add mSSL support for the prometheus server

2021-09-21 16:30:49 +02:00 · 2021-09-21 16:30:49 +02:00 · 5a3268dc37
commit 5a3268dc37
parent 569c9df319
3 changed files with 24 additions and 1 deletions
--- a/roles/prometheus-node-exporter/tasks/main.yml
+++ b/roles/prometheus-node-exporter/tasks/main.yml
@ -37,7 +37,7 @@
    group: prometheus
    key_mode: u=rw,g=,o=
    subject_alt_name: "IP:{{ lan_address }}"
-  notify: Restart prometheus-node-exporter
+# Need an equivalent to notify here

 - name: Copy the CA cert
  copy:
--- a/roles/prometheus/tasks/main.yml
+++ b/roles/prometheus/tasks/main.yml
@ -19,6 +19,24 @@
    owner: prometheus
    mode: u=rwx,g=rx,o=rx

+- name: Generate certificate
+  include_role:
+    name: generate-cert
+  vars:
+    directory: /etc/prometheus/
+    cname: "prometheus-{{ lan_address }}"
+    owner: prometheus
+    group: prometheus
+    key_mode: u=rw,g=,o=
+    subject_alt_name: "IP:{{ lan_address }}"
+# Need an equivalent to notify here
+
+- name: Copy the CA cert
+  copy:
+    content: "{{ ca_cert }}"
+    dest: /etc/prometheus/ca.crt
+  notify: Restart prometheus
+
 - name: Setup the prometheus config
  template:
    src: prometheus.yml
--- a/roles/prometheus/templates/prometheus.yml
+++ b/roles/prometheus/templates/prometheus.yml
@ -45,3 +45,8 @@ scrape_configs:
      - source_labels: [__param_target]
        target_label: __address__
        replacement: '$1:9100'
+    scheme: https
+    tls_config:
+      ca_file: '/etc/prometheus/ca.crt'
+      cert_file: '/etc/prometheus/prometheus-{{ lan_address }}.crt'
+      key_file: '/etc/prometheus/prometheus-{{ lan_address }}.key'