add mSSL between prometheus and alert manager

3 years ago · abe6a8d90a
parent 8220d167e9
commit abe6a8d90a
5 changed files with 58 additions and 19 deletions
--- a/roles/prometheus-alert-manager/meta/main.yml
+++ b/roles/prometheus-alert-manager/meta/main.yml
@ -0,0 +1,2 @@
 dependencies:
  - role: install_nginx
--- a/roles/prometheus-alert-manager/tasks/main.yml
+++ b/roles/prometheus-alert-manager/tasks/main.yml
@ -20,22 +20,39 @@
  vars:
    args:
      - name: web.listen-address
-        value: "{{ lan_address }}:9093"
+        value: "127.0.0.1:9093"
-#- name: Copy the CA cert
+- name: Copy the CA cert
-#  copy:
+  copy:
-#    content: "{{ ca_cert }}"
+    content: "{{ ca_cert }}"
-#    dest: /etc/?/ca.crt
+    dest: /etc/prometheus/ca.crt
-#  notify: Restart Alertmanager
+  notify: 
-#
+   - Restart Alertmanager
-#- name: Generate certificate
+   - Reload nginx
-#  include_role:
+
-#    name: generate-cert
+- name: Generate certificate
-#  vars:
+  include_role:
-#    directory: /etc/?/
+    name: generate-cert
-#    cname: "alertmanager-{{ lan_address }}"
+  vars:
-#    owner: ?
+    directory: /etc/prometheus/
-#    group: ?
+    cname: "alertmanager-{{ lan_address }}"
-#    key_mode: u=rw,g=,o=
+    owner: prometheus
-#    subject_alt_name: "IP:{{ lan_address }}"
+    group: prometheus
-## Need an equivalent to notify here
+    key_mode: u=rw,g=,o=
    subject_alt_name: "IP:{{ lan_address }}"
 # Need an equivalent to notify here
 # Here we go, using nginx to add mSSL to prometheus... because who need to authentication on the server with ALL the jucy data?
 # Think prometheus, think!
 - name: Copy the nginx config
  template:
    src: atrocious_nginx_stub
    dest: "/etc/nginx/sites-available/internal-alertmanager"
  notify: Reload nginx
 - name: Activate the config
  file:
    src: "/etc/nginx/sites-available/internal-alertmanager"
    dest: "/etc/nginx/sites-enabled/internal-alertmanager"
    state: link
    force: yes
--- a/roles/prometheus-alert-manager/templates/atrocious_nginx_stub
+++ b/roles/prometheus-alert-manager/templates/atrocious_nginx_stub
@ -0,0 +1,13 @@
 {{ ansible_managed | comment }}
 server {
    listen {{ lan_address }}:9093 ssl;
    ssl_certificate /etc/prometheus/alertmanager-{{ lan_address }}.crt;
    ssl_certificate_key /etc/prometheus/alertmanager-{{ lan_address }}.key;
    ssl_client_certificate /etc/prometheus/ca.crt;
    ssl_verify_client on;
    location / {
        proxy_pass http://127.0.0.1:9093;
    }
 }
--- a/roles/prometheus/tasks/main.yml
+++ b/roles/prometheus/tasks/main.yml
@ -34,7 +34,9 @@
  copy:
    content: "{{ ca_cert }}"
    dest: /etc/prometheus/ca.crt
-  notify: Restart prometheus
+  notify:
   - Restart prometheus
   - Reload nginx
 - name: Setup the prometheus config
  template:
--- a/roles/prometheus/templates/prometheus.yml
+++ b/roles/prometheus/templates/prometheus.yml
@ -15,6 +15,11 @@ alerting:
  alertmanagers:
  - static_configs:
    - targets: ['{{ lan_address }}:9093']
    scheme: https
    tls_config:
      ca_file: '/etc/prometheus/ca.crt'
      cert_file: '/etc/prometheus/prometheus-{{ lan_address }}.crt'
      key_file: '/etc/prometheus/prometheus-{{ lan_address }}.key'
 # Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
 rule_files: