From ebaa6201168266393dea9182505275539c297618 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Wed, 27 Oct 2021 23:05:31 +0200 Subject: add basic auth to prometheus/server --- .../monitoring/prometheus/server/defaults/main/main.yml | 3 +++ roles/monitoring/prometheus/server/tasks/main.yml | 16 ++++++++++++++++ .../prometheus/server/templates/prometheus.service.j2 | 2 +- 3 files changed, 20 insertions(+), 1 deletion(-) (limited to 'roles/monitoring') diff --git a/roles/monitoring/prometheus/server/defaults/main/main.yml b/roles/monitoring/prometheus/server/defaults/main/main.yml index 3aea0509..d149483e 100644 --- a/roles/monitoring/prometheus/server/defaults/main/main.yml +++ b/roles/monitoring/prometheus/server/defaults/main/main.yml @@ -29,3 +29,6 @@ prometheus_server_rules: prometheus_server_web_listen_address: 127.0.0.1:9090 # prometheus_server_web_external_url: /prometheus/ + +# prometheus_server_auth_users: +# foo: secret diff --git a/roles/monitoring/prometheus/server/tasks/main.yml b/roles/monitoring/prometheus/server/tasks/main.yml index 1d89fc5a..f5965883 100644 --- a/roles/monitoring/prometheus/server/tasks/main.yml +++ b/roles/monitoring/prometheus/server/tasks/main.yml @@ -95,6 +95,22 @@ validate: "promtool check config %s" notify: reload prometheus +- name: generate web configuration file + when: prometheus_server_auth_users is defined + copy: + content: | + # Ansible managed + basic_auth_users: + {% for user,password in prometheus_server_auth_users.items() %} + {{ user }}: {{ password | password_hash('bcrypt', (user~'@'~inventory_hostname~'/prometheus/server') | bcrypt_salt) }} + {% endfor %} + dest: /etc/prometheus/prometheus-web.yml + mode: 0640 + owner: root + group: prometheus + validate: "promtool check web-config %s" + notify: reload prometheus + - name: generate systemd service unit template: src: prometheus.service.j2 
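Review bot: The commented example `# foo: secret` in defaults/main/main.yml does not say what the value is. The new task in tasks/main.yml pipes it through `password_hash('bcrypt', …)`, so it is the cleartext password, and the example as written invites committing one in plain vars. I would add a line above the example such as `# values are cleartext passwords, bcrypt-hashed at deploy time; keep them in vault-encrypted vars`. It is also worth stating there that leaving the variable undefined keeps the web UI and API unauthenticated, since both the task and the unit template key off `is defined`.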
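Review bot: The `generate web configuration file` task renders every user's bcrypt hash into `content` but sets no `no_log: true`, so a run with `--diff` or raised verbosity prints those hashes into the controller output and any log that captures it. Adding `no_log: true` to the task avoids that, at the cost of hiding promtool's message when `validate` fails. `mode: 0640` is better written quoted as `mode: "0640"`, so the value does not depend on the parser's octal handling. The user name is emitted as a plain YAML key, so a name containing `: ` or ` #` is only caught by the `promtool check web-config %s` validation; quoting it as `"{{ user }}": …` would make the rendering robust.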
diff --git a/roles/monitoring/prometheus/server/templates/prometheus.service.j2 b/roles/monitoring/prometheus/server/templates/prometheus.service.j2
index 3a366a61..b21cceae 100644
--- a/roles/monitoring/prometheus/server/templates/prometheus.service.j2
+++ b/roles/monitoring/prometheus/server/templates/prometheus.service.j2
@@ -6,7 +6,7 @@ After=time-sync.target
 [Service]
 Restart=on-failure
 User=prometheus
-ExecStart=/usr/bin/prometheus --config.file=/etc/prometheus/prometheus.yml --storage.tsdb.path=/var/lib/prometheus/metrics2/ --storage.tsdb.retention.time={{ prometheus_server_retention }}{% if prometheus_server_web_external_url is defined %} --web.external-url={{ prometheus_server_web_external_url }}{% endif %} --web.listen-address={{ prometheus_server_web_listen_address }}
+ExecStart=/usr/bin/prometheus --config.file=/etc/prometheus/prometheus.yml --storage.tsdb.path=/var/lib/prometheus/metrics2/ --storage.tsdb.retention.time={{ prometheus_server_retention }}{% if prometheus_server_web_external_url is defined %} --web.external-url={{ prometheus_server_web_external_url }}{% endif %}{% if prometheus_server_auth_users is defined %} --web.config.file /etc/prometheus/prometheus-web.yml{% endif %} --web.listen-address={{ prometheus_server_web_listen_address }}
 ExecReload=/bin/kill -HUP $MAINPID
 TimeoutStopSec=20s
 SendSIGKILL=no
-- cgit v1.2.3
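Review bot: Basic auth is switched on in the new `ExecStart` line without any TLS. The web config written by tasks/main.yml holds only `basic_auth_users`, so credentials travel in cleartext on whatever `prometheus_server_web_listen_address` is set to. That is acceptable for the `127.0.0.1:9090` default behind a TLS-terminating proxy, but the default should carry a comment such as `# basic auth is sent in cleartext; keep this on loopback or front it with a TLS proxy`. As a style point, `--web.config.file /etc/prometheus/prometheus-web.yml` is the only flag on the line passed with a space; `--web.config.file=/etc/prometheus/prometheus-web.yml` matches the others. Toggling auth changes the unit file, which presumably needs a daemon-reload and restart rather than a reload; the unit task's `notify` is outside this hunk, so confirm it there.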