From d063215ce09b31c906b6aee35a82b5ce660c6ccc Mon Sep 17 00:00:00 2001
From: Varac <varac@varac.net>
Date: Wed, 28 Apr 2021 16:58:16 +0200
Subject: [PATCH] Make both prometheus and alertmanager ingresses no-optional

Related: #762
---
 ansible/group_vars/all/oas.yml                |  5 +++--
 ansible/group_vars/all/settings.yml.example   |  2 --
 ansible/roles/apps/tasks/prometheus-stack.yml | 19 +++++++++++++++++--
 .../templates/settings/prometheus-stack.yaml  | 17 +++++++++++++++--
 .../roles/compatibility-checks/tasks/main.yml |  1 -
 5 files changed, 35 insertions(+), 9 deletions(-)

diff --git a/ansible/group_vars/all/oas.yml b/ansible/group_vars/all/oas.yml
index 559c1e7f5..91ea82101 100644
--- a/ansible/group_vars/all/oas.yml
+++ b/ansible/group_vars/all/oas.yml
@@ -30,9 +30,10 @@ wordpress_mariadb_root_password: "{{ lookup('password', '{{ cluster_dir }}/secre
 # Grafana credentials
 grafana_admin_password: "{{ lookup('password', '{{ cluster_dir }}/secrets/grafana_admin_password chars=ascii_letters') }}"
 
-# Credetnials used to protect the prometheus server. Only needed when prometheus ingress is enabled
-# username is admin
+# Credetnials used to protect the prometheus server. Username is "admin"
 prometheus_basic_auth: "{{ lookup('password', '{{ cluster_dir }}/secrets/prometheus_basic_auth chars=ascii_letters') }}"
+# Credetnials used to protect the alertmanager server. Username is "admin"
+alertmanager_basic_auth: "{{ lookup('password', '{{ cluster_dir }}/secrets/alertmanager_basic_auth chars=ascii_letters') }}"
 
 # Single sign-on passwords
 userpanel_oauth_client_secret: "{{ lookup('password', '{{ cluster_dir }}/secrets/userpanel_oauth_client_secret chars=ascii_letters') }}"
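Review bot: Both comment lines this hunk touches keep the typo `Credetnials`; the new one should read `# Credentials used to protect the alertmanager server. Username is "admin"`, and the reworded prometheus comment above it the same way. Now that neither ingress is optional, it would also help a reader to know where the fixed `admin` username comes from, e.g. `# Credentials used to protect the alertmanager server. Username is "admin" (set in roles/apps/tasks/prometheus-stack.yml)`, since nothing in this file shows that the variable is only the password half of the pair.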
diff --git a/ansible/group_vars/all/settings.yml.example b/ansible/group_vars/all/settings.yml.example
index 6d711141e..308e717f8 100644
--- a/ansible/group_vars/all/settings.yml.example
+++ b/ansible/group_vars/all/settings.yml.example
@@ -110,8 +110,6 @@ enabled_applications:
   # - 'rocketchat'
   # - 'wordpress'
 
-prometheus_enable_ingress: false
-
 
 # Use `APPNAME_extra_values` to provide additional, custom
 # helm chart values. Look for the correct APPNAME in above
diff --git a/ansible/roles/apps/tasks/prometheus-stack.yml b/ansible/roles/apps/tasks/prometheus-stack.yml
index bc5158afc..7941f3733 100644
--- a/ansible/roles/apps/tasks/prometheus-stack.yml
+++ b/ansible/roles/apps/tasks/prometheus-stack.yml
@@ -1,5 +1,5 @@
 ---
-- name: Create auth secret for basic auth
+- name: Create prometheus auth secret for basic auth
   tags:
     - prometheus-stack
     - config
@@ -14,7 +14,22 @@
         name: "prometheus-basic-auth"
       data:
         auth: "{{ ('admin:' + (prometheus_basic_auth | password_hash('apr_md5_crypt')) + '\n')  | b64encode }}"
-  when: prometheus_enable_ingress is defined and prometheus_enable_ingress is true
+
+- name: Create alertmanager auth secret for basic auth
+  tags:
+    - prometheus-stack
+    - config
+    - secret
+  k8s:
+    state: present
+    definition:
+      api_version: v1
+      kind: Secret
+      metadata:
+        namespace: "oas"
+        name: "alertmanager-basic-auth"
+      data:
+        auth: "{{ ('admin:' + (alertmanager_basic_auth | password_hash('apr_md5_crypt')) + '\n')  | b64encode }}"
 
 - name: Create Kubernetes secret with prometheus settings
   tags:
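Review bot: The new alertmanager task repeats the prometheus task above it line for line, differing only in the secret name and the password variable, and the two could be one task with a `loop` over `prometheus` and `alertmanager`. As far as I can tell, `password_hash('apr_md5_crypt')` with no `salt` argument draws a fresh random salt on every run, so the generated `auth` value differs each play and both secrets are rewritten and reported as changed; this was already true of the prometheus task and is copied here for alertmanager. Whichever shape is kept, the k8s module's result echoes the Secret it applied, including the base64-encoded htpasswd line, and in loop form the item also carries the plaintext password, so `no_log: true` belongs on the task. The prometheus task's header is in the previous hunk, outside this one.
```yaml
- name: Create basic auth secrets for prometheus and alertmanager
  # … unchanged: tags, k8s state and definition header …
      metadata:
        namespace: "oas"
        name: "{{ item.name }}-basic-auth"
      data:
        auth: "{{ ('admin:' + (item.password | password_hash('apr_md5_crypt')) + '\n') | b64encode }}"
  loop:
    - name: prometheus
      password: "{{ prometheus_basic_auth }}"
    - name: alertmanager
      password: "{{ alertmanager_basic_auth }}"
  no_log: true
```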
diff --git a/ansible/roles/apps/templates/settings/prometheus-stack.yaml b/ansible/roles/apps/templates/settings/prometheus-stack.yaml
index 74ff15c68..69b1ffba6 100644
--- a/ansible/roles/apps/templates/settings/prometheus-stack.yaml
+++ b/ansible/roles/apps/templates/settings/prometheus-stack.yaml
@@ -1,4 +1,6 @@
 #jinja2:lstrip_blocks:"True"
+# https://github.com/prometheus-community/helm-charts/blob/main/charts/kube-prometheus-stack/values.yaml
+
 # From: https://github.com/cablespaghetti/k3s-monitoring/blob/master/kube-prometheus-stack-values.yaml
 # Disable etcd monitoring. See https://github.com/cablespaghetti/k3s-monitoring/issues/4
 kubeEtcd:
@@ -13,6 +15,19 @@ kubeScheduler:
 alertmanager:
   persistentVolume:
     existingClaim: "alertmanager"
+  ingress:
+    enabled: true
+    annotations:
+      nginx.ingress.kubernetes.io/auth-type: basic
+      nginx.ingress.kubernetes.io/auth-secret: alertmanager-basic-auth
+      nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
+      kubernetes.io/tls-acme: "true"
+    hosts:
+      - "alertmanager.{{ domain }}"
+    tls:
+      - secretName: alertmanager-tls
+        hosts:
+          - "alertmanager.{{ domain }}"
   config:
     {% if outgoing_mail.enabled %}
     global:
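Review bot: `nginx.ingress.kubernetes.io/auth-secret: alertmanager-basic-auth` names the secret without a namespace, so ingress-nginx resolves it in the Ingress object's own namespace; the tasks file creates the secret in `oas`, which means this only works if the chart's alertmanager Ingress is also deployed into `oas` — I cannot confirm that from this page. The namespaced form `nginx.ingress.kubernetes.io/auth-secret: oas/alertmanager-basic-auth` removes that implicit coupling, and presumably the prometheus ingress annotations (not shown in the later hunks) use the same bare-name form and would benefit from the same change. A minor style point: the annotation block mixes `'Authentication Required'` with `"true"`; pick one quote style for the values. The enclosing `alertmanager:` mapping continues past the end of this hunk.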
@@ -102,7 +117,6 @@ prometheus:
         cpu: 10m
         memory: 512Mi
 
-  {% if prometheus_enable_ingress is defined and prometheus_enable_ingress %}
   ingress:
     enabled: true
     annotations:
@@ -116,7 +130,6 @@ prometheus:
       - secretName: prometheus-tls
         hosts:
           - "prometheus.{{ domain }}"
-  {% endif %}
 
 #
 #  service:
diff --git a/ansible/roles/compatibility-checks/tasks/main.yml b/ansible/roles/compatibility-checks/tasks/main.yml
index f9aa2ae7b..f94767412 100644
--- a/ansible/roles/compatibility-checks/tasks/main.yml
+++ b/ansible/roles/compatibility-checks/tasks/main.yml
@@ -22,7 +22,6 @@
     - domain
     - admin_email
     - acme_staging
-    - prometheus_enable_ingress
     - backup
     - flux
     - helm_operator
-- 
GitLab