add mSSL between prometheus and alert manager

3 years ago · abe6a8d90a
parent 8220d167e9
commit abe6a8d90a
5 changed files with 58 additions and 19 deletions
--- a/roles/prometheus-alert-manager/meta/main.yml
+++ b/roles/prometheus-alert-manager/meta/main.yml
@ -0,0 +1,2 @@
+dependencies:
+  - role: install_nginx
--- a/roles/prometheus-alert-manager/tasks/main.yml
+++ b/roles/prometheus-alert-manager/tasks/main.yml
@ -20,22 +20,39 @@
  vars:
    args:
      - name: web.listen-address
-        value: "{{ lan_address }}:9093"
+        value: "127.0.0.1:9093"

-#- name: Copy the CA cert
-#  copy:
-#    content: "{{ ca_cert }}"
-#    dest: /etc/?/ca.crt
-#  notify: Restart Alertmanager
-#
-#- name: Generate certificate
-#  include_role:
-#    name: generate-cert
-#  vars:
-#    directory: /etc/?/
-#    cname: "alertmanager-{{ lan_address }}"
-#    owner: ?
-#    group: ?
-#    key_mode: u=rw,g=,o=
-#    subject_alt_name: "IP:{{ lan_address }}"
-## Need an equivalent to notify here
+- name: Copy the CA cert
+  copy:
+    content: "{{ ca_cert }}"
+    dest: /etc/prometheus/ca.crt
+  notify: 
+   - Restart Alertmanager
+   - Reload nginx
+
+- name: Generate certificate
+  include_role:
+    name: generate-cert
+  vars:
+    directory: /etc/prometheus/
+    cname: "alertmanager-{{ lan_address }}"
+    owner: prometheus
+    group: prometheus
+    key_mode: u=rw,g=,o=
+    subject_alt_name: "IP:{{ lan_address }}"
+# Need an equivalent to notify here
+
+# Here we go, using nginx to add mSSL to prometheus... because who need to authentication on the server with ALL the jucy data?
+# Think prometheus, think!
+- name: Copy the nginx config
+  template:
+    src: atrocious_nginx_stub
+    dest: "/etc/nginx/sites-available/internal-alertmanager"
+  notify: Reload nginx
+
+- name: Activate the config
+  file:
+    src: "/etc/nginx/sites-available/internal-alertmanager"
+    dest: "/etc/nginx/sites-enabled/internal-alertmanager"
+    state: link
+    force: yes
--- a/roles/prometheus-alert-manager/templates/atrocious_nginx_stub
+++ b/roles/prometheus-alert-manager/templates/atrocious_nginx_stub
@ -0,0 +1,13 @@
+{{ ansible_managed | comment }}
+
+server {
+    listen {{ lan_address }}:9093 ssl;
+    ssl_certificate /etc/prometheus/alertmanager-{{ lan_address }}.crt;
+    ssl_certificate_key /etc/prometheus/alertmanager-{{ lan_address }}.key;
+    ssl_client_certificate /etc/prometheus/ca.crt;
+    ssl_verify_client on;
+
+    location / {
+        proxy_pass http://127.0.0.1:9093;
+    }
+}
--- a/roles/prometheus/tasks/main.yml
+++ b/roles/prometheus/tasks/main.yml
@ -34,7 +34,9 @@
  copy:
    content: "{{ ca_cert }}"
    dest: /etc/prometheus/ca.crt
-  notify: Restart prometheus
+  notify:
+   - Restart prometheus
+   - Reload nginx

 - name: Setup the prometheus config
  template:
--- a/roles/prometheus/templates/prometheus.yml
+++ b/roles/prometheus/templates/prometheus.yml
@ -15,6 +15,11 @@ alerting:
  alertmanagers:
  - static_configs:
    - targets: ['{{ lan_address }}:9093']
+    scheme: https
+    tls_config:
+      ca_file: '/etc/prometheus/ca.crt'
+      cert_file: '/etc/prometheus/prometheus-{{ lan_address }}.crt'
+      key_file: '/etc/prometheus/prometheus-{{ lan_address }}.key'

 # Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
 rule_files: