Merge branch '577-collect-cluster-metrics-on-central-prometheus-server' into 'master'

Resolve "Collect cluster metrics on central prometheus server"

Closes #577

See merge request openappstack/openappstack!291

ansible/group_vars/all/oas.yml

@@ -29,6 +29,10 @@ wordpress_mariadb_root_password: "{{ lookup('password', '{{ cluster_dir }}/secre
 # Grafana credentials
 grafana_admin_password: "{{ lookup('password', '{{ cluster_dir }}/secrets/grafana_admin_password chars=ascii_letters') }}"
 
+# Credetnials used to protect the prometheus server. Only needed when prometheus ingress is enabled
+# username is admin
+prometheus_basic_auth: "{{ lookup('password', '{{ cluster_dir }}/secrets/prometheus_basic_auth chars=ascii_letters') }}"
+
 # Single sign-on passwords
 userpanel_oauth_client_secret: "{{ lookup('password', '{{ cluster_dir }}/secrets/userpanel_oauth_client_secret chars=ascii_letters') }}"
 nextcloud_oauth_client_secret: "{{ lookup('password', '{{ cluster_dir }}/secrets/nextcloud_oauth_client_secret chars=ascii_letters') }}"

ansible/group_vars/all/settings.yml.example

@@ -13,6 +13,8 @@ release_name: "test"
 # Important: Don't quote this variable !
 acme_staging: false
 
+prometheus_enable_ingress: false
+
 # A whitelist of applications that will be enabled.
 enabled_applications:
   # System components, necessary for the system to function.

ansible/roles/apps/tasks/prometheus.yml

 ---
-
+- name: Create auth secret for basic auth
+  tags:
+    - prometheus
+    - config
+    - secret
+  k8s:
+    state: present
+    definition:
+      api_version: v1
+      kind: Secret
+      metadata:
+        namespace: "oas"
+        name: "prometheus-basic-auth"
+      data:
+        auth: "{{ ('admin:' + (prometheus_basic_auth | password_hash('apr_md5_crypt')) + '\n')  | b64encode }}"
+  when: prometheus_enable_ingress is defined and prometheus_enable_ingress is true
 - name: Create Kubernetes secret with prometheus settings
   tags:
     - config

ansible/roles/apps/templates/settings/prometheus.yaml

+#jinja2:lstrip_blocks:"True"
 alertmanager:
   persistentVolume:
     existingClaim: "alertmanager"
@@ -8,7 +9,21 @@ server:
   persistentVolume:
     existingClaim: "prometheus-server"
   retention: "10d"
-
+  {% if prometheus_enable_ingress is defined and prometheus_enable_ingress %}
+  ingress:
+    enabled: true
+    annotations:
+      nginx.ingress.kubernetes.io/auth-type: basic
+      nginx.ingress.kubernetes.io/auth-secret: prometheus-basic-auth
+      nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
+      kubernetes.io/tls-acme: "true"
+    hosts:
+      - "prometheus.{{ domain }}"
+    tls:
+      - secretName: prometheus-tls
+        hosts:
+          - "prometheus.{{ domain }}"
+  {% endif %}
 
 serverFiles:
   alerting_rules.yml:

openappstack/__main__.py

@@ -77,6 +77,10 @@ def main():  # pylint: disable=too-many-statements,too-many-branches,too-many-lo
         type=str,
         help='hostname of the machine. If not provided for a new machine, the '
              'cluster name is used.')
+    create_parser.add_argument(
+        '--prometheus-enable-ingress',
+        action='store_true',
+        help=("Use this if you want to access OpenAppStack's prometheus api from outside"))
 
     group = create_parser.add_mutually_exclusive_group(required=True)
 
@@ -301,6 +305,8 @@ def create(clus, args):  # pylint: disable=too-many-branches
         clus.acme_staging = True
     if args.local_flux:
         clus.local_flux = True
+    if args.prometheus_enable_ingress:
+        clus.prometheus_enable_ingress = True
     if args.create_droplet:
         clus.create_droplet(ssh_key_id=args.ssh_key_id, hostname=args.create_hostname)
         if args.verbose:

openappstack/cluster.py

@@ -47,6 +47,9 @@ class Cluster:
         self.local_flux = False
         # Set this to False if the data needs to be (re)loaded from file
         self.data_loaded = False
+        # Set this to true if you want to access prometheus from outside you cluster
+        # The prometheus api is protected by basic authentication
+        self.prometheus_enable_ingress = False
         # Load data from inventory.yml and settings.yml
         if load_data:
             self.load_data()
@@ -152,6 +155,7 @@ class Cluster:
         settings['acme_staging'] = self.acme_staging
         settings['local_flux'] = self.local_flux
         settings['cluster_dir'] = self.cluster_dir
+        settings['prometheus_enable_ingress'] = self.prometheus_enable_ingress
 
         file_contents = yaml.safe_dump(settings, default_flow_style=False)
         log.debug(file_contents)
@@ -172,6 +176,7 @@ HOSTNAME={hostname}
 FQDN={domain}
 LOCAL_FLUX={local_flux}
 KUBECONFIG={secret_dir}/kube_config_cluster.yml
+PROMETHEUS_ENABLE_INGRESS={prometheus_enable_ingress}
 """
 
         with open(self.dotenv_file, 'w') as stream:
@@ -182,7 +187,8 @@ KUBECONFIG={secret_dir}/kube_config_cluster.yml
                 hostname=self.hostname,
                 domain=self.domain,
                 local_flux=self.local_flux,
-                secret_dir=self.secret_dir
+                secret_dir=self.secret_dir,
+                prometheus_enable_ingress=self.prometheus_enable_ingress
             ))
             log.info("Created %s", self.dotenv_file)
 

requirements-stable.txt

@@ -52,3 +52,4 @@ urllib3==1.25.8
 wcwidth==0.1.8
 websocket-client==0.57.0
 zipp==3.1.0
+passlib==1.7.2

requirements.txt

@@ -18,3 +18,4 @@ wheel>=0.33.1
 pytz>=2019.1
 -e git+https://open.greenhost.net/greenhost/cloud-api#egg=greenhost_cloud
 -e git+https://open.greenhost.net/openappstack/oas_behave#egg=oas_behave
+passlib>=1.7.2