-rw-r--r--chaos-at-home/host_vars/ch-mon.yml30
-rw-r--r--inventory/host_vars/ch-mon.yml7
-rw-r--r--roles/monitoring/prometheus/alertmanager/defaults/main.yml3
-rw-r--r--roles/monitoring/prometheus/alertmanager/tasks/main.yml15
-rw-r--r--roles/monitoring/prometheus/alertmanager/templates/prometheus-alertmanager.service.j22
-rw-r--r--roles/monitoring/prometheus/server/tasks/main.yml11
-rw-r--r--roles/monitoring/prometheus/server/templates/prometheus.service.j22
-rw-r--r--roles/monitoring/prometheus/server/templates/prometheus.yml.j210
8 files changed, 65 insertions, 15 deletions
diff --git a/chaos-at-home/host_vars/ch-mon.yml b/chaos-at-home/host_vars/ch-mon.yml
index e4991b12..132e3e9f 100644
--- a/chaos-at-home/host_vars/ch-mon.yml
+++ b/chaos-at-home/host_vars/ch-mon.yml
@@ -1,14 +1,18 @@
$ANSIBLE_VAULT;1.2;AES256;chaos-at-home
-30616132313037366566343937663637646165656539653234373737613735343762373865636534
-3462363461653439323066376633623061323030643436300a663966666563653963323265666539
-61643435633938646337643638323334393737663031623233623662383166393962353263323634
-3431333263313832350a386663376131653830326334373233316234316662346565306431313930
-63623732393365393031636438363233656164363435356135313534646334343065323966663765
-65373636303038653638336435326162363933376639623730656230383530653139626335356330
-32633534636462346530376535373130643137303232333162356231663962633132333361623264
-63323838323766626264643034333231333363373231666439613937313631316164383433353932
-36326137623335346231663832626134656463613330643830303432356464623232623765333465
-35663866343164653164373665376434316233376364393039666233633436356233373638656232
-35323564306133343838336132386531373239313439663265383837663066303636376338353630
-31373661643365333333383733623565346538636334393135666339336339663763623162313930
-6464
+31613732366630363830623161656537376532616661303238666631393766636164386534646162
+3633366463313561393664393861313939643631616235640a313266636663626463643261313734
+34353361313564323136316262326238323766643639643962373039333637393238623935626366
+6636663635633834370a663632396332383631643865393835313637363539326362663366616332
+36313463303639306330313833616437663336316632376461396130623065616132613666616361
+32303333386164633766333164363461393364306536663439346534613832383631613433303432
+37356363623539656365353130333237633466343463363138313933623962313763643033396338
+66663738333261633065653966373835653932313439366165313031626436343630323434376233
+30313330333065653063636139366530376130313139323633613736373231373236643265656666
+66373261373435323334396465323366646366663861346434396331303135313763326332663965
+61623531363631313239383462323166383435326633623461663935356536326365383535376236
+61643231343865643064333038613434336661376465656435383930623335623837376263333433
+66633836623062333135643362623230373538386163633761336237383361323361366632656335
+34633263303763376437613033623530666638666461643033356331393131316564393663656665
+33616331366465633733313135646464353836373933336634303938633533666439306564623533
+31396131653334653663323061626162346631396337623831396138626464613530616337633262
+30336136643734333832323663356437376561373961336231366334376262613034
diff --git a/inventory/host_vars/ch-mon.yml b/inventory/host_vars/ch-mon.yml
index 60361738..743a7136 100644
--- a/inventory/host_vars/ch-mon.yml
+++ b/inventory/host_vars/ch-mon.yml
@@ -64,6 +64,9 @@ prometheus_server_storage:
prometheus_server_alertmanager:
url: "127.0.0.1:9093"
path_prefix: "/alertmanager/"
+ basic_auth:
+ username: server
+ password: "{{ vault_prometheus_alertmanager_auth_user_passwords['server'] }}"
prometheus_server_web_external_url: /prometheus/
@@ -129,6 +132,10 @@ prometheus_alertmanager_smtp:
prometheus_alertmanager_web_route_prefix: /alertmanager/
+prometheus_alertmanager_auth_users:
+ server: "{{ vault_prometheus_alertmanager_auth_user_passwords['server'] }}"
+ admin: "{{ vault_prometheus_alertmanager_auth_user_passwords['admin'] }}"
+
grafana_secret_key: "{{ vault_grafana_secret_key }}"
diff --git a/roles/monitoring/prometheus/alertmanager/defaults/main.yml b/roles/monitoring/prometheus/alertmanager/defaults/main.yml
index ecec1d7c..a7f94b38 100644
--- a/roles/monitoring/prometheus/alertmanager/defaults/main.yml
+++ b/roles/monitoring/prometheus/alertmanager/defaults/main.yml
@@ -19,3 +19,6 @@ prometheus_alertmanager_route:
prometheus_alertmanager_receivers:
- name: empty
+
+# prometheus_server_auth_users:
+# foo: secret
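Review bot: The commented example added to the alertmanager role's defaults names `prometheus_server_auth_users`, but the task and service template added in this commit test `prometheus_alertmanager_auth_users`. Anyone who uncomments the example as written defines a variable this role never checks, so neither the web config file nor the `--web.config.file` flag would be generated and alertmanager would keep answering without basic auth. The example should read `# prometheus_alertmanager_auth_users:`.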
diff --git a/roles/monitoring/prometheus/alertmanager/tasks/main.yml b/roles/monitoring/prometheus/alertmanager/tasks/main.yml
index 10c0860a..338b0cbe 100644
--- a/roles/monitoring/prometheus/alertmanager/tasks/main.yml
+++ b/roles/monitoring/prometheus/alertmanager/tasks/main.yml
@@ -32,6 +32,21 @@
dest: /etc/prometheus/alertmanager.yml
notify: reload prometheus-alertmanager
+- name: generate web configuration file
+ when: prometheus_alertmanager_auth_users is defined
+ copy:
+ content: |
+ # Ansible managed
+ basic_auth_users:
+ {% for user,password in prometheus_alertmanager_auth_users.items() %}
+ {{ user }}: {{ password | password_hash('bcrypt', (user~'@'~inventory_hostname~'/prometheus/alertmanager') | bcrypt_salt) }}
+ {% endfor %}
+ dest: /etc/prometheus/alertmanager-web.yml
+ mode: 0640
+ owner: root
+ group: prometheus-alertmanager
+ notify: reload prometheus-alertmanager
+
- name: generate systemd service unit
template:
src: prometheus-alertmanager.service.j2
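Review bot: The new `generate web configuration file` task renders bcrypt hashes into `content` but sets no `no_log`, unlike the server role's password-file task in this same commit, so under `--diff` or verbose output the hashes would presumably end up in the run log. Adding `no_log: true` keeps them out. The file is also written without a `validate:` step, while the server role's web-config task uses `promtool check web-config %s` (visible as context in that role's hunk); the same check may be usable here if promtool is installed on the host. `mode: 0640` is safer quoted as `mode: "0640"` so the value does not depend on YAML octal parsing. The following `generate systemd service unit` task continues outside the hunk.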
diff --git a/roles/monitoring/prometheus/alertmanager/templates/prometheus-alertmanager.service.j2 b/roles/monitoring/prometheus/alertmanager/templates/prometheus-alertmanager.service.j2
index e548607d..5e0e3008 100644
--- a/roles/monitoring/prometheus/alertmanager/templates/prometheus-alertmanager.service.j2
+++ b/roles/monitoring/prometheus/alertmanager/templates/prometheus-alertmanager.service.j2
@@ -5,7 +5,7 @@ Documentation=https://prometheus.io/docs/alerting/alertmanager/
[Service]
Restart=on-failure
User=prometheus-alertmanager
-ExecStart=/usr/bin/prometheus-alertmanager --config.file=/etc/prometheus/alertmanager.yml --cluster.listen-address= --storage.path="/var/lib/prometheus/alertmanager"{% if prometheus_alertmanager_web_route_prefix is defined %} --web.route-prefix={{ prometheus_alertmanager_web_route_prefix }}{% endif %} --web.listen-address={{ prometheus_alertmanager_web_listen_address }}
+ExecStart=/usr/bin/prometheus-alertmanager --config.file=/etc/prometheus/alertmanager.yml --cluster.listen-address= --storage.path="/var/lib/prometheus/alertmanager"{% if prometheus_alertmanager_web_route_prefix is defined %} --web.route-prefix={{ prometheus_alertmanager_web_route_prefix }}{% endif %}{% if prometheus_alertmanager_auth_users is defined %} --web.config.file=/etc/prometheus/alertmanager-web.yml{% endif %} --web.listen-address={{ prometheus_alertmanager_web_listen_address }}
ExecReload=/bin/kill -HUP $MAINPID
TimeoutStopSec=20s
SendSIGKILL=no
diff --git a/roles/monitoring/prometheus/server/tasks/main.yml b/roles/monitoring/prometheus/server/tasks/main.yml
index f5965883..b2e5f0eb 100644
--- a/roles/monitoring/prometheus/server/tasks/main.yml
+++ b/roles/monitoring/prometheus/server/tasks/main.yml
@@ -111,6 +111,17 @@
validate: "promtool check web-config %s"
notify: reload prometheus
+- name: generate password file prometheus server to access alertmanager
+ when: "'basic_auth' in prometheus_server_alertmanager"
+ copy:
+ content: "{{ prometheus_server_alertmanager.basic_auth.password }}\n"
+ dest: /etc/prometheus/prometheus-alertmanager.password
+ mode: 0640
+ owner: root
+ group: prometheus
+ no_log: yes
+ notify: reload prometheus
+
- name: generate systemd service unit
template:
src: prometheus.service.j2
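Review bot: The condition `when: "'basic_auth' in prometheus_server_alertmanager"` raises an undefined-variable error if `prometheus_server_alertmanager` is not set, whereas prometheus.yml.j2 appears to wrap its alertmanager section in an outer condition (only the closing `{% endif %}` is visible in that hunk). If the role ships no default for the variable, `when: prometheus_server_alertmanager is defined and 'basic_auth' in prometheus_server_alertmanager` keeps the task skippable. As a style point, prefer `no_log: true` over `no_log: yes` and quote the mode as `mode: "0640"`. The following `generate systemd service unit` task continues outside the hunk.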
diff --git a/roles/monitoring/prometheus/server/templates/prometheus.service.j2 b/roles/monitoring/prometheus/server/templates/prometheus.service.j2
index b21cceae..77a3b02a 100644
--- a/roles/monitoring/prometheus/server/templates/prometheus.service.j2
+++ b/roles/monitoring/prometheus/server/templates/prometheus.service.j2
@@ -6,7 +6,7 @@ After=time-sync.target
[Service]
Restart=on-failure
User=prometheus
-ExecStart=/usr/bin/prometheus --config.file=/etc/prometheus/prometheus.yml --storage.tsdb.path=/var/lib/prometheus/metrics2/ --storage.tsdb.retention.time={{ prometheus_server_retention }}{% if prometheus_server_web_external_url is defined %} --web.external-url={{ prometheus_server_web_external_url }}{% endif %}{% if prometheus_server_auth_users is defined %} --web.config.file /etc/prometheus/prometheus-web.yml{% endif %} --web.listen-address={{ prometheus_server_web_listen_address }}
+ExecStart=/usr/bin/prometheus --config.file=/etc/prometheus/prometheus.yml --storage.tsdb.path=/var/lib/prometheus/metrics2/ --storage.tsdb.retention.time={{ prometheus_server_retention }}{% if prometheus_server_web_external_url is defined %} --web.external-url={{ prometheus_server_web_external_url }}{% endif %}{% if prometheus_server_auth_users is defined %} --web.config.file=/etc/prometheus/prometheus-web.yml{% endif %} --web.listen-address={{ prometheus_server_web_listen_address }}
ExecReload=/bin/kill -HUP $MAINPID
TimeoutStopSec=20s
SendSIGKILL=no
diff --git a/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 b/roles/monitoring/prometheus/server/templates/prometheus.yml.j2
index e73ca354..98ac1aaa 100644
--- a/roles/monitoring/prometheus/server/templates/prometheus.yml.j2
+++ b/roles/monitoring/prometheus/server/templates/prometheus.yml.j2
@@ -18,6 +18,11 @@ alerting:
{% if 'path_prefix' in prometheus_server_alertmanager %}
path_prefix: '{{ prometheus_server_alertmanager.path_prefix }}'
{% endif %}
+{% if 'basic_auth' in prometheus_server_alertmanager %}
+ basic_auth:
+ username: '{{ prometheus_server_alertmanager.basic_auth.username }}'
+ password_file: '/etc/prometheus/prometheus-alertmanager.password'
+{% endif %}
{% endif %}
scrape_configs:
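Review bot: The added `basic_auth` block here, and the identical one in the scrape_configs hunk below, has no `scheme` or `tls_config` visible beside it, so the password read from `password_file` is presumably sent over plain HTTP. That is acceptable for the loopback target in this inventory (`127.0.0.1:9093`), but the role would send credentials in cleartext to a remote alertmanager. A template comment such as `{# basic_auth is sent unencrypted unless scheme is https; keep the target on loopback or add tls_config #}` would document the assumption. The path `/etc/prometheus/prometheus-alertmanager.password` is also repeated in both blocks and in the task's `dest`; a single role variable would keep them in sync. The enclosing alerting section begins outside the hunk.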
@@ -35,6 +40,11 @@ scrape_configs:
{% if 'path_prefix' in prometheus_server_alertmanager %}
metrics_path: '{{ (prometheus_server_alertmanager.path_prefix, 'metrics') | path_join }}'
{% endif %}
+{% if 'basic_auth' in prometheus_server_alertmanager %}
+ basic_auth:
+ username: '{{ prometheus_server_alertmanager.basic_auth.username }}'
+ password_file: '/etc/prometheus/prometheus-alertmanager.password'
+{% endif %}
static_configs:
- targets: ['{{ prometheus_server_alertmanager.url }}']
{% endif %}