ch-mon: monitoring services and landingpage now use new sso

author: Christian Pointner <equinox@spreadspace.org> 2023-11-15 19:10:53 +0100
committer: Christian Pointner <equinox@spreadspace.org> 2023-11-15 19:10:53 +0100
commit: 289bc69e05df16245971db252668b7ba55ee3500 (patch)
tree: 3a667ebe7f8d1468cf2e7da8a1a4e9adacf98f40 /roles/monitoring
parent: ch-mon: add certificate for monitoring (diff)
5 files changed, 60 insertions, 1 deletions
diff --git a/roles/monitoring/grafana/defaults/main.yml b/roles/monitoring/grafana/defaults/main.yml
index 0eaeb061..20b886ca 100644
--- a/roles/monitoring/grafana/defaults/main.yml
+++ b/roles/monitoring/grafana/defaults/main.yml
@@ -22,6 +22,13 @@ grafana_config_users:
   allow_sign_up: false
   allow_org_create: false
 
+grafana_config_auth: {}
+#  disable_signout_menu: true
+
+grafana_config_auth_proxy: {}
+#  enabled: true
+#  whitelist: 127.0.0.1
+
 
 grafana_datasources: []
 #  - name: "Prometheus"
diff --git a/roles/monitoring/grafana/tasks/main.yml b/roles/monitoring/grafana/tasks/main.yml
index 1e21ea39..de2857df 100644
--- a/roles/monitoring/grafana/tasks/main.yml
+++ b/roles/monitoring/grafana/tasks/main.yml
@@ -68,6 +68,28 @@
     value: "{{ item.value | string }}"
   notify: restart grafana
 
+- name: configure grafana auth
+  loop: "{{ grafana_config_auth | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
+  ini_file:
+    path: /etc/grafana/grafana.ini
+    section: auth
+    option: "{{ item.key }}"
+    value: "{{ item.value | string }}"
+  notify: restart grafana
+
+- name: configure grafana auth.proxy
+  loop: "{{ grafana_config_auth_proxy | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
+  ini_file:
+    path: /etc/grafana/grafana.ini
+    section: auth.proxy
+    option: "{{ item.key }}"
+    value: "{{ item.value | string }}"
+  notify: restart grafana
+
 
 - name: install datasources
   copy:
diff --git a/roles/monitoring/landingpage/defaults/main.yml b/roles/monitoring/landingpage/defaults/main.yml
index 8cdaba86..8c093099 100644
--- a/roles/monitoring/landingpage/defaults/main.yml
+++ b/roles/monitoring/landingpage/defaults/main.yml
@@ -11,3 +11,16 @@ monitoring_landingpage_services:
   - prometheus
   - alertmanager
   - grafana
+
+# monitoring_landingpage_vhost_extra_directives: |
+#   include snippets/whawty-sso-example.conf;
+
+monitoring_landingpage_service_extra_directives: {}
+#  prometheus: |
+#    proxy_set_header Authorization "Basic {{ 'user:pass' | b64encode }}";
+#  alertmanager: |
+#    proxy_set_header Authorization "Basic {{ 'user:pass' | b64encode }}";
+#  grafana: |
+#    auth_request_set $username $upstream_http_x_username;
+#    proxy_set_header X-WEBAUTH-USER $username;
+#    proxy_set_header Authorization "";
diff --git a/roles/monitoring/landingpage/tasks/main.yml b/roles/monitoring/landingpage/tasks/main.yml
index 0e24b016..e9512700 100644
--- a/roles/monitoring/landingpage/tasks/main.yml
+++ b/roles/monitoring/landingpage/tasks/main.yml
@@ -13,6 +13,7 @@
   vars:
     monitoring_landingpage_vhost_base:
       name: landingpage
+      mode: "0600"
       template: generic
       hostnames: "{{ monitoring_landingpage_hostnames }}"
       locations:
@@ -23,18 +24,34 @@
       tls:
         {{ monitoring_landingpage_tls | to_nice_yaml(indent=2) | indent(2) }}
       {% endif %}
+      {% if monitoring_landingpage_vhost_extra_directives is defined %}
+      extra_directives: |
+        {{ monitoring_landingpage_vhost_extra_directives | indent(2) }}
+      {% endif %}
       locations:
       {% if 'prometheus' in monitoring_landingpage_services %}
         '/prometheus/':
           proxy_pass: "http://{{ prometheus_server_web_listen_address | default('127.0.0.1:9090')  }}"
+      {%   if 'prometheus' in monitoring_landingpage_service_extra_directives %}
+          extra_directives: |
+            {{ monitoring_landingpage_service_extra_directives['prometheus'] | indent(6) }}
+      {%   endif %}
       {% endif %}
       {% if 'alertmanager' in monitoring_landingpage_services %}
         '/alertmanager/':
           proxy_pass: "http://{{ prometheus_alertmanager_web_listen_address | default('127.0.0.1:9093') }}"
+      {%   if 'alertmanager' in monitoring_landingpage_service_extra_directives %}
+          extra_directives: |
+            {{ monitoring_landingpage_service_extra_directives['alertmanager'] | indent(6) }}
+      {%   endif %}
       {% endif %}
       {% if 'grafana' in monitoring_landingpage_services %}
         '/grafana/':
           proxy_pass: "http://{{ grafana_config_server.http_addr | default('localhost') }}:{{ grafana_config_server.http_port | default(3000) }}"
+      {%   if 'grafana' in monitoring_landingpage_service_extra_directives %}
+          extra_directives: |
+            {{ monitoring_landingpage_service_extra_directives['grafana'] | indent(6) }}
+      {%   endif %}
       {% endif %}
   set_fact:
     monitoring_landingpage_vhost: "{{ monitoring_landingpage_vhost_base | combine(monitoring_landingpage_vhost_override__yaml | from_yaml, recursive=True) }}"
diff --git a/roles/monitoring/landingpage/templates/index.html.j2 b/roles/monitoring/landingpage/templates/index.html.j2
index 3c6cbe98..769ba1a2 100644
--- a/roles/monitoring/landingpage/templates/index.html.j2
+++ b/roles/monitoring/landingpage/templates/index.html.j2
@@ -15,7 +15,7 @@
      <li><a target='_blank' href='/alertmanager/'>Prometheus Alertmanager</a></li>
 {% endif %}
 {% if 'grafana' in monitoring_landingpage_services %}
-     <li><a target='_blank' href='/grafana/'>Grafana</a></li>
+     <li><a target='_blank' href='/grafana/dashboards'>Grafana</a></li>
 {% endif %}
    </ul>
   </div>
author	Christian Pointner <equinox@spreadspace.org>	2023-11-15 19:10:53 +0100
committer	Christian Pointner <equinox@spreadspace.org>	2023-11-15 19:10:53 +0100
commit	289bc69e05df16245971db252668b7ba55ee3500 (patch)
tree	3a667ebe7f8d1468cf2e7da8a1a4e9adacf98f40 /roles/monitoring
parent	ch-mon: add certificate for monitoring (diff)