From 187894ff0d651f0f9924df9a40bc1085f4172612 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Wed, 27 Oct 2021 23:30:04 +0200 Subject: prometheus add basic auth to alert-manager --- .../monitoring/prometheus/alertmanager/defaults/main.yml | 3 +++ roles/monitoring/prometheus/alertmanager/tasks/main.yml | 15 +++++++++++++++ .../templates/prometheus-alertmanager.service.j2 | 2 +- roles/monitoring/prometheus/server/tasks/main.yml | 11 +++++++++++ .../prometheus/server/templates/prometheus.service.j2 | 2 +- .../prometheus/server/templates/prometheus.yml.j2 | 10 ++++++++++ 6 files changed, 41 insertions(+), 2 deletions(-) (limited to 'roles') diff --git a/roles/monitoring/prometheus/alertmanager/defaults/main.yml b/roles/monitoring/prometheus/alertmanager/defaults/main.yml index ecec1d7c..a7f94b38 100644 --- a/roles/monitoring/prometheus/alertmanager/defaults/main.yml +++ b/roles/monitoring/prometheus/alertmanager/defaults/main.yml @@ -19,3 +19,6 @@ prometheus_alertmanager_route: prometheus_alertmanager_receivers: - name: empty + +# prometheus_server_auth_users: +# foo: secret diff --git a/roles/monitoring/prometheus/alertmanager/tasks/main.yml b/roles/monitoring/prometheus/alertmanager/tasks/main.yml index 10c0860a..338b0cbe 100644 --- a/roles/monitoring/prometheus/alertmanager/tasks/main.yml +++ b/roles/monitoring/prometheus/alertmanager/tasks/main.yml 
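Review bot: The commented example added at the end of alertmanager/defaults/main.yml names `prometheus_server_auth_users`, but the task and the service template this commit adds to the alertmanager role both test `prometheus_alertmanager_auth_users`. Anyone who uncomments the example as written sets a variable this role never reads, so the alertmanager web interface stays without basic auth. The example should read `# prometheus_alertmanager_auth_users:`. A one-line comment saying that the value is the plaintext password, hashed with bcrypt at deploy time, and so belongs in an encrypted vars file, would also help.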
@@ -32,6 +32,21 @@ dest: /etc/prometheus/alertmanager.yml notify: reload prometheus-alertmanager +- name: generate web configuration file + when: prometheus_alertmanager_auth_users is defined + copy: + content: | + # Ansible managed + basic_auth_users: + {% for user,password in prometheus_alertmanager_auth_users.items() %} + {{ user }}: {{ password | password_hash('bcrypt', (user~'@'~inventory_hostname~'/prometheus/alertmanager') | bcrypt_salt) }} + {% endfor %} + dest: /etc/prometheus/alertmanager-web.yml + mode: 0640 + owner: root + group: prometheus-alertmanager + notify: reload prometheus-alertmanager + - name: generate systemd service unit template: src: prometheus-alertmanager.service.j2 diff --git a/roles/monitoring/prometheus/alertmanager/templates/prometheus-alertmanager.service.j2 b/roles/monitoring/prometheus/alertmanager/templates/prometheus-alertmanager.service.j2 index e548607d..5e0e3008 100644 --- a/roles/monitoring/prometheus/alertmanager/templates/prometheus-alertmanager.service.j2 +++ b/roles/monitoring/prometheus/alertmanager/templates/prometheus-alertmanager.service.j2 
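Review bot: The new `generate web configuration file` task has no `no_log`, although its `content` template expands the plaintext passwords from `prometheus_alertmanager_auth_users` and writes their bcrypt hashes. The password-file task this commit adds to server/tasks/main.yml does set `no_log: yes`. Without it the rendered hashes can show up in `--diff` output and in task failure messages, so I would add `no_log: yes` here as well. The server role validates its web config with `promtool check web-config %s` (visible as context in that file's hunk), and an equivalent `validate:` here would catch a malformed entry before the reload, assuming a suitable checker is installed on the alertmanager host. Quoting the mode as `mode: "0640"` avoids relying on YAML 1.1 octal parsing.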
@@ -5,7 +5,7 @@ Documentation=https://prometheus.io/docs/alerting/alertmanager/ [Service] Restart=on-failure User=prometheus-alertmanager -ExecStart=/usr/bin/prometheus-alertmanager --config.file=/etc/prometheus/alertmanager.yml --cluster.listen-address= --storage.path="/var/lib/prometheus/alertmanager"{% if prometheus_alertmanager_web_route_prefix is defined %} --web.route-prefix={{ prometheus_alertmanager_web_route_prefix }}{% endif %} --web.listen-address={{ prometheus_alertmanager_web_listen_address }} +ExecStart=/usr/bin/prometheus-alertmanager --config.file=/etc/prometheus/alertmanager.yml --cluster.listen-address= --storage.path="/var/lib/prometheus/alertmanager"{% if prometheus_alertmanager_web_route_prefix is defined %} --web.route-prefix={{ prometheus_alertmanager_web_route_prefix }}{% endif %}{% if prometheus_alertmanager_auth_users is defined %} --web.config.file=/etc/prometheus/alertmanager-web.yml{% endif %} --web.listen-address={{ prometheus_alertmanager_web_listen_address }} ExecReload=/bin/kill -HUP $MAINPID TimeoutStopSec=20s SendSIGKILL=no diff --git a/roles/monitoring/prometheus/server/tasks/main.yml b/roles/monitoring/prometheus/server/tasks/main.yml index f5965883..b2e5f0eb 100644 --- a/roles/monitoring/prometheus/server/tasks/main.yml +++ b/roles/monitoring/prometheus/server/tasks/main.yml @@ -111,6 +111,17 @@ validate: "promtool check web-config %s" notify: reload prometheus +- name: generate password file prometheus server to access alertmanager + when: "'basic_auth' in prometheus_server_alertmanager" + copy: + content: "{{ prometheus_server_alertmanager.basic_auth.password }}\n" + dest: /etc/prometheus/prometheus-alertmanager.password + mode: 0640 + owner: root + group: prometheus + no_log: yes + notify: reload prometheus + - name: generate systemd service unit template: src: prometheus.service.j2 
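Review bot: The `when` on the new password-file task in server/tasks/main.yml evaluates `'basic_auth' in prometheus_server_alertmanager` directly, which fails with an undefined-variable error if `prometheus_server_alertmanager` is not set. The prometheus.yml.j2 hunk closes two `{% endif %}` blocks around the alerting section, which suggests the variable is optional there, though the outer condition lies outside the hunk. If it is optional, guard the task the same way: `when: prometheus_server_alertmanager is defined and 'basic_auth' in prometheus_server_alertmanager`. The task also leaves `/etc/prometheus/prometheus-alertmanager.password` on disk once `basic_auth` is dropped from the variable, so a counterpart task with `state: absent` would be needed to clear the stale secret.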
diff --git a/roles/monitoring/prometheus/server/templates/prometheus.service.j2 b/roles/monitoring/prometheus/server/templates/prometheus.service.j2 index b21cceae..77a3b02a 100644 --- a/roles/monitoring/prometheus/server/templates/prometheus.service.j2 +++ b/roles/monitoring/prometheus/server/templates/prometheus.service.j2 @@ -6,7 +6,7 @@ After=time-sync.target [Service] Restart=on-failure User=prometheus -ExecStart=/usr/bin/prometheus --config.file=/etc/prometheus/prometheus.yml --storage.tsdb.path=/var/lib/prometheus/metrics2/ --storage.tsdb.retention.time={{ prometheus_server_retention }}{% if prometheus_server_web_external_url is defined %} --web.external-url={{ prometheus_server_web_external_url }}{% endif %}{% if prometheus_server_auth_users is defined %} --web.config.file /etc/prometheus/prometheus-web.yml{% endif %} --web.listen-address={{ prometheus_server_web_listen_address }} +ExecStart=/usr/bin/prometheus --config.file=/etc/prometheus/prometheus.yml --storage.tsdb.path=/var/lib/prometheus/metrics2/ --storage.tsdb.retention.time={{ prometheus_server_retention }}{% if prometheus_server_web_external_url is defined %} --web.external-url={{ prometheus_server_web_external_url }}{% endif %}{% if prometheus_server_auth_users is defined %} --web.config.file=/etc/prometheus/prometheus-web.yml{% endif %} --web.listen-address={{ prometheus_server_web_listen_address }} ExecReload=/bin/kill -HUP $MAINPID TimeoutStopSec=20s SendSIGKILL=no diff --git a/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 b/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 index e73ca354..98ac1aaa 100644 --- a/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 +++ b/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 
@@ -18,6 +18,11 @@ alerting: {% if 'path_prefix' in prometheus_server_alertmanager %} path_prefix: '{{ prometheus_server_alertmanager.path_prefix }}' {% endif %} +{% if 'basic_auth' in prometheus_server_alertmanager %} + basic_auth: + username: '{{ prometheus_server_alertmanager.basic_auth.username }}' + password_file: '/etc/prometheus/prometheus-alertmanager.password' +{% endif %} {% endif %} scrape_configs: @@ -34,6 +39,11 @@ scrape_configs: - job_name: 'alertmanager' {% if 'path_prefix' in prometheus_server_alertmanager %} metrics_path: '{{ (prometheus_server_alertmanager.path_prefix, 'metrics') | path_join }}' +{% endif %} +{% if 'basic_auth' in prometheus_server_alertmanager %} + basic_auth: + username: '{{ prometheus_server_alertmanager.basic_auth.username }}' + password_file: '/etc/prometheus/prometheus-alertmanager.password' {% endif %} static_configs: - targets: ['{{ prometheus_server_alertmanager.url }}'] -- cgit v1.2.3
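Review bot: Both `basic_auth` blocks added to prometheus.yml.j2 (under `alerting:` in the first hunk and under the `alertmanager` scrape job in the second) send the password to the target in `prometheus_server_alertmanager.url`, and neither hunk shows a `scheme:` or `tls_config` for it. Prometheus defaults to `http`, so unless that is set outside the hunks or the connection stays on a trusted path, the credential crosses the network in cleartext. The alertmanager web config generated in this commit likewise contains only `basic_auth_users` and no `tls_server_config`. I would state the transport assumption in the template, e.g. `# basic auth is only protected if the alertmanager is reached via TLS or localhost`. Separately, the username is interpolated inside single quotes, so a value containing `'` would break the rendered YAML; emitting it with `| to_json` instead of hand-written quotes avoids that.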