feat: add web tls config

This commit is contained in:
Robert Kaussow 2021-05-29 17:52:24 +02:00
parent cc064da1f1
commit fd59ad7165
Signed by: xoxys
GPG Key ID: 4E692A2EAECC03C0
8 changed files with 105 additions and 14 deletions


@ -16,13 +16,21 @@ prometheus_read_only_dirs: []
prometheus_web_bind_ip: 127.0.0.1 prometheus_web_bind_ip: 127.0.0.1
prometheus_web_bind_port: 9090 prometheus_web_bind_port: 9090
prometheus_web_external_url: "" prometheus_web_external_url: "http://localhost:9090/"
# @var prometheus_web_config:description: See official [documentation](https://github.com/prometheus/exporter-toolkit/blob/master/docs/web-configuration.md). prometheus_web_tls_enabled: False
prometheus_web_config: prometheus_web_tls_cert_path: "{{ prometheus_base_dir }}/tls/certs/mycert.pem"
tls_server_config: {} prometheus_web_tls_key_path: "{{ prometheus_base_dir }}/tls/private/mykey.pem"
http_server_config: {} prometheus_web_tls_cert_source: mycert.pem
basic_auth_users: {} prometheus_web_tls_key_source: mykey.pem
# @var prometheus_web_http_server:description: See official [documentation](https://github.com/prometheus/exporter-toolkit/blob/master/docs/web-configuration.md).
# @var prometheus_web_http_server: $ "_unset_"
# @var prometheus_web_basic_auth_users:description: See official [documentation](https://github.com/prometheus/exporter-toolkit/blob/master/docs/web-configuration.md).
# @var prometheus_web_basic_auth_users: $ "_unset_"
prometheus_log_level: error
prometheus_storage_retention: "30d" prometheus_storage_retention: "30d"
prometheus_storage_retention_size: "0" prometheus_storage_retention_size: "0"
@ -33,10 +41,8 @@ prometheus_storage_retention_size: "0"
prometheus_config_flags_extra: [] prometheus_config_flags_extra: []
# @var prometheus_config_flags_extra:example: > # @var prometheus_config_flags_extra:example: >
# prometheus_config_flags_extra: # prometheus_config_flags_extra:
# - name: storage.tsdb.retention
# value: 15d
# - name: alertmanager.timeout # - name: alertmanager.timeout
# - value: 10s # value: 10s
# @end # @end
prometheus_alertmanager_config: [] prometheus_alertmanager_config: []
@ -94,7 +100,7 @@ prometheus_targets: []
prometheus_scrape_configs: prometheus_scrape_configs:
- job_name: "prometheus" - job_name: "prometheus"
metrics_path: "{{ prometheus_web_external_url | urlsplit('path') }}/metrics" metrics_path: "{{ prometheus_web_external_url | urlsplit('path') if (prometheus_web_external_url | urlsplit('path')) | length > 1 else '' }}/metrics"
static_configs: static_configs:
- targets: - targets:
- "{{ ansible_fqdn | default(ansible_host) | default('localhost') }}:9090" - "{{ ansible_fqdn | default(ansible_host) | default('localhost') }}:9090"
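Review bot: Enabling `prometheus_web_tls_enabled` leaves the default self-scrape job in `prometheus_scrape_configs` (the `prometheus` job in the last hunk) pointing at a plain `host:9090` target with no `scheme`, so once the listener serves TLS the role's own built-in scrape fails; the job needs `scheme: "{{ 'https' if prometheus_web_tls_enabled | bool else 'http' }}"` and, for a self-signed pair, a matching `tls_config`, or the variable description must tell users to adjust it. `prometheus_web_tls_enabled: False` is a YAML 1.1 boolean spelling; write `prometheus_web_tls_enabled: false` (yamllint `truthy`). The four new `prometheus_web_tls_*` variables also lack the `# @var …:description:` annotations the surrounding defaults carry, so the generated docs will not explain that `*_source` is resolved from the role's `files/` directory while `*_path` is the destination on the host.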


@ -1,5 +1,28 @@
--- ---
- name: Converge - name: Converge
hosts: all hosts: all
vars:
prometheus_config_flags_extra:
- name: alertmanager.timeout
value: 10s
prometheus_alertmanager_config:
- scheme: https
path_prefix: alertmanager/
basic_auth:
username: user
password: pass
static_configs:
- targets:
- "127.0.0.1:9093"
prometheus_alert_relabel_configs:
- action: labeldrop
regex: replica
prometheus_targets:
- name: node
config:
- targets:
- localhost:9100
labels:
env: test
roles: roles:
- role: xoxys.prometheus - role: xoxys.prometheus
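Review bot: The converge play now exercises alertmanager, relabel and target variables but never sets `prometheus_web_tls_enabled`, so the new `tls.yml` tasks, the `tls_server_config` branch of web.yml.j2 and the `promtool check web-config` validation added in this commit run through molecule only in their disabled form, unless another scenario file enables them. Consider adding `prometheus_web_tls_enabled: true` together with a throwaway cert/key pair shipped with the scenario so the TLS path is actually validated. The `user`/`pass` values under `basic_auth` are obviously fixtures, but a comment saying so keeps them from being copied into real inventories.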


@ -3,3 +3,6 @@
- include_tasks: setup.yml - include_tasks: setup.yml
- include_tasks: selinux.yml - include_tasks: selinux.yml
when: ansible_selinux.status == "enabled" when: ansible_selinux.status == "enabled"
- import_tasks: tls.yml
when: prometheus_web_tls_enabled | bool
tags: tls_renewal


@ -19,6 +19,7 @@
- "{{ prometheus_config_dir }}" - "{{ prometheus_config_dir }}"
- "{{ prometheus_rules_dir }}" - "{{ prometheus_rules_dir }}"
- "{{ prometheus_data_dir }}" - "{{ prometheus_data_dir }}"
- "{{ prometheus_file_sd_dir }}"
- name: Download and extract Prometheus tarball - name: Download and extract Prometheus tarball
unarchive: unarchive:
@ -53,6 +54,7 @@
owner: "{{ prometheus_user }}" owner: "{{ prometheus_user }}"
group: "{{ prometheus_user }}" group: "{{ prometheus_user }}"
mode: 0640 mode: 0640
validate: "{{ prometheus_base_dir }}/promtool check web-config %s"
- name: Configure prometheus static targets - name: Configure prometheus static targets
template: template:
@ -62,6 +64,8 @@
group: "{{ prometheus_user }}" group: "{{ prometheus_user }}"
mode: 0640 mode: 0640
loop: "{{ prometheus_targets }}" loop: "{{ prometheus_targets }}"
loop_control:
label: "{{ item.name }}"
- name: Copy prometheus custom static targets - name: Copy prometheus custom static targets
copy: copy:
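Review bot: The added `validate: "{{ prometheus_base_dir }}/promtool check web-config %s"` (second hunk) makes that template task depend on the TLS material already being in place: `promtool check web-config` loads the configured `cert_file`/`key_file` to validate them, so it fails when `tls.yml` has not run yet or when the validating account cannot read the `0600` key that `tls.yml` installs for `prometheus_user`. The task's name, its ordering relative to `tls.yml` and its `become` settings are all outside the hunk; confirm it runs after the TLS import and as root or as `prometheus_user`, and add a comment such as `# validate needs cert/key from tls.yml to exist and be readable` above the line. The `mode: 0640` context lines are unquoted octals; they work in Ansible but ansible-lint flags them, so quoting them when this task is touched next would be consistent with the quoted modes in `tls.yml`.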

32
tasks/tls.yml Normal file

@ -0,0 +1,32 @@
---
- block:
- name: Create tls folder structure
file:
path: "{{ item }}"
state: directory
owner: "{{ prometheus_user }}"
group: "{{ prometheus_group }}"
recurse: True
loop:
- "{{ prometheus_web_tls_cert_path | dirname }}"
- "{{ prometheus_web_tls_key_path | dirname }}"
become: True
become_user: root
- block:
- name: Copy certs and private key
copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
mode: "{{ item.mode }}"
loop:
- src: "{{ prometheus_web_tls_key_source }}"
dest: "{{ prometheus_web_tls_key_path }}"
mode: "0600"
- src: "{{ prometheus_web_tls_cert_source }}"
dest: "{{ prometheus_web_tls_cert_path }}"
mode: "0750"
loop_control:
label: "{{ item.dest }}"
become: True
become_user: "{{ prometheus_user }}"
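Review bot: `group: "{{ prometheus_group }}"` in `Create tls folder structure` uses a variable this commit does not add to the defaults and that the other file tasks in this change do not use — they pass `group: "{{ prometheus_user }}"` — so unless `prometheus_group` is defined elsewhere in the role the first TLS task aborts on an undefined variable. The certificate is installed with `mode: "0750"`, which adds an executable bit a PEM file never needs; `mode: "0640"` is sufficient and keeps it unreadable to other accounts. `recurse: True` and `become: True` are YAML 1.1 spellings, prefer `true`. Neither task notifies a handler, so a `--tags tls_renewal` run replaces the files on disk without touching the service; whether the running Prometheus picks up a new key pair without a restart should be confirmed and stated in the variable description.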


@ -5,12 +5,12 @@ global:
{{ prometheus_global | to_nice_yaml(indent=2) | indent(2, False) }} {{ prometheus_global | to_nice_yaml(indent=2) | indent(2, False) }}
external_labels: external_labels:
{{ prometheus_external_labels | to_nice_yaml(indent=2) | indent(4, False) }} {{ prometheus_external_labels | to_nice_yaml(indent=2) | indent(4, False) }}
{% if prometheus_remote_write != [] %} {% if prometheus_remote_write | length > 0 %}
remote_write: remote_write:
{{ prometheus_remote_write | to_nice_yaml(indent=2) | indent(2, False) }} {{ prometheus_remote_write | to_nice_yaml(indent=2) | indent(2, False) }}
{% endif %} {% endif %}
{% if prometheus_remote_read != [] %} {% if prometheus_remote_read | length > 0 %}
remote_read: remote_read:
{{ prometheus_remote_read | to_nice_yaml(indent=2) | indent(2, False) }} {{ prometheus_remote_read | to_nice_yaml(indent=2) | indent(2, False) }}


@ -1,4 +1,26 @@
#jinja2: lstrip_blocks: True #jinja2: lstrip_blocks: True
{{ ansible_managed | comment }} {{ ansible_managed | comment }}
{{ prometheus_web_config | to_nice_yaml(indent=2) }} {% if prometheus_web_tls_enabled | bool %}
tls_server_config:
cert_file: {{ prometheus_web_tls_cert_path }}
key_file: {{ prometheus_web_tls_key_path }}
{% else %}
tls_server_config: {}
{% endif %}
{% if prometheus_web_http_server is defined %}
http_server_config:
{{ prometheus_web_http_server | to_nice_yaml(indent=2) | indent(2,False) }}
{% else %}
http_server_config: {}
{% endif %}
{% if prometheus_web_basic_auth_users is defined %}
basic_auth_users:
{{ prometheus_web_basic_auth_users | to_nice_yaml(indent=2) | indent(2,False) }}
{% else %}
basic_auth_users: {}
{% endif %}
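Review bot: `cert_file: {{ prometheus_web_tls_cert_path }}` and `key_file: {{ prometheus_web_tls_key_path }}` render the paths as plain scalars, so a path containing `: `, ` #` or a leading indicator changes the parsed value or breaks the document before `promtool` ever sees it; write them as `cert_file: "{{ prometheus_web_tls_cert_path }}"` and `key_file: "{{ prometheus_web_tls_key_path }}"`. Replacing the single `prometheus_web_config` mapping with `prometheus_web_tls_*`, `prometheus_web_http_server` and `prometheus_web_basic_auth_users` silently ignores any `prometheus_web_config` a user still sets; a deprecation note in the defaults or an `assert` that the old variable is undefined would make the migration visible. The `{% if prometheus_web_basic_auth_users is defined %}` branch emits the users mapping whenever it is defined, including an empty one, so its documented default `_unset_` should say that defining it as `{}` is equivalent to leaving it unset.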


@ -25,13 +25,14 @@ ExecStart={{ prometheus_base_dir }}/prometheus \
{% if flag.value is not defined %} {% if flag.value is not defined %}
--{{ flag.name }} \ --{{ flag.name }} \
{% elif flag.value is string %} {% elif flag.value is string %}
--{{ flag.name }}={{ flag_value }} \ --{{ flag.name }}={{ flag.value }} \
{% elif flag.value is sequence %} {% elif flag.value is sequence %}
{% for flag_value_item in flag.value %} {% for flag_value_item in flag.value %}
--{{ flag.name }}={{ flag_value_item }} \ --{{ flag.name }}={{ flag_value_item }} \
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% endfor %} {% endfor %}
--log.level={{ prometheus_log_level }} \
--config.file={{ prometheus_config_dir }}/prometheus.yml --config.file={{ prometheus_config_dir }}/prometheus.yml
LimitNOFILE=65000 LimitNOFILE=65000
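Review bot: Nothing in this hunk passes the rendered web config to the daemon: it fixes `flag_value` → `flag.value` and adds `--log.level={{ prometheus_log_level }}`, but unless `--web.config.file=<path of the rendered web.yml>` is already part of the `ExecStart` line above the hunk, enabling `prometheus_web_tls_enabled` produces a validated web.yml that Prometheus never reads and the listener stays plain HTTP. Confirm that flag is present, or add it next to `--config.file`. `prometheus_log_level` is interpolated unvalidated; an `assert` that it is one of `debug`, `info`, `warn`, `error` would fail the play instead of the unit at start-up. The `ExecStart` line begins outside the hunk.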