From fd59ad7165ff94a7d24ab49ff4515fa36cdcc535 Mon Sep 17 00:00:00 2001 From: Robert Kaussow Date: Sat, 29 May 2021 17:52:24 +0200 Subject: [PATCH] feat: add web tls config --- defaults/main.yml | 26 +++++++++------ molecule/centos7/converge.yml | 23 +++++++++++++ tasks/main.yml | 3 ++ tasks/setup.yml | 4 +++ tasks/tls.yml | 32 +++++++++++++++++++ templates/conf/prometheus.yml.j2 | 4 +-- templates/conf/web.yml.j2 | 24 +++++++++++++- .../etc/systemd/system/prometheus.service.j2 | 3 +- 8 files changed, 105 insertions(+), 14 deletions(-) create mode 100644 tasks/tls.yml diff --git a/defaults/main.yml b/defaults/main.yml index 05d389a..6d59227 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -16,13 +16,21 @@ prometheus_read_only_dirs: [] prometheus_web_bind_ip: 127.0.0.1 prometheus_web_bind_port: 9090 -prometheus_web_external_url: "" +prometheus_web_external_url: "http://localhost:9090/" -# @var prometheus_web_config:description: See official [documentation](https://github.com/prometheus/exporter-toolkit/blob/master/docs/web-configuration.md). -prometheus_web_config: - tls_server_config: {} - http_server_config: {} - basic_auth_users: {} +prometheus_web_tls_enabled: False +prometheus_web_tls_cert_path: "{{ prometheus_base_dir }}/tls/certs/mycert.pem" +prometheus_web_tls_key_path: "{{ prometheus_base_dir }}/tls/private/mykey.pem" +prometheus_web_tls_cert_source: mycert.pem +prometheus_web_tls_key_source: mykey.pem + +# @var prometheus_web_http_server:description: See official [documentation](https://github.com/prometheus/exporter-toolkit/blob/master/docs/web-configuration.md). +# @var prometheus_web_http_server: $ "_unset_" + +# @var prometheus_web_basic_auth_users:description: See official [documentation](https://github.com/prometheus/exporter-toolkit/blob/master/docs/web-configuration.md). +# @var prometheus_web_basic_auth_users: $ "_unset_" + +prometheus_log_level: error prometheus_storage_retention: "30d" prometheus_storage_retention_size: "0" 
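Review bot: `prometheus_web_tls_enabled: False` is a capitalized YAML 1.1 boolean; the role reads it through `| bool` so it works, but yamllint's truthy rule and the rest of this file call for `prometheus_web_tls_enabled: false`. The new default `prometheus_web_external_url: "http://localhost:9090/"` keeps an `http://` scheme even when TLS is switched on, so whatever the role derives from it (the self-scrape `metrics_path` further down in this file at least) describes a listener that no longer speaks plain HTTP; a `# @var` line stating that the scheme must be changed together with `prometheus_web_tls_enabled`, or deriving the scheme in the template, would close that gap. `prometheus_web_tls_cert_source: mycert.pem` / `prometheus_web_tls_key_source: mykey.pem` name files this patch does not ship (the diffstat has no `files/` entry), so with TLS enabled and these defaults untouched the copy in tls.yml fails; a `# @var prometheus_web_tls_cert_source:description: Must be overridden with a certificate provided by the playbook.` comment would make that explicit.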
@@ -33,10 +41,8 @@ prometheus_storage_retention_size: "0" prometheus_config_flags_extra: [] # @var prometheus_config_flags_extra:example: > # prometheus_config_flags_extra: -# - name: storage.tsdb.retention -# value: 15d # - name: alertmanager.timeout -# - value: 10s +# value: 10s # @end prometheus_alertmanager_config: [] @@ -94,7 +100,7 @@ prometheus_targets: [] prometheus_scrape_configs: - job_name: "prometheus" - metrics_path: "{{ prometheus_web_external_url | urlsplit('path') }}/metrics" + metrics_path: "{{ prometheus_web_external_url | urlsplit('path') if (prometheus_web_external_url | urlsplit('path')) | length > 1 else '' }}/metrics" static_configs: - targets: - "{{ ansible_fqdn | default(ansible_host) | default('localhost') }}:9090" diff --git a/molecule/centos7/converge.yml b/molecule/centos7/converge.yml index b12075b..d3db8a9 100644 --- a/molecule/centos7/converge.yml +++ b/molecule/centos7/converge.yml @@ -1,5 +1,28 @@ --- - name: Converge hosts: all + vars: + prometheus_config_flags_extra: + - name: alertmanager.timeout + value: 10s + prometheus_alertmanager_config: + - scheme: https + path_prefix: alertmanager/ + basic_auth: + username: user + password: pass + static_configs: + - targets: + - "127.0.0.1:9093" + prometheus_alert_relabel_configs: + - action: labeldrop + regex: replica + prometheus_targets: + - name: node + config: + - targets: + - localhost:9100 + labels: + env: test roles: - role: xoxys.prometheus diff --git a/tasks/main.yml b/tasks/main.yml index 4502997..923a2de 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -3,3 +3,6 @@ - include_tasks: setup.yml - include_tasks: selinux.yml when: ansible_selinux.status == "enabled" +- import_tasks: tls.yml + when: prometheus_web_tls_enabled | bool + tags: tls_renewal diff --git a/tasks/setup.yml b/tasks/setup.yml index a769aad..3436c51 100644 --- a/tasks/setup.yml +++ b/tasks/setup.yml 
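Review bot: The self-scrape job in the last hunk of defaults/main.yml still has no `scheme`, so once `prometheus_web_tls_enabled` is true Prometheus scrapes its own TLS listener over plain HTTP and the `prometheus` target goes down; `scheme: "{{ 'https' if prometheus_web_tls_enabled | bool else 'http' }}"` on the job (plus matching `basic_auth` credentials if `prometheus_web_basic_auth_users` is used) keeps the default job working. The new `metrics_path` expression evaluates `urlsplit('path')` twice and keeps a trailing slash, so an external URL such as `http://host/prom/` yields `/prom//metrics`; `metrics_path: "{{ prometheus_web_external_url | urlsplit('path') | regex_replace('/$', '') }}/metrics"` covers the bare `/` case as well, since the strip turns it into the empty string, and drops the length check. Whether Prometheus tolerates the doubled slash via redirect I have not verified, so treat that part as a tidiness point.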
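Review bot: The converge vars exercise alertmanager, relabel and static-target rendering but leave `prometheus_web_tls_enabled` at its default, so the new tls.yml tasks, the `tls_server_config` branch of web.yml.j2 and the `promtool check web-config` validate step are never executed by this scenario (unless the molecule scenario sets it somewhere the diff does not show). A throwaway self-signed pair stored with the scenario and `prometheus_web_tls_enabled: true` plus `prometheus_web_tls_cert_source`/`prometheus_web_tls_key_source` pointing at it would cover the feature this commit adds, including the first-run ordering between setup.yml and tls.yml.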
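Review bot: `import_tasks: tls.yml` runs after `include_tasks: setup.yml`, but setup.yml in this same patch now validates the rendered web.yml with `promtool check web-config %s`, and on a first TLS-enabled run the `cert_file`/`key_file` that web.yml points at have not been copied yet; as far as I recall exporter-toolkit loads the key pair while parsing the config, in which case the validate fails before tls.yml is ever reached. Importing tls.yml before setup.yml (or at least before the web.yml template task) removes the dependency on run order. `tags: tls_renewal` allows re-running only the certificate copy, but nothing in tls.yml notifies a restart/reload handler, so a renewed certificate is written without the service being told unless Prometheus re-reads the files on its own.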
@@ -19,6 +19,7 @@ - "{{ prometheus_config_dir }}" - "{{ prometheus_rules_dir }}" - "{{ prometheus_data_dir }}" + - "{{ prometheus_file_sd_dir }}" - name: Download and extract Prometheus tarball unarchive: @@ -53,6 +54,7 @@ owner: "{{ prometheus_user }}" group: "{{ prometheus_user }}" mode: 0640 + validate: "{{ prometheus_base_dir }}/promtool check web-config %s" - name: Configure prometheus static targets template: @@ -62,6 +64,8 @@ group: "{{ prometheus_user }}" mode: 0640 loop: "{{ prometheus_targets }}" + loop_control: + label: "{{ item.name }}" - name: Copy prometheus custom static targets copy: diff --git a/tasks/tls.yml b/tasks/tls.yml new file mode 100644 index 0000000..115047d --- /dev/null +++ b/tasks/tls.yml @@ -0,0 +1,32 @@ +--- +- block: + - name: Create tls folder structure + file: + path: "{{ item }}" + state: directory + owner: "{{ prometheus_user }}" + group: "{{ prometheus_group }}" + recurse: True + loop: + - "{{ prometheus_web_tls_cert_path | dirname }}" + - "{{ prometheus_web_tls_key_path | dirname }}" + become: True + become_user: root + +- block: + - name: Copy certs and private key + copy: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + mode: "{{ item.mode }}" + loop: + - src: "{{ prometheus_web_tls_key_source }}" + dest: "{{ prometheus_web_tls_key_path }}" + mode: "0600" + - src: "{{ prometheus_web_tls_cert_source }}" + dest: "{{ prometheus_web_tls_cert_path }}" + mode: "0750" + loop_control: + label: "{{ item.dest }}" + become: True + become_user: "{{ prometheus_user }}" diff --git a/templates/conf/prometheus.yml.j2 b/templates/conf/prometheus.yml.j2 index 4cef2d3..1be1e02 100644 --- a/templates/conf/prometheus.yml.j2 +++ b/templates/conf/prometheus.yml.j2 
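Review bot: The certificate copy in tls.yml sets `mode: "0750"`, which gives a PEM file an execute bit it never needs; `mode: "0640"` matches the `0640` used for the config files in setup.yml and is the usual choice for a public certificate (the key's `"0600"` is right). The directory task uses `group: "{{ prometheus_group }}"` while setup.yml uses `group: "{{ prometheus_user }}"`; if `prometheus_group` is not among the role defaults (only part of them is visible here) the task fails on an undefined variable, and if it is, the two files should agree. `recurse: True` together with `owner`/`group` re-chowns everything below the two `dirname` results on every run, harmless for these directories but worth a one-line comment, and `True` should be the lowercase `true` like the rest of the role's new booleans. Copying the private key under `--diff` can print its contents in the task output, so `diff: false` on the copy task, plus a `notify` to the service handler so a renewed key pair is actually picked up, would round this off.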
@@ -5,12 +5,12 @@ global:
 {{ prometheus_global | to_nice_yaml(indent=2) | indent(2, False) }}
 external_labels:
 {{ prometheus_external_labels | to_nice_yaml(indent=2) | indent(4, False) }}
-{% if prometheus_remote_write != [] %}
+{% if prometheus_remote_write | length > 0 %}
 remote_write:
 {{ prometheus_remote_write | to_nice_yaml(indent=2) | indent(2, False) }}
 {% endif %}
-{% if prometheus_remote_read != [] %}
+{% if prometheus_remote_read | length > 0 %}
 remote_read:
 {{ prometheus_remote_read | to_nice_yaml(indent=2) | indent(2, False) }}
diff --git a/templates/conf/web.yml.j2 b/templates/conf/web.yml.j2
index 04fa7b9..866e4f2 100644
--- a/templates/conf/web.yml.j2
+++ b/templates/conf/web.yml.j2
@@ -1,4 +1,26 @@
 #jinja2: lstrip_blocks: True
 {{ ansible_managed | comment }}
-{{ prometheus_web_config | to_nice_yaml(indent=2) }}
+{% if prometheus_web_tls_enabled | bool %}
+tls_server_config:
+ cert_file: {{ prometheus_web_tls_cert_path }}
+ key_file: {{ prometheus_web_tls_key_path }}
+{% else %}
+tls_server_config: {}
+{% endif %}
+{% if prometheus_web_http_server is defined %}
+
+http_server_config:
+ {{ prometheus_web_http_server | to_nice_yaml(indent=2) | indent(2,False) }}
+{% else %}
+
+http_server_config: {}
+{% endif %}
+{% if prometheus_web_basic_auth_users is defined %}
+
+basic_auth_users:
+ {{ prometheus_web_basic_auth_users | to_nice_yaml(indent=2) | indent(2,False) }}
+{% else %}
+
+basic_auth_users: {}
+{% endif %}
diff --git a/templates/etc/systemd/system/prometheus.service.j2 b/templates/etc/systemd/system/prometheus.service.j2
index 8eb0e6d..1bc07bf 100644
--- a/templates/etc/systemd/system/prometheus.service.j2
+++ b/templates/etc/systemd/system/prometheus.service.j2
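Review bot: `cert_file: {{ prometheus_web_tls_cert_path }}` and `key_file: {{ prometheus_web_tls_key_path }}` are emitted unquoted in web.yml.j2, so a path containing a space, ` #` or `: ` breaks the rendered YAML; `cert_file: "{{ prometheus_web_tls_cert_path }}"` is the safe form for a templated scalar. The `http_server_config` and `basic_auth_users` branches switch on `is defined`, so an operator who sets either variable to `{}` to disable it gets the key followed by an indented `{}` on the next line, which is valid but differs from the `else` output; `{% if prometheus_web_http_server is defined and prometheus_web_http_server | length > 0 %}` makes both paths render identically. The rendered file is also what `promtool check web-config` validates in setup.yml, so a note at the top of the template saying that `basic_auth_users` values must already be bcrypt hashes (exporter-toolkit does not hash them) would save a round trip through that validate step.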
@@ -25,13 +25,14 @@ ExecStart={{ prometheus_base_dir }}/prometheus \
 {% if flag.value is not defined %}
 --{{ flag.name }} \
 {% elif flag.value is string %}
- --{{ flag.name }}={{ flag_value }} \
+ --{{ flag.name }}={{ flag.value }} \
 {% elif flag.value is sequence %}
 {% for flag_value_item in flag.value %}
 --{{ flag.name }}={{ flag_value_item }} \
 {% endfor %}
 {% endif %}
 {% endfor %}
+ --log.level={{ prometheus_log_level }} \
 --config.file={{ prometheus_config_dir }}/prometheus.yml
 LimitNOFILE=65000
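Review bot: `--log.level={{ prometheus_log_level }}` is appended unconditionally after the `prometheus_config_flags_extra` loop, so a user who already passes `log.level` through that list now gets the flag twice on the command line; whether the second occurrence wins or is rejected depends on Prometheus' flag parser, and either way it is surprising. Wrapping the new line in `{% if prometheus_config_flags_extra | selectattr('name', 'equalto', 'log.level') | list | length == 0 %}` … `{% endif %}`, or stating in defaults/main.yml that `prometheus_log_level` is the only supported way to set it, keeps the two from colliding. Nothing checks `prometheus_log_level` against the values Prometheus accepts (debug, info, warn, error), so a typo only surfaces when the unit fails to start; a comment on the default listing them would help. The `flag_value` → `flag.value` fix above is correct and was silently rendering an empty value before.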