summaryrefslogtreecommitdiff
path: root/roles
diff options
context:
space:
mode:
authorChristian Pointner <equinox@spreadspace.org>2021-06-10 01:15:32 +0200
committerChristian Pointner <equinox@spreadspace.org>2021-06-20 01:44:16 +0200
commit6082a92fa86d121d3ea4256859ee4c9d412e78c0 (patch)
tree56ece20d6814f1cf5e0479b940d1d2366edfdd2b /roles
parentprometheus: move CA to seperate role and add prometheus zone groups (diff)
promethues: remote certificate signing for exporter/base
Diffstat (limited to 'roles')
-rw-r--r--roles/monitoring/prometheus/ca/tasks/main.yml2
-rw-r--r--roles/monitoring/prometheus/exporter/base/tasks/tls.yml49
-rw-r--r--roles/monitoring/prometheus/server/tasks/tls.yml34
-rw-r--r--roles/monitoring/prometheus/server/templates/prometheus.yml.j216
4 files changed, 77 insertions, 24 deletions
diff --git a/roles/monitoring/prometheus/ca/tasks/main.yml b/roles/monitoring/prometheus/ca/tasks/main.yml
index 9f166321..cde4a267 100644
--- a/roles/monitoring/prometheus/ca/tasks/main.yml
+++ b/roles/monitoring/prometheus/ca/tasks/main.yml
@@ -34,7 +34,6 @@
useCommonNameForSAN: no
key_usage:
- cRLSign
- - digitalSignature
- keyCertSign
key_usage_critical: yes
basic_constraints:
@@ -50,3 +49,4 @@
provider: selfsigned
selfsigned_digest: sha256
selfsigned_not_after: "+18250d" ## 50 years
+ selfsigned_create_subject_key_identifier: always_create
diff --git a/roles/monitoring/prometheus/exporter/base/tasks/tls.yml b/roles/monitoring/prometheus/exporter/base/tasks/tls.yml
index b2731b09..72186acb 100644
--- a/roles/monitoring/prometheus/exporter/base/tasks/tls.yml
+++ b/roles/monitoring/prometheus/exporter/base/tasks/tls.yml
@@ -45,17 +45,56 @@
- 'CA:FALSE'
basic_constraints_critical: yes
-## TODO: implement remote singing using server
+- name: slurp CSR
+ slurp:
+ src: /etc/ssl/prometheus/exporter/csr.pem
+ register: prometheus_exporter_server_csr
-- name: create exporter certificate
- openssl_certificate:
+- name: check if exporter certificate exists
+ stat:
path: /etc/ssl/prometheus/exporter/crt.pem
- csr_path: /etc/ssl/prometheus/exporter/csr.pem
+ register: prometheus_exporter_server_cert
+
+- name: read exporter client certificate issuer key id and validity
+ when: prometheus_exporter_server_cert.stat.exists
+ openssl_certificate_info:
+ path: /etc/ssl/prometheus/exporter/crt.pem
+ valid_at:
+ ten_years: '+3650d'
+ register: prometheus_exporter_server_cert_info
+
+- name: slurp existing exporter certificate
+ when: prometheus_exporter_server_cert.stat.exists
+ slurp:
+ src: /etc/ssl/prometheus/exporter/crt.pem
+ register: prometheus_exporter_server_cert_current
+
+- name: generate exporter certificate
+ delegate_to: "{{ promethues_server }}"
+ community.crypto.x509_certificate_pipe:
+ content: "{{ prometheus_exporter_server_cert_current.content | default('') | b64decode }}"
+ csr_content: "{{ prometheus_exporter_server_csr.content | b64decode }}"
provider: ownca
ownca_path: /etc/ssl/prometheus/ca-crt.pem
ownca_privatekey_path: /etc/ssl/prometheus/ca/key.pem
ownca_digest: sha256
ownca_not_after: "+18250d" ## 50 years
+ force: "{{ prometheus_exporter_server_cert.stat.exists and (not prometheus_exporter_server_cert_info.valid_at.ten_years) }}"
+ register: prometheus_exporter_server_cert
+
+- name: store exporter certificate
+ copy:
+ content: "{{ prometheus_exporter_server_cert.certificate }}"
+ dest: /etc/ssl/prometheus/exporter/crt.pem
notify: restart prometheus-exporter-exporter
-## TODO: install /etc/ssl/prometheus/ca-crt.pem from server
+- name: slurp CA certificate
+ delegate_to: "{{ promethues_server }}"
+ slurp:
+ src: /etc/ssl/prometheus/ca-crt.pem
+ register: prometheus_exporter_ca_certificate
+
+- name: install CA certificate
+ copy:
+ content: "{{ prometheus_exporter_ca_certificate.content | b64decode }}"
+ dest: /etc/ssl/prometheus/ca-crt.pem
diff --git a/roles/monitoring/prometheus/server/tasks/tls.yml b/roles/monitoring/prometheus/server/tasks/tls.yml
index 5c112e12..940c69b1 100644
--- a/roles/monitoring/prometheus/server/tasks/tls.yml
+++ b/roles/monitoring/prometheus/server/tasks/tls.yml
@@ -17,9 +17,9 @@
group: prometheus
mode: 0750
-- name: create private key to connect to exporter
+- name: create private key for scrape-client certificate
openssl_privatekey:
- path: /etc/ssl/prometheus/server/exporter-key.pem
+ path: /etc/ssl/prometheus/server/scrape-key.pem
type: RSA
size: 4096
owner: prometheus
@@ -27,10 +27,10 @@
mode: 0400
notify: reload prometheus
-- name: create signing request for client certificate to connect to exporter
+- name: create signing request for scrape-client certificate
openssl_csr:
- path: /etc/ssl/prometheus/server/exporter-csr.pem
- privatekey_path: /etc/ssl/prometheus/server/exporter-key.pem
+ path: /etc/ssl/prometheus/server/scrape-csr.pem
+ privatekey_path: /etc/ssl/prometheus/server/scrape-key.pem
CN: "{{ inventory_hostname }}"
subject_alt_name:
- "DNS:{{ host_name }}.{{ host_domain }}"
@@ -45,17 +45,31 @@
- 'CA:FALSE'
basic_constraints_critical: yes
+## TODO: install /etc/ssl/prometheus/ca-crt.pem from CA host
+
+- name: check if scrape-client certificate exists
+ stat:
+ path: /etc/ssl/prometheus/server/scrape-crt.pem
+ register: prometheus_server_scrape_client_cert
+
+- name: check scrape-client certificate validity
+ when: prometheus_server_scrape_client_cert.stat.exists
+ openssl_certificate_info:
+ path: /etc/ssl/prometheus/server/scrape-crt.pem
+ valid_at:
+ ten_years: '+3650d'
+ register: prometheus_server_scrape_client_cert_info
+
## TODO: implement remote signing?
-- name: create client certificate to connect to exporter
+- name: create scrape-client certificate
openssl_certificate:
- path: /etc/ssl/prometheus/server/exporter-crt.pem
- csr_path: /etc/ssl/prometheus/server/exporter-csr.pem
+ path: /etc/ssl/prometheus/server/scrape-crt.pem
+ csr_path: /etc/ssl/prometheus/server/scrape-csr.pem
provider: ownca
ownca_path: /etc/ssl/prometheus/ca-crt.pem
ownca_privatekey_path: /etc/ssl/prometheus/ca/key.pem
ownca_digest: sha256
ownca_not_after: "+18250d" ## 50 years
+ force: "{{ prometheus_server_scrape_client_cert.stat.exists and (not prometheus_server_scrape_client_cert_info.valid_at.ten_years) }}"
notify: reload prometheus
-
-## TODO: install /etc/ssl/prometheus/ca-crt.pem from server
diff --git a/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 b/roles/monitoring/prometheus/server/templates/prometheus.yml.j2
index 5eb7c570..3975c74d 100644
--- a/roles/monitoring/prometheus/server/templates/prometheus.yml.j2
+++ b/roles/monitoring/prometheus/server/templates/prometheus.yml.j2
@@ -23,8 +23,8 @@ scrape_configs:
scheme: https
tls_config:
ca_file: /etc/ssl/prometheus/ca-crt.pem
- cert_file: /etc/ssl/prometheus/server/exporter-crt.pem
- key_file: /etc/ssl/prometheus/server/exporter-key.pem
+ cert_file: /etc/ssl/prometheus/server/scrape-crt.pem
+ key_file: /etc/ssl/prometheus/server/scrape-key.pem
file_sd_configs:
- files:
- "/etc/prometheus/jobs/{{ job }}/*.yml"
@@ -40,8 +40,8 @@ scrape_configs:
scheme: https
tls_config:
ca_file: /etc/ssl/prometheus/ca-crt.pem
- cert_file: /etc/ssl/prometheus/server/exporter-crt.pem
- key_file: /etc/ssl/prometheus/server/exporter-key.pem
+ cert_file: /etc/ssl/prometheus/server/scrape-crt.pem
+ key_file: /etc/ssl/prometheus/server/scrape-key.pem
static_configs:
- targets:
- 62.99.185.129
@@ -63,8 +63,8 @@ scrape_configs:
scheme: https
tls_config:
ca_file: /etc/ssl/prometheus/ca-crt.pem
- cert_file: /etc/ssl/prometheus/server/exporter-crt.pem
- key_file: /etc/ssl/prometheus/server/exporter-key.pem
+ cert_file: /etc/ssl/prometheus/server/scrape-crt.pem
+ key_file: /etc/ssl/prometheus/server/scrape-key.pem
static_configs:
- targets:
- web.chaos-at-home.org
@@ -85,8 +85,8 @@ scrape_configs:
scheme: https
tls_config:
ca_file: /etc/ssl/prometheus/ca-crt.pem
- cert_file: /etc/ssl/prometheus/server/exporter-crt.pem
- key_file: /etc/ssl/prometheus/server/exporter-key.pem
+ cert_file: /etc/ssl/prometheus/server/scrape-crt.pem
+ key_file: /etc/ssl/prometheus/server/scrape-key.pem
static_configs:
- targets:
- 192.168.32.230:222