
add mSSL between prometheus and alert manager

monitoring
histausse 1 year ago
parent
commit
abe6a8d90a
Signed by: histausse
GPG Key ID: 67486F107F62E9E9
  1. 2
      roles/prometheus-alert-manager/meta/main.yml
  2. 53
      roles/prometheus-alert-manager/tasks/main.yml
  3. 13
      roles/prometheus-alert-manager/templates/atrocious_nginx_stub
  4. 4
      roles/prometheus/tasks/main.yml
  5. 5
      roles/prometheus/templates/prometheus.yml

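--- a/roles/prometheus-alert-manager/meta/main.yml
+++ b/roles/prometheus-alert-manager/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+- role: install_nginx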

53
roles/prometheus-alert-manager/tasks/main.yml

@ -20,22 +20,39 @@
vars:
args:
- name: web.listen-address
value: "{{ lan_address }}:9093"
value: "127.0.0.1:9093"
#- name: Copy the CA cert
# copy:
# content: "{{ ca_cert }}"
# dest: /etc/?/ca.crt
# notify: Restart Alertmanager
#
#- name: Generate certificate
# include_role:
# name: generate-cert
# vars:
# directory: /etc/?/
# cname: "alertmanager-{{ lan_address }}"
# owner: ?
# group: ?
# key_mode: u=rw,g=,o=
# subject_alt_name: "IP:{{ lan_address }}"
## Need an equivalent to notify here
- name: Copy the CA cert
copy:
content: "{{ ca_cert }}"
dest: /etc/prometheus/ca.crt
notify:
- Restart Alertmanager
- Reload nginx
- name: Generate certificate
include_role:
name: generate-cert
vars:
directory: /etc/prometheus/
cname: "alertmanager-{{ lan_address }}"
owner: prometheus
group: prometheus
key_mode: u=rw,g=,o=
subject_alt_name: "IP:{{ lan_address }}"
# Need an equivalent to notify here
# Here we go, using nginx to add mSSL to prometheus... because who need to authentication on the server with ALL the jucy data?
# Think prometheus, think!
- name: Copy the nginx config
template:
src: atrocious_nginx_stub
dest: "/etc/nginx/sites-available/internal-alertmanager"
notify: Reload nginx
- name: Activate the config
file:
src: "/etc/nginx/sites-available/internal-alertmanager"
dest: "/etc/nginx/sites-enabled/internal-alertmanager"
state: link
force: yes
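Review bot: The `Activate the config` task creates the sites-enabled symlink but carries no `notify`, so on a run where only the link changes (template task unchanged) nginx is never reloaded and the mTLS listener stays down; add `notify: Reload nginx` to that task and write `force: true` instead of the YAML 1.1 truthy `yes`. The comment `# Need an equivalent to notify here` after the generate-cert include marks a second gap in the same hunk: a rotated certificate reaches neither Alertmanager nor nginx until some other task happens to fire the handlers — if generate-cert exposes its changed state through a task result or fact, a follow-up task notifying both handlers would close it, and that is worth recording as a TODO in the file. On a host where both roles run, this role and the prometheus role now each write `/etc/prometheus/ca.crt`, which is harmless only while `ca_cert` resolves to the same value for both. The task list and the `args:` of the install task begin above the hunk.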

13
roles/prometheus-alert-manager/templates/atrocious_nginx_stub

@ -0,0 +1,13 @@
{{ ansible_managed | comment }}
server {
listen {{ lan_address }}:9093 ssl;
ssl_certificate /etc/prometheus/alertmanager-{{ lan_address }}.crt;
ssl_certificate_key /etc/prometheus/alertmanager-{{ lan_address }}.key;
ssl_client_certificate /etc/prometheus/ca.crt;
ssl_verify_client on;
location / {
proxy_pass http://127.0.0.1:9093;
}
}
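Review bot: The server block enforces client-certificate verification (`ssl_client_certificate` plus `ssl_verify_client on`) but leaves protocol and cipher selection to whatever nginx was built with, which differs between distro packages; for an internal mTLS-only listener pin it explicitly, e.g. `ssl_protocols TLSv1.2 TLSv1.3;` after the `ssl_verify_client` line. With `ssl_verify_client on` any certificate chaining to `/etc/prometheus/ca.crt` is accepted regardless of subject, so every component issued a cert from that CA can reach the Alertmanager API — if the CA is shared beyond Prometheus, a subject check (nginx exposes `$ssl_client_s_dn`) or a dedicated CA would narrow that. Style-wise the file is a Jinja template (`{{ ansible_managed | comment }}`, `{{ lan_address }}`) without a `.j2` suffix, and a header comment such as `# mTLS front for Alertmanager: terminates TLS on the LAN address and proxies to the loopback-only listener` would explain why port 9093 appears twice.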

4
roles/prometheus/tasks/main.yml

@ -34,7 +34,9 @@
copy:
content: "{{ ca_cert }}"
dest: /etc/prometheus/ca.crt
notify: Restart prometheus
notify:
- Restart prometheus
- Reload nginx
- name: Setup the prometheus config
template:
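Review bot: The CA-cert copy task now notifies `Reload nginx`, but this commit adds the `install_nginx` dependency only to the alert-manager role's meta (first file), not to the prometheus role; unless the prometheus role already depends on install_nginx or defines that handler itself, Ansible reports a missing handler and fails the task the first time the CA content changes. Either add the same `dependencies:` entry to the prometheus role's meta, or, if nginx is not in front of Prometheus on this host, keep the line as `notify: Restart prometheus`. A comment above the task, e.g. `# the CA is also the client-cert trust anchor for the nginx front, so nginx must reload too`, would explain the double notify to the next reader. The `Copy the CA cert` task this belongs to starts above the hunk.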

5
roles/prometheus/templates/prometheus.yml

@ -15,6 +15,11 @@ alerting:
alertmanagers:
- static_configs:
- targets: ['{{ lan_address }}:9093']
scheme: https
tls_config:
ca_file: '/etc/prometheus/ca.crt'
cert_file: '/etc/prometheus/prometheus-{{ lan_address }}.crt'
key_file: '/etc/prometheus/prometheus-{{ lan_address }}.key'
# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
rule_files:
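Review bot: `scheme`, `tls_config` and its three file keys must be siblings of `static_configs` inside the alertmanager entry, not children of the `- targets:` item; the rendered view has lost the indentation, so please confirm the template nests them at the `static_configs` level, otherwise Prometheus rejects the config at load and never reaches the new mTLS listener. The key material is consistent with the rest of the commit: `ca_file` matches the copy task's `dest`, and because the alert-manager role invokes generate-cert with `subject_alt_name: "IP:{{ lan_address }}"`, the IP-based target `'{{ lan_address }}:9093'` verifies without a `server_name` override, assuming both roles run on the same host as that target implies. The `prometheus-{{ lan_address }}` cert and key are presumably produced by the prometheus role's own generate-cert call, which is outside this hunk. A comment above `scheme: https`, such as `# Alertmanager sits behind an nginx mTLS front on lan_address:9093; the client cert is this host's generate-cert output`, would tie the two roles together for the reader.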
