From f294c367c70d04d3de1c10fa87c2be4ea6cc3012 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Wed, 7 Dec 2022 19:16:39 +0100
Subject: prometheus/node-exporter: make certificate SANs configurable promethues/server: add support for federation
---
 .../prometheus/exporter/base/defaults/main.yml | 4 ++++
 .../prometheus/exporter/base/tasks/tls.yml | 4 +---
 .../prometheus/server/defaults/main/main.yml | 12 ++++++++++
 roles/monitoring/prometheus/server/tasks/main.yml | 17 ++++++++++++--
 .../prometheus/server/templates/prometheus.yml.j2 | 27 ++++++++++++++++++++++
 5 files changed, 59 insertions(+), 5 deletions(-)
(limited to 'roles')
diff --git a/roles/monitoring/prometheus/exporter/base/defaults/main.yml b/roles/monitoring/prometheus/exporter/base/defaults/main.yml
index 2eef79fe..f6c8567f 100644
--- a/roles/monitoring/prometheus/exporter/base/defaults/main.yml
+++ b/roles/monitoring/prometheus/exporter/base/defaults/main.yml
@@ -1,3 +1,7 @@
 ---
 #prometheus_exporter_listen_addr:
 prometheus_exporter_listen_port: 9999
+
+prometheus_exporter_certificate_san:
+ - "DNS:{{ host_name }}.{{ host_domain }}"
+ - "IP:{{ (inventory_hostname == prometheus_server) | ternary('127.0.0.1', (prometheus_exporter_listen_addr | default(ansible_default_ipv4.address))) }}"
diff --git a/roles/monitoring/prometheus/exporter/base/tasks/tls.yml b/roles/monitoring/prometheus/exporter/base/tasks/tls.yml
index 35f410e8..a2d2f4a9 100644
--- a/roles/monitoring/prometheus/exporter/base/tasks/tls.yml
+++ b/roles/monitoring/prometheus/exporter/base/tasks/tls.yml
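Review bot: `prometheus_exporter_certificate_san` is introduced without a comment saying that an override replaces the whole list, so a host that sets it to add one extra name loses the default DNS and IP entries. I would put above the variable: `# SANs written into the exporter CSR; an override replaces this list, so repeat the DNS:/IP: defaults when adding names`. The IP entry also carries a special case (127.0.0.1 when the host is `prometheus_server`) whose reason is not stated; if it is because the server reaches its own exporter over loopback, a short `# server scrapes its local exporter via 127.0.0.1` would record that.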
@@ -32,9 +32,7 @@
 path: /etc/ssl/prometheus/exporter/csr.pem
 privatekey_path: /etc/ssl/prometheus/exporter/key.pem
 CN: "{{ inventory_hostname }}"
- subject_alt_name:
- - "DNS:{{ host_name }}.{{ host_domain }}"
- - "IP:{{ (inventory_hostname == prometheus_server) | ternary('127.0.0.1', (prometheus_exporter_listen_addr | default(ansible_default_ipv4.address))) }}"
+ subject_alt_name: "{{ prometheus_exporter_certificate_san }}"
 key_usage:
 - digitalSignature
 key_usage_critical: yes
diff --git a/roles/monitoring/prometheus/server/defaults/main/main.yml b/roles/monitoring/prometheus/server/defaults/main/main.yml
index 8aa06d42..375b3458 100644
--- a/roles/monitoring/prometheus/server/defaults/main/main.yml
+++ b/roles/monitoring/prometheus/server/defaults/main/main.yml
@@ -48,3 +48,15 @@ prometheus_server_web_listen_address: 127.0.0.1:9090
 # prometheus_server_selfscraping_auth:
 # username: server
 # password: changme
+
+# prometheus_server_federation:
+# somehost:
+# scheme: http
+# url: 192.2.0.1:9000
+# path_prefix: /prometheus
+# basic_auth:
+# username: federate
+# password: secret
+# jobs:
+# - node
+# - blackbox
diff --git a/roles/monitoring/prometheus/server/tasks/main.yml b/roles/monitoring/prometheus/server/tasks/main.yml
index e93221d5..fce41214 100644
--- a/roles/monitoring/prometheus/server/tasks/main.yml
+++ b/roles/monitoring/prometheus/server/tasks/main.yml
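Review bot: `subject_alt_name` now takes whatever `prometheus_exporter_certificate_san` resolves to, and nothing visible in this hunk checks the list before the CSR is written. The signing step is outside the hunk; if it signs the CSR as submitted, a per-host override decides which names the exporter certificate is valid for, so an empty or mistyped list should fail early rather than produce a certificate. An `assert` task ahead of the CSR task would cover it, with `that: prometheus_exporter_certificate_san | length > 0` and `that: prometheus_exporter_certificate_san | reject('match', '^(DNS|IP):') | list | length == 0`. The CSR task itself begins above the hunk.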
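Review bot: The commented example pairs `scheme: http` with `basic_auth`, which would send the federation credentials unencrypted, while the template's own default is `https`; the example should read `scheme: https` or omit the key. `192.2.0.1` is not in a documentation range and looks like a transposition of `192.0.2.1` (RFC 5737 TEST-NET-1). The key `url` holds a `host:port` scrape target rather than a URL, which a one-line comment should say, and the password line would be better shown as a reference to a vaulted variable, e.g. `password: "{{ vault_federation_password }}"` (placeholder name), than as a literal.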
@@ -91,13 +91,13 @@
 notify: reload prometheus
 - name: create sub-directories for all jobs in rules directory
- loop: "{{ prometheus_server_jobs | select('match', '.*/.*') | map('dirname') | unique }}"
+ loop: "{{ prometheus_server_jobs | union(prometheus_server_federation | default({}) | dict2items | map(attribute='value.jobs') | flatten | unique) | select('match', '.*/.*') | map('dirname') | unique }}"
 file:
 path: "/etc/prometheus/rules/{{ item }}"
 state: directory
 - name: generate rules files for all jobs
- loop: "{{ prometheus_server_jobs | union(['prometheus']) }}"
+ loop: "{{ prometheus_server_jobs | union(prometheus_server_federation | default({}) | dict2items | map(attribute='value.jobs') | flatten | unique) | union(['prometheus']) }}"
 template:
 src: rules.yml.j2
 dest: "/etc/prometheus/rules/{{ item }}.yml"
@@ -151,6 +151,19 @@
 no_log: yes
 notify: reload prometheus
+- name: generate password file prometheus server to access federation
+ loop: "{{ prometheus_server_federation | default({}) | dict2items | selectattr('value.basic_auth', 'defined') }}"
+ loop_control:
+ label: "{{ item.key }}"
+ copy:
+ content: "{{ item.value.basic_auth.password }}\n"
+ dest: "/etc/prometheus/prometheus-federation-{{ item.key }}.password"
+ mode: 0640
+ owner: root
+ group: prometheus
+ no_log: yes
+ notify: reload prometheus
+
 - name: generate systemd service unit
 template:
 src: prometheus.service.j2
diff --git a/roles/monitoring/prometheus/server/templates/prometheus.yml.j2 b/roles/monitoring/prometheus/server/templates/prometheus.yml.j2
index aed69de5..e9d83c1d 100644
--- a/roles/monitoring/prometheus/server/templates/prometheus.yml.j2
+++ b/roles/monitoring/prometheus/server/templates/prometheus.yml.j2
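Review bot: The expression `prometheus_server_federation | default({}) | dict2items | map(attribute='value.jobs') | flatten | unique` is written out twice, once in the `create sub-directories` loop and once in the `generate rules files` loop, and `map(attribute='value.jobs')` will raise on a federation entry that has no `jobs` key. Defining it once in the role's vars, for example `prometheus_server_federation_jobs: "{{ prometheus_server_federation | default({}) | dict2items | map(attribute='value.jobs', default=[]) | flatten | unique }}"` (the name is a suggestion), and using `union(prometheus_server_federation_jobs)` in both loops keeps the two lists from drifting apart. Both tasks extend outside the hunk.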
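Review bot: The files written by `generate password file prometheus server to access federation` are never removed, so when a source is dropped from `prometheus_server_federation` or loses its `basic_auth`, its credential stays in `/etc/prometheus`, readable by group `prometheus`. A cleanup pass after this task, sketched below, would delete password files that no longer belong to a configured source. Separately, `mode: 0640` is safer written as `mode: "0640"`, and `item.key` goes into the file name unchecked, so a key containing `/` would change the target path.

```yaml
# … unchanged: "generate password file prometheus server to access federation" task …

- name: list federation password files present on disk
  find:
    paths: /etc/prometheus
    patterns: 'prometheus-federation-*.password'
  register: prometheus_server_federation_password_files

- name: remove password files of federation sources that are no longer configured
  loop: "{{ prometheus_server_federation_password_files.files | map(attribute='path') | difference(prometheus_server_federation | default({}) | dict2items | selectattr('value.basic_auth', 'defined') | map(attribute='key') | map('regex_replace', '^(.*)$', '/etc/prometheus/prometheus-federation-\\1.password') | list) }}"
  file:
    path: "{{ item }}"
    state: absent
```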
@@ -67,3 +67,30 @@ scrape_configs:
 {{ prometheus_server_jobs_extra | indent(2) }}
 {% endif %}
+{% for source, config in (prometheus_server_federation | default({})).items() %}
+
+ ## federation: {{ source }}
+{% for job in config.jobs %}
+
+ - job_name: 'federate/{{ source }}/{{ job }}'
+ scrape_interval: 15s
+ scrape_timeout: 15s
+ scheme: {{ config.scheme | default('https') }}
+ metrics_path: {{ config.path_prefix | default('') }}/federate
+{% if 'basic_auth' in config %}
+ basic_auth:
+ username: '{{ config.basic_auth.username }}'
+ password_file: '/etc/prometheus/prometheus-federation-{{ source }}.password'
+{% endif %}
+ honor_labels: true
+ metric_relabel_configs:
+ - source_labels: [id]
+ regex: '^static-agent$'
+ action: drop
+ params:
+ match[]:
+ - '{job="{{ job }}"}'
+ static_configs:
+ - targets: ['{{ config.url }}']
+{% endfor %}
+{% endfor %}
--
cgit v1.2.3
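Review bot: `scheme:` and `metrics_path:` are rendered unquoted and `username:` is wrapped in single quotes without escaping, so an inventory value containing `'`, `: ` or ` #` produces invalid or differently parsed YAML in the generated Prometheus config. Emitting these through a serialising filter is more robust, e.g. `username: {{ config.basic_auth.username | to_json }}` and `metrics_path: {{ (config.path_prefix | default('') ~ '/federate') | to_json }}`; the same applies to `{{ job }}` inside the `match[]` selector, where a `"` in the job name would break the matcher. The `metric_relabel_configs` rule has no explanation, and a `##` comment line above it saying why series whose `id` equals `static-agent` are dropped would help the next reader.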