From ebaa6201168266393dea9182505275539c297618 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Wed, 27 Oct 2021 23:05:31 +0200
Subject: add basic auth to prometheus/server
---
 chaos-at-home/host_vars/ch-mon.yml | 22 +++++++++++++---------
 inventory/host_vars/ch-mon.yml | 3 +++
 .../prometheus/server/defaults/main/main.yml | 3 +++
 roles/monitoring/prometheus/server/tasks/main.yml | 16 ++++++++++++++++
 .../server/templates/prometheus.service.j2 | 2 +-
 5 files changed, 36 insertions(+), 10 deletions(-)
diff --git a/chaos-at-home/host_vars/ch-mon.yml b/chaos-at-home/host_vars/ch-mon.yml
index a4b2ea77..e4991b12 100644
--- a/chaos-at-home/host_vars/ch-mon.yml
+++ b/chaos-at-home/host_vars/ch-mon.yml
@@ -1,10 +1,14 @@
 $ANSIBLE_VAULT;1.2;AES256;chaos-at-home
-37346236393235663838306466333130363230643438623263666363623933653335636432643366
-6134333865633537323934393937613938333264636336630a653164313734613832653364666630
-38643965333832646563386338643666323735363034333338646432343634643265626337333632
-6564666239623835650a656231376135663132356464366139376230626331633466646339346263
-63633438616533356631303431343830613265323239336262333365633234303830373432623830
-62333033353262386266343737643533336562333938613963306666653238353065376134333462
-62336535663264616130363439356436613964663335333035313935653866613036313134303965
-35313031386633326235336462646131613232643961643832383931323163373364336365313139
-37613233343137366531386131333839383061323438633739343363383361666139
+30616132313037366566343937663637646165656539653234373737613735343762373865636534
+3462363461653439323066376633623061323030643436300a663966666563653963323265666539
+61643435633938646337643638323334393737663031623233623662383166393962353263323634
+3431333263313832350a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
diff --git a/inventory/host_vars/ch-mon.yml b/inventory/host_vars/ch-mon.yml
index 37fcb648..60361738 100644
--- a/inventory/host_vars/ch-mon.yml
+++ b/inventory/host_vars/ch-mon.yml
@@ -67,6 +67,9 @@ prometheus_server_alertmanager:
 prometheus_server_web_external_url: /prometheus/
+prometheus_server_auth_users:
+ admin: "{{ vault_prometheus_server_auth_user_passwords['admin'] }}"
+
 prometheus_exporters_extra:
 - blackbox
diff --git a/roles/monitoring/prometheus/server/defaults/main/main.yml b/roles/monitoring/prometheus/server/defaults/main/main.yml
index 3aea0509..d149483e 100644
--- a/roles/monitoring/prometheus/server/defaults/main/main.yml
+++ b/roles/monitoring/prometheus/server/defaults/main/main.yml
@@ -29,3 +29,6 @@ prometheus_server_rules:
 prometheus_server_web_listen_address: 127.0.0.1:9090
 # prometheus_server_web_external_url: /prometheus/
+
+# prometheus_server_auth_users:
+# foo: secret
diff --git a/roles/monitoring/prometheus/server/tasks/main.yml b/roles/monitoring/prometheus/server/tasks/main.yml
index 1d89fc5a..f5965883 100644
--- a/roles/monitoring/prometheus/server/tasks/main.yml
+++ b/roles/monitoring/prometheus/server/tasks/main.yml
@@ -95,6 +95,22 @@
 validate: "promtool check config %s"
 notify: reload prometheus
+- name: generate web configuration file
+ when: prometheus_server_auth_users is defined
+ copy:
+ content: |
+ # Ansible managed
+ basic_auth_users:
+ {% for user,password in prometheus_server_auth_users.items() %}
+ {{ user }}: {{ password | password_hash('bcrypt', (user~'@'~inventory_hostname~'/prometheus/server') | bcrypt_salt) }}
+ {% endfor %}
+ dest: /etc/prometheus/prometheus-web.yml
+ mode: 0640
+ owner: root
+ group: prometheus
+ validate: "promtool check web-config %s"
+ notify: reload prometheus
+
 - name: generate systemd service unit
 template:
 src: prometheus.service.j2
diff --git a/roles/monitoring/prometheus/server/templates/prometheus.service.j2 b/roles/monitoring/prometheus/server/templates/prometheus.service.j2
index 3a366a61..b21cceae 100644
--- a/roles/monitoring/prometheus/server/templates/prometheus.service.j2
+++ b/roles/monitoring/prometheus/server/templates/prometheus.service.j2
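Review bot: The commented example `# prometheus_server_auth_users:` / `#   foo: secret` added to defaults/main/main.yml does not say what the value is, and defaults is the only place a role user reads; the tasks file hashes each value with bcrypt at deploy time, so the value is the plaintext password and should come from vault, as the inventory change does. I would extend it to `# basic-auth user -> plaintext password; hashed with bcrypt at deploy time, keep the values in vault`. It is also worth one sentence that this enables HTTP basic auth only, not TLS, so the listener should stay on the loopback address shown above (`127.0.0.1:9090`) or behind a TLS-terminating proxy.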
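Review bot: The bcrypt line in the new `generate web configuration file` task derives its salt deterministically from `user~'@'~inventory_hostname~'/prometheus/server'` with no comment on why, and the next reader may "fix" it to a random salt and make the task report changed on every run; I would add `# salt is derived from user/host so the hash (and thus the file) is stable across runs` above the `{% for %}` block, and note that `password_hash('bcrypt', ...)` needs passlib on the controller while `bcrypt_salt` looks like a repo-local filter rather than core Ansible, so its location is worth naming. `mode: 0640` should be quoted as `mode: "0640"` so the result does not depend on the YAML loader's octal handling, which is the form ansible-lint recommends. Nothing removes `/etc/prometheus/prometheus-web.yml` once `prometheus_server_auth_users` is undefined again: the unit stops passing `--web.config.file`, but the hash file stays readable to the prometheus group, so a `file: state=absent` counterpart under the inverse `when:` would keep the host clean.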
@@ -6,7 +6,7 @@ After=time-sync.target
 [Service]
 Restart=on-failure
 User=prometheus
-ExecStart=/usr/bin/prometheus --config.file=/etc/prometheus/prometheus.yml --storage.tsdb.path=/var/lib/prometheus/metrics2/ --storage.tsdb.retention.time={{ prometheus_server_retention }}{% if prometheus_server_web_external_url is defined %} --web.external-url={{ prometheus_server_web_external_url }}{% endif %} --web.listen-address={{ prometheus_server_web_listen_address }}
+ExecStart=/usr/bin/prometheus --config.file=/etc/prometheus/prometheus.yml --storage.tsdb.path=/var/lib/prometheus/metrics2/ --storage.tsdb.retention.time={{ prometheus_server_retention }}{% if prometheus_server_web_external_url is defined %} --web.external-url={{ prometheus_server_web_external_url }}{% endif %}{% if prometheus_server_auth_users is defined %} --web.config.file /etc/prometheus/prometheus-web.yml{% endif %} --web.listen-address={{ prometheus_server_web_listen_address }}
 ExecReload=/bin/kill -HUP $MAINPID
 TimeoutStopSec=20s
 SendSIGKILL=no
--
cgit v1.2.3
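Review bot: The new `--web.config.file /etc/prometheus/prometheus-web.yml` in ExecStart is the only flag on the line passed with a space instead of `=`; Prometheus accepts both forms, but `--web.config.file=/etc/prometheus/prometheus-web.yml` keeps the line consistent and greppable. The same path is now hard-coded both here and in the tasks file's `dest:`, so a single role variable would keep the two from drifting apart. Toggling the flag changes only the unit file, which `ExecReload=/bin/kill -HUP $MAINPID` does not pick up; if the template task notifies only `reload prometheus` (its notify is outside this hunk), a daemon-reload plus restart is needed before the change takes effect.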