metrics
+              switch_port = False             # Switch Port metrics
+
+              kid_control_assigned = False    # Allow Kid Control metrics for connected devices with assigned users
+              kid_control_dynamic = False     # Allow Kid Control metrics for all connected devices, including those without assigned user
+
+              user = True                     # Active Users metrics
+              queue = True                    # Queues metrics
+
+              bgp = False                     # BGP sessions metrics
+              certificate = False             # Certificates metrics
+
+              remote_dhcp_entry = None        # An MKTXP entry to provide for remote DHCP info / resolution
+              remote_capsman_entry = None     # An MKTXP entry to provide for remote capsman info 
+
+              use_comments_over_names = True  # when available, forces using comments over the interfaces names
+              check_for_updates = False       # check for available ROS updates
+          _mktxp.conf: |-
+            ## Copyright (c) 2020 Arseniy Kuznetsov
+            ##
+            ## This program is free software; you can redistribute it and/or
+            ## modify it under the terms of the GNU General Public License
+            ## as published by the Free Software Foundation; either version 2
+            ## of the License, or (at your option) any later version.
+            ##
+            ## This program is distributed in the hope that it will be useful,
+            ## but WITHOUT ANY WARRANTY; without even the implied warranty of
+            ## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+
+
+            [MKTXP]
+                listen = '0.0.0.0:49090'         # Space separated list of socket addresses to listen to, both IPV4 and IPV6
+                socket_timeout = 5
+
+                initial_delay_on_failure = 120
+                max_delay_on_failure = 900
+                delay_inc_div = 5
+
+                bandwidth = False                # Turns metrics bandwidth metrics collection on / off    
+                bandwidth_test_interval = 600    # Interval for collecting bandwidth metrics
+                minimal_collect_interval = 5     # Minimal metric collection interval
+
+                verbose_mode = False             # Set it on for troubleshooting
+
+                fetch_routers_in_parallel = False   # Fetch metrics from multiple routers in parallel / sequentially 
+                max_worker_threads = 5              # Max number of worker threads that can fetch routers (parallel fetch only)
+                max_scrape_duration = 30            # Max duration of individual routers' metrics collection (parallel fetch only)
+                total_max_scrape_duration = 90      # Max overall duration of all metrics collection (parallel fetch only)
+
+                compact_default_conf_values = False  # Compact mktxp.conf, so only specific values are kept on the individual routers' level

k8s/turingpi/apps/monitoring/mktxp-exporter/app/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./helmrelease.yaml

k8s/turingpi/apps/monitoring/mktxp-exporter/ks.yaml

@@ -0,0 +1,25 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app mktxp-exporter
+  namespace: flux-system
+spec:
+  targetNamespace: monitoring
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./k8s/turingpi/apps/monitoring/mktxp-exporter/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: homelab
+  wait: true
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m
+  postBuild:
+    substituteFrom:
+      - kind: Secret
+        name: cluster-secrets

k8s/turingpi/flux/vars/cluster-secrets.enc.yaml

@@ -5,52 +5,54 @@ metadata:
   namespace: flux-system
 type: Opaque
 stringData:
-  RESTIC_REPOSITORY: ENC[AES256_GCM,data:w9HmrJn92Q6jVDqxSAewB/EL8ulNBxRiQPbj4Sx+oNKj4toAKUE85WEpQsVKzjFP+lW22Z4bqj8Ri4uF6M986Zk0Vml5/5VkO/r2IEiR2Pg=,iv:Q7Bd2o30+egEbnNa/0DZLfJiH6vcealm/rCgjPf7mZg=,tag:8PFn8NsuiukKKA2a6lcXJA==,type:str]
-  RESTIC_PASSWORD: ENC[AES256_GCM,data:PprJeE02DZdqCl4e5y8ocuMJSlMLK60HkePvmzJjtERpTflfl3CLfSHSQZg1tA2qBqaLGhc4sYIOwx4V2EGB,iv:tq45rdCHUwo6Y+UHjfVaenrZiYnsMw97KARDwC39Rzw=,tag:uXt7lnU2W6F59Efqrrkfag==,type:str]
-  AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:PfUozYFznYaJ+FJ6hx/bCsryEiUypI59z+GCNr6XfuY=,iv:6NX7m1To+2qsEycBkbxbgnvmGaCQUzlG4f8Jstc5ccE=,tag:9BVQrFjD0NOo6NS33sn5mQ==,type:str]
-  AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:CITPxaCghRUY0fdNcyOKYcJNpLa5170/tHRzjKaNF7sWmWDLbnDakBhDPnp7hEqVA7FBTYI8UuFuwmrSsd01tA==,iv:SQTMon6UO8rc9dRZd5ucNykcFg1E45ElMOyNp9Av9ok=,tag:dHchaEbDFAIfnsRkGSXsVQ==,type:str]
-  ACME_EMAIL: ENC[AES256_GCM,data:KdRx3ILkc5cmOtn+5bONtBlcQDI=,iv:Yc0ylL08dKj6ZErclCu1qXaH+meLkEeKGgMOQREGc7E=,tag:XKfFd4gEmZIHrJijCFvrNg==,type:str]
+  RESTIC_REPOSITORY: ENC[AES256_GCM,data:g/4vQJeDsKywvEVKKp1RVwNgS2o4gWMOcfAV6V5n/U4M0LhljHyCk6Nh1X8nYIG6S2XsgQ+/DTUnSGsmApgENSwUgeXw2r7TOsLVFSV0MNQ=,iv:6ubItIKURiSXU0L42FTybnYTNu8LukB1thBBpReh0Qw=,tag:PHe6eXbcAtO0qz+ubcShoQ==,type:str]
+  RESTIC_PASSWORD: ENC[AES256_GCM,data:tGbjnE4D87hSTvkU9A68MdGx2iMVjGVR9HxLPdZkc5xfinlL3bPbe8Nna+xeFTSsp9ihGs+EKv2detrXwt0U,iv:7cdW4/XaFEtaHiS8S08cLqOx6AAILmpAt4MaWkhG5uw=,tag:P/XOMubjP8QF7B4WWn3ofA==,type:str]
+  AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:sLY5LzWQjrffDZ/PoBtJAhw3h3E0nJtYFBtfgSgZaJY=,iv:UllxCdUmIFDw29+5kF6dyT52F6DbLymvwTFK8CPzEsg=,tag:gfZCAXOJNc8QgA73wz8A4g==,type:str]
+  AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:Pb+7cIYvpwKXSOMZUBsLMXEeF1yuWrE1Ks/bTyDXaOs1WNMMPCV+U9l7ibRfwDRdBQFdLCQ9gygv3kdHwDmmYA==,iv:ex8zj6biM0ekoa5hE4Blw4C+Zf1Q7n0MZO1hASF5Cf0=,tag:JbuMKzKgdXvqCFUK4TYbUw==,type:str]
+  ACME_EMAIL: ENC[AES256_GCM,data:ewmu94e+1xOXdWn5BHLOUmBaXrI=,iv:Hw1PlNPmC5AEt3iQG6G3ILEDA0JfReWQUowr+Cx0C14=,tag:I5wA1QrF/5FHIKkR1cMswA==,type:str]
+  NET_MONITORING_USER: ENC[AES256_GCM,data:A0O9dm8dCCoqjg==,iv:tkoQyUYcBKsU2dUMviYnBLemAgYn8J89z1P0wUS7xpU=,tag:C+jesOYpfAs2UwCl9AnBxQ==,type:str]
+  NET_MONITORING_PASS: ENC[AES256_GCM,data:sQ+cWn0pWUUmTSpPksAhv4DwbiE=,iv:ZDKoVWd7JqjtpDN+zTUILJWrCAwlXpSpijXoypyi2G4=,tag:dERUvca+eJPsV0oEE21HtQ==,type:str]
 sops:
   kms: []
   gcp_kms: []
   azure_kv: []
   hc_vault: []
   age: []
-  lastmodified: "2024-09-22T23:18:39Z"
-  mac: ENC[AES256_GCM,data:w7wfeSJy7so9iKSpEyFm/8RQp44bEYav/u5J+gakAigJlt3vIFXbA/NvCq+uo+GM/bocZvlOUtJDJgq4qBJy4nEDbmgvh7rLW5UzGowlUJAR9FXvaiyUWJlEjNzzC59UhICQOC4/TmVaYsRx8wZ92B26hJxiI4r9xNcLWASKkb0=,iv:9QXzKq4j1c6f173jnPntfF0cyN9R6p6y38nCunGHaT8=,tag:+vRE6ryjcuI7Q7kc1wZ8hw==,type:str]
+  lastmodified: "2024-10-20T04:19:15Z"
+  mac: ENC[AES256_GCM,data:8xV+hNHQqjR+/1DZbx7zIm5p1FliSNMDR1GgRwWMlA3dgtWrakSAi+uKuXMc41MUmrGOQAHqlYtPx7CIOr4+3Gtg5WgJwiqAP81hHetNQ9TSH+X8Ew5JsyLfxOx4Wn2Qwqlz5INcApoEQqS22OBiTtvtoWrrux8lPUleOEmybis=,iv:uWUvcAdGpRiAVYatA+RybyRj3x32Kh7caEBMfTiHjjk=,tag:GKBi/r7zBAJDri+chgONkw==,type:str]
   pgp:
-    - created_at: "2024-09-22T23:18:39Z"
+    - created_at: "2024-10-20T04:19:15Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hQIMA5DuDCLnNCw6ARAAz1NUtTXIAA2earlxAv7NFcHsC1ScjQKrHiKpSBNLw1d/
-        +mfJUyEcqEG48pQCrWXvlQS7k0sqlplhXHIMIy9igUCqjsdoWWsXzf3hzboAA5pr
-        VpqX+b9y7hNMkGQcGnrfI4va9Co95moavix/Lk0d/bHtFmz3vW7A0t6az7/xRZbm
-        tu8zbni+bPHK86id6lhaNsIfV70+JCBMs9d/hgmAVdK2o3/2C85z1BJmrXriO0dW
-        0rBzM1qLUevxMB8eCI0MNe1JF9Pl04q3g8KW3woc4DW6NTrDYtpj8SKqw38EGKhl
-        FfXYIfyGovy6EQ/cY167zpVvcPlByV2RW5sViug+K2uIPXWloilfU+izMR8cmZBD
-        /7/mw+KYpmYdgyKTt5bpRFMNmZrCLkLh5lRaopZBExmzVkVnMXT97tYXeT+6hQwo
-        tDrriGfCCdBPc7bUZ+tFqgK2bWNonj9uoEAdNhMBGCzGOCttlWejLOSzmZIyWOJ4
-        9k0gG3Ms7m/BKquW4OzSc+n4OvAaGYxUGkjvIH/00EAjInwb+mrt3J5I/LyLn/ge
-        HJWZJm8mWoXCdqBeGzpRcqArJLBJuAc7UrNnpEjZl5XsTFgNSh50lBnbp3Y5go3r
-        Y7R6TV5iQwKSngwbkCDzlDpw/7BwGe+K3WjQcSYTzflyOrVztwnZjLfy1NSVnMfU
-        aAEJAhCECPy2HHC/m+LmEYeNAVrCH7ow2CPAfy223xFO7je4vPCJ4gHQUlsRNN4v
-        3cb5wzTPGeJAwjDsus1W3RjXGT4M7jKyFSrm0Zm37aegiUKXIS5DhXgJsmtMEY+T
-        qT8/RR1H295Z
-        =n6Ty
+        hQIMA5DuDCLnNCw6ARAAsVqfd1rkkr85S/SehqXVRSkoFAhOuGhPe/ZPO9MEZTAy
+        NDl3BPjNEmzmvUXaFqlPTyLeVedad4v4tCj+bP3lrtCpRek+5TbvRFGY6Sc6iu1a
+        8Z+rKJJukdFlFmZxEZmwPRu1u2N2QrNOfdRq9hPoLFvPEcsP8JlyE+TZOoGi7OSq
+        52kIBvA1Jy6FbBpvT1ZrAJT5A7B1WbXt0s6CQiM+D1J6+/28gYLIylbTt1gWR2Aa
+        3NUhG/BOBVORoMS70YzrHt9RlUs/371+Qnqf1su7wmvkl2bD3bxf26joB1n3Qhy0
+        deprjJgeF766VsUQrGllc+bt8lXHxfL3uM4FzaHs7BdublVgYVzh++sYmYK+q9NG
+        qpMP9Eyq+uSA1Qn62SGC5VhCCTasj8najgHFYcpkwFSTj+00xx1BRICIrtve1soN
+        Xyp8F28vukGOZmmbhKCdzPvWcSpzNnQeDHa8+z+L755cAEX5aVzd0LWErUnHKdr5
+        /A7gkSjbINCNNE+froDn/ecVKaTPdiR9epN3LJQ3zifJDJ8La68SIT7DmYznWaQF
+        iDTcKWCpqJ8GHmKiVAVj/I/+fJMWT493C+uVPa0tDROSu8Br3DPy3qqMATP7W2Py
+        mrtE5TUvykbVWBfCYU/Hrut5NPzGnhIdhoxu/P9Oz8QTGjYypheQZ2ZEzBfzWwvU
+        aAEJAhBLxZcujqhCueZZzjOgZdx2vIjc1N40+vO2q5s9RxyZfrqCbOkzHRKNB92U
+        z2/7ccVk9FcY5ndyQYF4mcIwFUnEdC4IhdB3VPD/T9xAJz6tOd6rbJkf5z/S5BXe
+        msQIZMZIgObi
+        =fJ/4
         -----END PGP MESSAGE-----
       fp: 050787E6CDC4F90636141B1D2C5BB181A0326054
-    - created_at: "2024-09-22T23:18:39Z"
+    - created_at: "2024-10-20T04:19:15Z"
       enc: |-
         -----BEGIN PGP MESSAGE-----
 
-        hF4DHfhkqE7LHSASAQdABZaS6xX426ORZ1icev2DHGvVIF0a7JK+yj34gy7icQcw
-        7bwnHNfDF6XxLinjN12+jrnihJswUMNXZwTU+8ZKtG7/BLfxFryC+M0nCJZfT4VA
-        1GgBCQIQUdAMijz9zB7MEnTGQJOe/rghwe17IhSvCfdpL6Vihxbs2wBWOTHU4gqI
-        v3m9wgPvL6RZ2EZixZ4BTj22lIQRqvu26tR4cqZCrBuPE4947+WEtdAJ1Roxr57V
-        DKzRdW6lG0Vl9Q==
-        =weAR
+        hF4DHfhkqE7LHSASAQdAuSwR+IZ7Nk5xAsB/he+OsZAPQd9m9abax0J0/6riMQsw
+        JmIWRN/Ekc4+0c6wsm+s2khAHdvnZYckbpDSSPKM90viGoArbtEXvEP7vzwLigwN
+        1GgBCQIQ6u9eYiBVlJ3fxT+H5bT5qK+Cyf1ER5zlCc1GcNwcZ1pBzmh6BeZfMD+H
+        SJjE4HxjlkP6vHIWUNzXQE/mF8o+2l164zugbjYfpA4s4mKLbuqwJKW9Bbox9v59
+        Q7oo9KT9Ubj4vw==
+        =xfjd
         -----END PGP MESSAGE-----
       fp: E39A9ADC5719F27F46267014C7339B5CD6A9FAB1
   encrypted_regex: ^(data|stringData)$
-  version: 3.9.0
+  version: 3.9.1