add mSSL between prometheus and alert manager
parent
8220d167e9
commit
abe6a8d90a
5 changed files with 58 additions and 19 deletions
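--- a/roles/prometheus-alert-manager/meta/main.yml
+++ b/roles/prometheus-alert-manager/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+- role: install_nginx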
@ -20,22 +20,39 @@
|
||||||
vars:
|
vars:
|
||||||
args:
|
args:
|
||||||
- name: web.listen-address
|
- name: web.listen-address
|
||||||
value: "{{ lan_address }}:9093"
|
value: "127.0.0.1:9093"
|
||||||
|
|
||||||
#- name: Copy the CA cert
|
- name: Copy the CA cert
|
||||||
# copy:
|
copy:
|
||||||
# content: "{{ ca_cert }}"
|
content: "{{ ca_cert }}"
|
||||||
# dest: /etc/?/ca.crt
|
dest: /etc/prometheus/ca.crt
|
||||||
# notify: Restart Alertmanager
|
notify:
|
||||||
#
|
- Restart Alertmanager
|
||||||
#- name: Generate certificate
|
- Reload nginx
|
||||||
# include_role:
|
|
||||||
# name: generate-cert
|
- name: Generate certificate
|
||||||
# vars:
|
include_role:
|
||||||
# directory: /etc/?/
|
name: generate-cert
|
||||||
# cname: "alertmanager-{{ lan_address }}"
|
vars:
|
||||||
# owner: ?
|
directory: /etc/prometheus/
|
||||||
# group: ?
|
cname: "alertmanager-{{ lan_address }}"
|
||||||
# key_mode: u=rw,g=,o=
|
owner: prometheus
|
||||||
# subject_alt_name: "IP:{{ lan_address }}"
|
group: prometheus
|
||||||
## Need an equivalent to notify here
|
key_mode: u=rw,g=,o=
|
||||||
|
subject_alt_name: "IP:{{ lan_address }}"
|
||||||
|
# Need an equivalent to notify here
|
||||||
|
|
||||||
|
# Here we go, using nginx to add mSSL to prometheus... because who need to authentication on the server with ALL the jucy data?
|
||||||
|
# Think prometheus, think!
|
||||||
|
- name: Copy the nginx config
|
||||||
|
template:
|
||||||
|
src: atrocious_nginx_stub
|
||||||
|
dest: "/etc/nginx/sites-available/internal-alertmanager"
|
||||||
|
notify: Reload nginx
|
||||||
|
|
||||||
|
- name: Activate the config
|
||||||
|
file:
|
||||||
|
src: "/etc/nginx/sites-available/internal-alertmanager"
|
||||||
|
dest: "/etc/nginx/sites-enabled/internal-alertmanager"
|
||||||
|
state: link
|
||||||
|
force: yes
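Review bot: The `Activate the config` task at the end of this hunk creates the `sites-enabled` symlink without `notify: Reload nginx`, so a run that only re-creates the link leaves nginx without the client-certificate listener until something else triggers a reload; add `notify: Reload nginx` to that task. The same gap is already acknowledged for `Generate certificate` by the `# Need an equivalent to notify here` comment: a re-issued key pair is not served by nginx until the next reload. `force: yes` is better written as `force: true`. The task list starts before this hunk.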
|
||||||
|
|
|
@ -0,0 +1,13 @@
|
||||||
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen {{ lan_address }}:9093 ssl;
|
||||||
|
ssl_certificate /etc/prometheus/alertmanager-{{ lan_address }}.crt;
|
||||||
|
ssl_certificate_key /etc/prometheus/alertmanager-{{ lan_address }}.key;
|
||||||
|
ssl_client_certificate /etc/prometheus/ca.crt;
|
||||||
|
ssl_verify_client on;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://127.0.0.1:9093;
|
||||||
|
}
|
||||||
|
}
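Review bot: `ssl_verify_client on` with `ssl_client_certificate /etc/prometheus/ca.crt` accepts any certificate issued by that CA, not only the Prometheus one, so every host holding a certificate from the same CA (the Alertmanager server certificate included) can reach the Alertmanager API through this listener. If the CA is shared, consider pinning the expected subject inside `location /`, for example `if ($ssl_client_s_dn !~ "CN=prometheus-") { return 403; }`; the CN pattern is assumed from the `prometheus-{{ lan_address }}` file naming and should be checked against what generate-cert actually issues. A short comment above `proxy_pass` should also record that Alertmanager still answers plain HTTP on 127.0.0.1:9093, so processes on the host itself are not subject to the client-certificate check.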
|
|
@ -34,7 +34,9 @@
|
||||||
copy:
|
copy:
|
||||||
content: "{{ ca_cert }}"
|
content: "{{ ca_cert }}"
|
||||||
dest: /etc/prometheus/ca.crt
|
dest: /etc/prometheus/ca.crt
|
||||||
notify: Restart prometheus
|
notify:
|
||||||
|
- Restart prometheus
|
||||||
|
- Reload nginx
|
||||||
|
|
||||||
- name: Setup the prometheus config
|
- name: Setup the prometheus config
|
||||||
template:
|
template:
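Review bot: The added `- Reload nginx` entry in the `notify` list refers to a handler that this role does not appear to provide; the only `install_nginx` dependency added in this commit is in `roles/prometheus-alert-manager/meta/main.yml`, and that role is presumably where the handler comes from. Handlers are resolved per play, so this works only while both roles run in the same play; applied on its own, this task would fail with a missing-handler error whenever the CA file changes. Either add `- role: install_nginx` under `dependencies:` in this role's meta as well, or leave the reload to the Alertmanager role's own `Copy the CA cert` task, which already notifies `Reload nginx`. The task list starts and continues outside this hunk.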
|
||||||
|
|
|
@ -15,6 +15,11 @@ alerting:
|
||||||
alertmanagers:
|
alertmanagers:
|
||||||
- static_configs:
|
- static_configs:
|
||||||
- targets: ['{{ lan_address }}:9093']
|
- targets: ['{{ lan_address }}:9093']
|
||||||
|
scheme: https
|
||||||
|
tls_config:
|
||||||
|
ca_file: '/etc/prometheus/ca.crt'
|
||||||
|
cert_file: '/etc/prometheus/prometheus-{{ lan_address }}.crt'
|
||||||
|
key_file: '/etc/prometheus/prometheus-{{ lan_address }}.key'
|
||||||
|
|
||||||
# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
|
# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
|
||||||
rule_files:
|
rule_files:
|
||||||
|
|