From 187894ff0d651f0f9924df9a40bc1085f4172612 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Wed, 27 Oct 2021 23:30:04 +0200
Subject: prometheus add basic auth to alert-manager
---
 chaos-at-home/host_vars/ch-mon.yml | 30 ++++++++++++----------
 inventory/host_vars/ch-mon.yml | 7 +++++
 .../prometheus/alertmanager/defaults/main.yml | 3 +++
 .../prometheus/alertmanager/tasks/main.yml | 15 +++++++++++
 .../templates/prometheus-alertmanager.service.j2 | 2 +-
 roles/monitoring/prometheus/server/tasks/main.yml | 11 ++++++++
 .../server/templates/prometheus.service.j2 | 2 +-
 .../prometheus/server/templates/prometheus.yml.j2 | 10 ++++++++
 8 files changed, 65 insertions(+), 15 deletions(-)
diff --git a/chaos-at-home/host_vars/ch-mon.yml b/chaos-at-home/host_vars/ch-mon.yml
index e4991b12..132e3e9f 100644
--- a/chaos-at-home/host_vars/ch-mon.yml
+++ b/chaos-at-home/host_vars/ch-mon.yml
@@ -1,14 +1,18 @@ $ANSIBLE_VAULT;1.2;AES256;chaos-at-home
-30616132313037366566343937663637646165656539653234373737613735343762373865636534
-3462363461653439323066376633623061323030643436300a663966666563653963323265666539
-61643435633938646337643638323334393737663031623233623662383166393962353263323634
-3431333263313832350a386663376131653830326334373233316234316662346565306431313930
-63623732393365393031636438363233656164363435356135313534646334343065323966663765
-65373636303038653638336435326162363933376639623730656230383530653139626335356330
-32633534636462346530376535373130643137303232333162356231663962633132333361623264
-63323838323766626264643034333231333363373231666439613937313631316164383433353932
-36326137623335346231663832626134656463613330643830303432356464623232623765333465
-35663866343164653164373665376434316233376364393039666233633436356233373638656232
-35323564306133343838336132386531373239313439663265383837663066303636376338353630
-31373661643365333333383733623565346538636334393135666339336339663763623162313930
-6464
+31613732366630363830623161656537376532616661303238666631393766636164386534646162
+3633366463313561393664393861313939643631616235640a313266636663626463643261313734
+34353361313564323136316262326238323766643639643962373039333637393238623935626366
+6636663635633834370a663632396332383631643865393835313637363539326362663366616332
+36313463303639306330313833616437663336316632376461396130623065616132613666616361
+32303333386164633766333164363461393364306536663439346534613832383631613433303432
+37356363623539656365353130333237633466343463363138313933623962313763643033396338
+66663738333261633065653966373835653932313439366165313031626436343630323434376233
+30313330333065653063636139366530376130313139323633613736373231373236643265656666
+66373261373435323334396465323366646366663861346434396331303135313763326332663965
+61623531363631313239383462323166383435326633623461663935356536326365383535376236
+61643231343865643064333038613434336661376465656435383930623335623837376263333433
+66633836623062333135643362623230373538386163633761336237383361323361366632656335
+34633263303763376437613033623530666638666461643033356331393131316564393663656665
+33616331366465633733313135646464353836373933336634303938633533666439306564623533
+31396131653334653663323061626162346631396337623831396138626464613530616337633262
+30336136643734333832323663356437376561373961336231366334376262613034
diff --git a/inventory/host_vars/ch-mon.yml b/inventory/host_vars/ch-mon.yml
index 60361738..743a7136 100644
--- a/inventory/host_vars/ch-mon.yml
+++ b/inventory/host_vars/ch-mon.yml
@@ -64,6 +64,9 @@ prometheus_server_storage:
 prometheus_server_alertmanager:
 url: "127.0.0.1:9093"
 path_prefix: "/alertmanager/"
+ basic_auth:
+ username: server
+ password: "{{ vault_prometheus_alertmanager_auth_user_passwords['server'] }}"
 prometheus_server_web_external_url: /prometheus/
@@ -129,6 +132,10 @@ prometheus_alertmanager_smtp:
 prometheus_alertmanager_web_route_prefix: /alertmanager/
+prometheus_alertmanager_auth_users:
+ server: "{{ vault_prometheus_alertmanager_auth_user_passwords['server'] }}"
+ admin: "{{ vault_prometheus_alertmanager_auth_user_passwords['admin'] }}"
+
 grafana_secret_key: "{{ vault_grafana_secret_key }}"
diff --git a/roles/monitoring/prometheus/alertmanager/defaults/main.yml b/roles/monitoring/prometheus/alertmanager/defaults/main.yml
index ecec1d7c..a7f94b38 100644
--- a/roles/monitoring/prometheus/alertmanager/defaults/main.yml
+++ b/roles/monitoring/prometheus/alertmanager/defaults/main.yml
@@ -19,3 +19,6 @@ prometheus_alertmanager_route:
 prometheus_alertmanager_receivers:
 - name: empty
+
+# prometheus_server_auth_users:
+# foo: secret
diff --git a/roles/monitoring/prometheus/alertmanager/tasks/main.yml b/roles/monitoring/prometheus/alertmanager/tasks/main.yml
index 10c0860a..338b0cbe 100644
--- a/roles/monitoring/prometheus/alertmanager/tasks/main.yml
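Review bot: The commented example in alertmanager/defaults/main.yml names the wrong variable: the alertmanager role keys everything on `prometheus_alertmanager_auth_users` (the `when:` in tasks/main.yml and the `{% if %}` in the service template of this same commit), but the example reads `# prometheus_server_auth_users:`, which looks copied from the server role and would lead a reader to define a variable this role never reads. Change the two lines to `# prometheus_alertmanager_auth_users:` / `#   foo: secret`. A third comment line saying where the values end up, e.g. `# written bcrypt-hashed to /etc/prometheus/alertmanager-web.yml; keep real values in vault`, would make the contract clear without reading the tasks.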
+++ b/roles/monitoring/prometheus/alertmanager/tasks/main.yml
@@ -32,6 +32,21 @@
 dest: /etc/prometheus/alertmanager.yml
 notify: reload prometheus-alertmanager
+- name: generate web configuration file
+ when: prometheus_alertmanager_auth_users is defined
+ copy:
+ content: |
+ # Ansible managed
+ basic_auth_users:
+ {% for user,password in prometheus_alertmanager_auth_users.items() %}
+ {{ user }}: {{ password | password_hash('bcrypt', (user~'@'~inventory_hostname~'/prometheus/alertmanager') | bcrypt_salt) }}
+ {% endfor %}
+ dest: /etc/prometheus/alertmanager-web.yml
+ mode: 0640
+ owner: root
+ group: prometheus-alertmanager
+ notify: reload prometheus-alertmanager
+
 - name: generate systemd service unit
 template:
 src: prometheus-alertmanager.service.j2
diff --git a/roles/monitoring/prometheus/alertmanager/templates/prometheus-alertmanager.service.j2 b/roles/monitoring/prometheus/alertmanager/templates/prometheus-alertmanager.service.j2
index e548607d..5e0e3008 100644
--- a/roles/monitoring/prometheus/alertmanager/templates/prometheus-alertmanager.service.j2
+++ b/roles/monitoring/prometheus/alertmanager/templates/prometheus-alertmanager.service.j2
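Review bot: The new "generate web configuration file" task has no `no_log`, although the rendered `content` (the bcrypt hashes that the `0640` mode on the file is there to protect) shows up in module args on verbose runs and in `--diff` output; the analogous password-file task added to the server role in this commit sets `no_log: yes`, so add `no_log: true` here for the same reason. The server role also validates its web config with `validate: "promtool check web-config %s"` (visible as context in the server tasks hunk); the same `validate:` on this `copy` would reject a malformed hash line before the reload handler fires, provided promtool is present on the alertmanager host. `bcrypt_salt` is not a built-in Ansible filter, so it is presumably a project filter plugin, and the salt input `user~'@'~inventory_hostname~'/prometheus/alertmanager'` looks chosen so the hash is stable across runs; a comment such as `# deterministic per-user salt so the file is idempotent and the handler does not fire every run` would spare the next reader that reconstruction. Minor style: `mode: 0640` here and in the server role's password-file task is an unquoted leading-zero literal that YAML parses as an integer; `mode: "0640"` is the form that survives every parser and linter.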
@@ -5,7 +5,7 @@ Documentation=https://prometheus.io/docs/alerting/alertmanager/
 [Service]
 Restart=on-failure
 User=prometheus-alertmanager
-ExecStart=/usr/bin/prometheus-alertmanager --config.file=/etc/prometheus/alertmanager.yml --cluster.listen-address= --storage.path="/var/lib/prometheus/alertmanager"{% if prometheus_alertmanager_web_route_prefix is defined %} --web.route-prefix={{ prometheus_alertmanager_web_route_prefix }}{% endif %} --web.listen-address={{ prometheus_alertmanager_web_listen_address }}
+ExecStart=/usr/bin/prometheus-alertmanager --config.file=/etc/prometheus/alertmanager.yml --cluster.listen-address= --storage.path="/var/lib/prometheus/alertmanager"{% if prometheus_alertmanager_web_route_prefix is defined %} --web.route-prefix={{ prometheus_alertmanager_web_route_prefix }}{% endif %}{% if prometheus_alertmanager_auth_users is defined %} --web.config.file=/etc/prometheus/alertmanager-web.yml{% endif %} --web.listen-address={{ prometheus_alertmanager_web_listen_address }}
 ExecReload=/bin/kill -HUP $MAINPID
 TimeoutStopSec=20s
 SendSIGKILL=no
diff --git a/roles/monitoring/prometheus/server/tasks/main.yml b/roles/monitoring/prometheus/server/tasks/main.yml
index f5965883..b2e5f0eb 100644
--- a/roles/monitoring/prometheus/server/tasks/main.yml
+++ b/roles/monitoring/prometheus/server/tasks/main.yml
@@ -111,6 +111,17 @@
 validate: "promtool check web-config %s"
 notify: reload prometheus
+- name: generate password file prometheus server to access alertmanager
+ when: "'basic_auth' in prometheus_server_alertmanager"
+ copy:
+ content: "{{ prometheus_server_alertmanager.basic_auth.password }}\n"
+ dest: /etc/prometheus/prometheus-alertmanager.password
+ mode: 0640
+ owner: root
+ group: prometheus
+ no_log: yes
+ notify: reload prometheus
+
 - name: generate systemd service unit
 template:
 src: prometheus.service.j2
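Review bot: The added `--web.config.file=/etc/prometheus/alertmanager-web.yml` only takes effect when the unit is restarted, not through `ExecReload=/bin/kill -HUP $MAINPID`, so enabling `prometheus_alertmanager_auth_users` on a host that is already running leaves the listener unauthenticated until something restarts the service. The "generate systemd service unit" task that renders this template is outside the hunk, so verify that it notifies a restart (with daemon-reload) rather than only the reload handler the config tasks use. The flag also presumes an Alertmanager build that supports exporter-toolkit web configuration; nothing in the role pins that, so a template comment such as `{# --web.config.file requires an Alertmanager release with web-config (exporter-toolkit) support #}` would explain a failed start on an older package.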
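Review bot: Once `basic_auth` is removed from `prometheus_server_alertmanager`, the `when:` guard skips this task and `/etc/prometheus/prometheus-alertmanager.password` stays on disk with the old credential while the templated prometheus.yml stops referencing it, so nothing ever cleans the secret up; a companion task with the inverted condition would keep the host tidy. The same stale-file consideration applies to `/etc/prometheus/alertmanager-web.yml` in the alertmanager role's new task. `no_log: yes` is the right call for a task whose content is a plaintext password; `no_log: true` is the canonical boolean spelling.
```yaml
# … unchanged: generate password file task …
- name: remove alertmanager password file when basic auth is not configured
  when: "'basic_auth' not in prometheus_server_alertmanager"
  file:
    path: /etc/prometheus/prometheus-alertmanager.password
    state: absent
  notify: reload prometheus
```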
diff --git a/roles/monitoring/prometheus/server/templates/prometheus.service.j2 b/roles/monitoring/prometheus/server/templates/prometheus.service.j2
index b21cceae..77a3b02a 100644
--- a/roles/monitoring/prometheus/server/templates/prometheus.service.j2
+++ b/roles/monitoring/prometheus/server/templates/prometheus.service.j2
@@ -6,7 +6,7 @@ After=time-sync.target
 [Service]
 Restart=on-failure
 User=prometheus
-ExecStart=/usr/bin/prometheus --config.file=/etc/prometheus/prometheus.yml --storage.tsdb.path=/var/lib/prometheus/metrics2/ --storage.tsdb.retention.time={{ prometheus_server_retention }}{% if prometheus_server_web_external_url is defined %} --web.external-url={{ prometheus_server_web_external_url }}{% endif %}{% if prometheus_server_auth_users is defined %} --web.config.file /etc/prometheus/prometheus-web.yml{% endif %} --web.listen-address={{ prometheus_server_web_listen_address }}
+ExecStart=/usr/bin/prometheus --config.file=/etc/prometheus/prometheus.yml --storage.tsdb.path=/var/lib/prometheus/metrics2/ --storage.tsdb.retention.time={{ prometheus_server_retention }}{% if prometheus_server_web_external_url is defined %} --web.external-url={{ prometheus_server_web_external_url }}{% endif %}{% if prometheus_server_auth_users is defined %} --web.config.file=/etc/prometheus/prometheus-web.yml{% endif %} --web.listen-address={{ prometheus_server_web_listen_address }}
 ExecReload=/bin/kill -HUP $MAINPID
 TimeoutStopSec=20s
 SendSIGKILL=no
diff --git a/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 b/roles/monitoring/prometheus/server/templates/prometheus.yml.j2
index e73ca354..98ac1aaa 100644
--- a/roles/monitoring/prometheus/server/templates/prometheus.yml.j2
+++ b/roles/monitoring/prometheus/server/templates/prometheus.yml.j2
@@ -18,6 +18,11 @@ alerting:
 {% if 'path_prefix' in prometheus_server_alertmanager %}
 path_prefix: '{{ prometheus_server_alertmanager.path_prefix }}'
 {% endif %}
+{% if 'basic_auth' in prometheus_server_alertmanager %}
+ basic_auth:
+ username: '{{ prometheus_server_alertmanager.basic_auth.username }}'
+ password_file: '/etc/prometheus/prometheus-alertmanager.password'
+{% endif %}
 {% endif %}
 scrape_configs:
@@ -34,6 +39,11 @@ scrape_configs:
 - job_name: 'alertmanager'
 {% if 'path_prefix' in prometheus_server_alertmanager %}
 metrics_path: '{{ (prometheus_server_alertmanager.path_prefix, 'metrics') | path_join }}'
+{% endif %}
+{% if 'basic_auth' in prometheus_server_alertmanager %}
+ basic_auth:
+ username: '{{ prometheus_server_alertmanager.basic_auth.username }}'
+ password_file: '/etc/prometheus/prometheus-alertmanager.password'
 {% endif %}
 static_configs:
 - targets: ['{{ prometheus_server_alertmanager.url }}']
-- cgit v1.2.3
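Review bot: The `basic_auth:` / `username:` / `password_file:` block is pasted verbatim into both the `alertmanagers` entry and the `alertmanager` scrape job, and the literal `/etc/prometheus/prometheus-alertmanager.password` now appears twice here and a third time in the server tasks hunk that writes it; a single `{% set alertmanager_password_file = '/etc/prometheus/prometheus-alertmanager.password' %}` near the top of the template (or a role variable shared with the task) keeps the three in step if the path ever moves. The username is interpolated into hand-written single quotes, so a value containing `'` would render invalid YAML; `username: {{ prometheus_server_alertmanager.basic_auth.username | to_json }}` lets the filter do the quoting. Both hunks sit inside structures (the `alerting:` block's outer `{% if %}`, the `scrape_configs:` list) that open outside the hunk.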