feat: add web tls config

2021-05-29 17:52:24 +02:00 · 2021-05-29 17:52:24 +02:00 · fd59ad7165
commit fd59ad7165
parent cc064da1f1
8 changed files with 105 additions and 14 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -16,13 +16,21 @@ prometheus_read_only_dirs: []

 prometheus_web_bind_ip: 127.0.0.1
 prometheus_web_bind_port: 9090
-prometheus_web_external_url: ""
+prometheus_web_external_url: "http://localhost:9090/"

-# @var prometheus_web_config:description: See official [documentation](https://github.com/prometheus/exporter-toolkit/blob/master/docs/web-configuration.md).
-prometheus_web_config:
-  tls_server_config: {}
-  http_server_config: {}
-  basic_auth_users: {}
+prometheus_web_tls_enabled: False
+prometheus_web_tls_cert_path: "{{ prometheus_base_dir }}/tls/certs/mycert.pem"
+prometheus_web_tls_key_path: "{{ prometheus_base_dir }}/tls/private/mykey.pem"
+prometheus_web_tls_cert_source: mycert.pem
+prometheus_web_tls_key_source: mykey.pem
+
+# @var prometheus_web_http_server:description: See official [documentation](https://github.com/prometheus/exporter-toolkit/blob/master/docs/web-configuration.md).
+# @var prometheus_web_http_server: $ "_unset_"
+
+# @var prometheus_web_basic_auth_users:description: See official [documentation](https://github.com/prometheus/exporter-toolkit/blob/master/docs/web-configuration.md).
+# @var prometheus_web_basic_auth_users: $ "_unset_"
+
+prometheus_log_level: error

 prometheus_storage_retention: "30d"
 prometheus_storage_retention_size: "0"
@ -33,10 +41,8 @@ prometheus_storage_retention_size: "0"
 prometheus_config_flags_extra: []
 # @var prometheus_config_flags_extra:example: >
 # prometheus_config_flags_extra:
-#   - name: storage.tsdb.retention
-#     value: 15d
 #   - name: alertmanager.timeout
-#   - value: 10s
+#     value: 10s
 # @end

 prometheus_alertmanager_config: []
@ -94,7 +100,7 @@ prometheus_targets: []

 prometheus_scrape_configs:
  - job_name: "prometheus"
-    metrics_path: "{{ prometheus_web_external_url | urlsplit('path') }}/metrics"
+    metrics_path: "{{ prometheus_web_external_url | urlsplit('path') if (prometheus_web_external_url | urlsplit('path')) | length > 1 else '' }}/metrics"
    static_configs:
      - targets:
          - "{{ ansible_fqdn | default(ansible_host) | default('localhost') }}:9090"
--- a/molecule/centos7/converge.yml
+++ b/molecule/centos7/converge.yml
@ -1,5 +1,28 @@
 ---
 - name: Converge
  hosts: all
+  vars:
+    prometheus_config_flags_extra:
+      - name: alertmanager.timeout
+        value: 10s
+    prometheus_alertmanager_config:
+      - scheme: https
+        path_prefix: alertmanager/
+        basic_auth:
+          username: user
+          password: pass
+        static_configs:
+          - targets:
+              - "127.0.0.1:9093"
+    prometheus_alert_relabel_configs:
+      - action: labeldrop
+        regex: replica
+    prometheus_targets:
+      - name: node
+        config:
+          - targets:
+              - localhost:9100
+            labels:
+              env: test
  roles:
    - role: xoxys.prometheus
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -3,3 +3,6 @@
 - include_tasks: setup.yml
 - include_tasks: selinux.yml
  when: ansible_selinux.status == "enabled"
+- import_tasks: tls.yml
+  when: prometheus_web_tls_enabled | bool
+  tags: tls_renewal
--- a/tasks/setup.yml
+++ b/tasks/setup.yml
@ -19,6 +19,7 @@
        - "{{ prometheus_config_dir }}"
        - "{{ prometheus_rules_dir }}"
        - "{{ prometheus_data_dir }}"
+        - "{{ prometheus_file_sd_dir }}"

    - name: Download and extract Prometheus tarball
      unarchive:
@ -53,6 +54,7 @@
        owner: "{{ prometheus_user }}"
        group: "{{ prometheus_user }}"
        mode: 0640
+        validate: "{{ prometheus_base_dir }}/promtool check web-config %s"

    - name: Configure prometheus static targets
      template:
@ -62,6 +64,8 @@
        group: "{{ prometheus_user }}"
        mode: 0640
      loop: "{{ prometheus_targets }}"
+      loop_control:
+        label: "{{ item.name }}"

    - name: Copy prometheus custom static targets
      copy:
--- a/tasks/tls.yml
+++ b/tasks/tls.yml
@ -0,0 +1,32 @@
+---
+- block:
+    - name: Create tls folder structure
+      file:
+        path: "{{ item }}"
+        state: directory
+        owner: "{{ prometheus_user }}"
+        group: "{{ prometheus_group }}"
+        recurse: True
+      loop:
+        - "{{ prometheus_web_tls_cert_path | dirname }}"
+        - "{{ prometheus_web_tls_key_path | dirname }}"
+  become: True
+  become_user: root
+
+- block:
+    - name: Copy certs and private key
+      copy:
+        src: "{{ item.src }}"
+        dest: "{{ item.dest }}"
+        mode: "{{ item.mode }}"
+      loop:
+        - src: "{{ prometheus_web_tls_key_source }}"
+          dest: "{{ prometheus_web_tls_key_path }}"
+          mode: "0600"
+        - src: "{{ prometheus_web_tls_cert_source }}"
+          dest: "{{ prometheus_web_tls_cert_path }}"
+          mode: "0750"
+      loop_control:
+        label: "{{ item.dest }}"
+  become: True
+  become_user: "{{ prometheus_user }}"
--- a/templates/conf/prometheus.yml.j2
+++ b/templates/conf/prometheus.yml.j2
@ -5,12 +5,12 @@ global:
  {{ prometheus_global | to_nice_yaml(indent=2) | indent(2, False) }}
  external_labels:
    {{ prometheus_external_labels | to_nice_yaml(indent=2) | indent(4, False) }}
-{% if prometheus_remote_write != [] %}
+{% if prometheus_remote_write | length > 0 %}

 remote_write:
  {{ prometheus_remote_write | to_nice_yaml(indent=2) | indent(2, False) }}
 {% endif %}
-{% if prometheus_remote_read != [] %}
+{% if prometheus_remote_read | length > 0 %}

 remote_read:
  {{ prometheus_remote_read | to_nice_yaml(indent=2) | indent(2, False) }}
--- a/templates/conf/web.yml.j2
+++ b/templates/conf/web.yml.j2
@ -1,4 +1,26 @@
 #jinja2: lstrip_blocks: True
 {{ ansible_managed | comment }}

-{{ prometheus_web_config | to_nice_yaml(indent=2) }}
+{% if prometheus_web_tls_enabled | bool %}
+tls_server_config:
+  cert_file: {{ prometheus_web_tls_cert_path }}
+  key_file: {{ prometheus_web_tls_key_path }}
+{% else %}
+tls_server_config: {}
+{% endif %}
+{% if prometheus_web_http_server is defined %}
+
+http_server_config:
+  {{ prometheus_web_http_server | to_nice_yaml(indent=2) | indent(2,False) }}
+{% else %}
+
+http_server_config: {}
+{% endif %}
+{% if prometheus_web_basic_auth_users is defined %}
+
+basic_auth_users:
+  {{ prometheus_web_basic_auth_users | to_nice_yaml(indent=2) | indent(2,False) }}
+{% else %}
+
+basic_auth_users: {}
+{% endif %}
--- a/templates/etc/systemd/system/prometheus.service.j2
+++ b/templates/etc/systemd/system/prometheus.service.j2
@ -25,13 +25,14 @@ ExecStart={{ prometheus_base_dir }}/prometheus \
 {% if flag.value is not defined %}
  --{{ flag.name }} \
 {% elif flag.value is string %}
-  --{{ flag.name }}={{ flag_value }} \
+  --{{ flag.name }}={{ flag.value }} \
 {% elif flag.value is sequence %}
 {% for flag_value_item in flag.value %}
  --{{ flag.name }}={{ flag_value_item }} \
 {% endfor %}
 {% endif %}
 {% endfor %}
+  --log.level={{ prometheus_log_level }} \
  --config.file={{ prometheus_config_dir }}/prometheus.yml

 LimitNOFILE=65000