authorChristian Pointner <equinox@spreadspace.org>2021-09-28 18:02:27 +0200
committerChristian Pointner <equinox@spreadspace.org>2021-09-28 18:02:27 +0200
commitc49412b8f31f551ec90b3dcd1d8e8e867a2b1680 (patch)
tree3cc302ee1282f3bd2c7e7a9a0bd6c220bb15e025 /roles/monitoring/prometheus/exporter
parentcosmetic fix (diff)
prometheus: add ssl exporter
Diffstat (limited to 'roles/monitoring/prometheus/exporter')
-rw-r--r--roles/monitoring/prometheus/exporter/TODO3
-rw-r--r--roles/monitoring/prometheus/exporter/meta/main.yml2
-rw-r--r--roles/monitoring/prometheus/exporter/ssl/defaults/main.yml16
-rw-r--r--roles/monitoring/prometheus/exporter/ssl/handlers/main.yml10
-rw-r--r--roles/monitoring/prometheus/exporter/ssl/tasks/main.yml42
-rw-r--r--roles/monitoring/prometheus/exporter/ssl/templates/config.yml.j24
-rw-r--r--roles/monitoring/prometheus/exporter/ssl/templates/service.j230
7 files changed, 104 insertions, 3 deletions
diff --git a/roles/monitoring/prometheus/exporter/TODO b/roles/monitoring/prometheus/exporter/TODO
index 57179464..53ded412 100644
--- a/roles/monitoring/prometheus/exporter/TODO
+++ b/roles/monitoring/prometheus/exporter/TODO
@@ -25,6 +25,3 @@ SNMP Exporter:
Process Exporter:
- https://github.com/ncabatoff/process-exporter
- https://packages.debian.org/bullseye/prometheus-process-exporter
-
-SSL Exporter:
- - https://github.com/ribbybibby/ssl_exporter
diff --git a/roles/monitoring/prometheus/exporter/meta/main.yml b/roles/monitoring/prometheus/exporter/meta/main.yml
index 68fce6cb..31dbd611 100644
--- a/roles/monitoring/prometheus/exporter/meta/main.yml
+++ b/roles/monitoring/prometheus/exporter/meta/main.yml
@@ -11,3 +11,5 @@ dependencies:
when: "'node' in (prometheus_exporters_default | union(prometheus_exporters_extra))"
- role: monitoring/prometheus/exporter/nut
when: "'nut' in (prometheus_exporters_default | union(prometheus_exporters_extra))"
+ - role: monitoring/prometheus/exporter/ssl
+ when: "'ssl' in (prometheus_exporters_default | union(prometheus_exporters_extra))"
diff --git a/roles/monitoring/prometheus/exporter/ssl/defaults/main.yml b/roles/monitoring/prometheus/exporter/ssl/defaults/main.yml
new file mode 100644
index 00000000..d7edd3f4
--- /dev/null
+++ b/roles/monitoring/prometheus/exporter/ssl/defaults/main.yml
@@ -0,0 +1,16 @@
+---
+prometheus_exporter_ssl_modules:
+ tcp:
+ prober: tcp
+ http:
+ prober: https
+ https:
+ prober: https
+ file:
+ prober: file
+ kubernetes:
+ prober: kubernetes
+ kubeconfig:
+ prober: kubeconfig
+
+prometheus_exporter_ssl_modules_extra: {}
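Review bot: The default module map enables the `file`, `kubernetes` and `kubeconfig` probers alongside the network ones, and this same commit publishes the exporter's probe endpoint through nginx in tasks/main.yml. Those three probers take a local path or cluster object as their target, so any client allowed to reach the probe location decides what the exporter inspects on this host. I would keep only `tcp`, `http` and `https` in `prometheus_exporter_ssl_modules` and let hosts that need the others opt in through `prometheus_exporter_ssl_modules_extra`. A comment above the variable saying `# every module listed here is reachable via /ssl/probe` would make that coupling visible to whoever extends the list.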
diff --git a/roles/monitoring/prometheus/exporter/ssl/handlers/main.yml b/roles/monitoring/prometheus/exporter/ssl/handlers/main.yml
new file mode 100644
index 00000000..2fb43f19
--- /dev/null
+++ b/roles/monitoring/prometheus/exporter/ssl/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: restart prometheus-ssl-exporter
+ service:
+ name: prometheus-ssl-exporter
+ state: restarted
+
+- name: reload nginx
+ service:
+ name: nginx
+ state: reloaded
diff --git a/roles/monitoring/prometheus/exporter/ssl/tasks/main.yml b/roles/monitoring/prometheus/exporter/ssl/tasks/main.yml
new file mode 100644
index 00000000..c57ea0b1
--- /dev/null
+++ b/roles/monitoring/prometheus/exporter/ssl/tasks/main.yml
@@ -0,0 +1,42 @@
+---
+ ## TODO: pin version
+- name: install apt packages
+ apt:
+ name: prom-exporter-ssl
+ state: present
+
+- name: create config directory
+ file:
+ path: /etc/prometheus/exporter/ssl
+ state: directory
+
+- name: generate configuration
+ template:
+ src: config.yml.j2
+ dest: /etc/prometheus/exporter/ssl/config.yml
+ notify: restart prometheus-ssl-exporter
+
+- name: generate systemd service unit
+ template:
+ src: service.j2
+ dest: /etc/systemd/system/prometheus-ssl-exporter.service
+ notify: restart prometheus-ssl-exporter
+
+- name: make sure prometheus-ssl-exporter is enabled and started
+ systemd:
+ name: prometheus-ssl-exporter.service
+ daemon_reload: yes
+ state: started
+ enabled: yes
+
+- name: register exporter
+ copy:
+ content: |
+ location = /ssl {
+ proxy_pass http://127.0.0.1:9219/metrics;
+ }
+ location = /ssl/probe {
+ proxy_pass http://127.0.0.1:9219/probe;
+ }
+ dest: /etc/prometheus/exporter/ssl.locations
+ notify: reload nginx
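Review bot: The `location = /ssl/probe` block in the "register exporter" task forwards the probe endpoint with no client restriction of its own, and the probe target is chosen by the caller, so whoever can reach this nginx can direct the exporter to open connections from this host. The server block that includes `/etc/prometheus/exporter/ssl.locations` is outside this diff, so it may already enforce authentication or a source filter; if it does not, add `allow <prometheus-server-address>;` and `deny all;` (placeholder address) inside the probe location. Independently of that, the `file`, `template` and `copy` tasks set no `mode`, `owner` or `group`, so the resulting permissions depend on the umask of the Ansible run; setting `mode: "0644"` on the files and `mode: "0755"` on the directory would pin them.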
diff --git a/roles/monitoring/prometheus/exporter/ssl/templates/config.yml.j2 b/roles/monitoring/prometheus/exporter/ssl/templates/config.yml.j2
new file mode 100644
index 00000000..1ef84541
--- /dev/null
+++ b/roles/monitoring/prometheus/exporter/ssl/templates/config.yml.j2
@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+
+modules:
+ {{ prometheus_exporter_ssl_modules | combine(prometheus_exporter_ssl_modules_extra) | to_nice_yaml(indent=2) | indent(2) }}
diff --git a/roles/monitoring/prometheus/exporter/ssl/templates/service.j2 b/roles/monitoring/prometheus/exporter/ssl/templates/service.j2
new file mode 100644
index 00000000..fdd754a4
--- /dev/null
+++ b/roles/monitoring/prometheus/exporter/ssl/templates/service.j2
@@ -0,0 +1,30 @@
+[Unit]
+Description=Prometheus ssl exporter
+
+[Service]
+Restart=always
+ExecStart=/usr/bin/prometheus-ssl-exporter --web.listen-address="127.0.0.1:9219" --config.file=/etc/prometheus/exporter/ssl/config.yml
+ExecReload=/bin/kill -HUP $MAINPID
+
+# systemd hardening-options
+AmbientCapabilities=
+CapabilityBoundingSet=
+DeviceAllow=/dev/null rw
+DevicePolicy=strict
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target
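Review bot: The `[Service]` section sets no `User=` or `DynamicUser=`, so despite the hardening block the exporter runs as uid 0. An empty `CapabilityBoundingSet=` drops capabilities, but the process still owns and can read every root-owned file, and `ProtectSystem=strict` only makes the filesystem read-only. That matters here because the role's defaults enable probers that read local files on request. Adding `DynamicUser=true` (or `User=` with the package's account, if it ships one; not visible in this diff) would confine those reads to world-readable material.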