From dfb5ebe76443b64c4738fa2089fa942caa90cd35 Mon Sep 17 00:00:00 2001
From: Mark <mark@openappstack.net>
Date: Tue, 26 May 2020 12:40:53 +0200
Subject: [PATCH] Enable prometheus ingress with basic-auth

---
 ansible/group_vars/all/oas.yml                 |  3 +++
 ansible/roles/apps/tasks/prometheus.yml        | 18 ++++++++++++++++++
 .../apps/templates/settings/prometheus.yaml    | 14 +++++++++++++-
 3 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/ansible/group_vars/all/oas.yml b/ansible/group_vars/all/oas.yml
index ce3978d88..bc73c8ac4 100644
--- a/ansible/group_vars/all/oas.yml
+++ b/ansible/group_vars/all/oas.yml
@@ -31,6 +31,9 @@ wordpress_mariadb_root_password: "{{ lookup('password', '{{ cluster_dir }}/secre
 # Grafana credentials
 grafana_admin_password: "{{ lookup('password', '{{ cluster_dir }}/secrets/grafana_admin_password chars=ascii_letters') }}"
 
+# Prometheus credentials
+prometheus_basic_auth: "{{ lookup('password', '{{ cluster_dir }}/secrets/prometheus_basic_auth chars=ascii_letters') }}"
+
 # Single sign-on passwords
 userpanel_oauth_client_secret: "{{ lookup('password', '{{ cluster_dir }}/secrets/userpanel_oauth_client_secret chars=ascii_letters') }}"
 nextcloud_oauth_client_secret: "{{ lookup('password', '{{ cluster_dir }}/secrets/nextcloud_oauth_client_secret chars=ascii_letters') }}"
diff --git a/ansible/roles/apps/tasks/prometheus.yml b/ansible/roles/apps/tasks/prometheus.yml
index b5daf515d..a43a3cbeb 100644
--- a/ansible/roles/apps/tasks/prometheus.yml
+++ b/ansible/roles/apps/tasks/prometheus.yml
@@ -1,5 +1,23 @@
 ---
+- name: Generate htpasswd hash
+  shell: openssl passwd -apr1 "{{ prometheus_basic_auth }}"
+  register: prometheus_passwd
 
+- name: Create auth secret for basic auth
+  tags:
+    - prometheus
+    - config
+    - secret
+  k8s:
+    state: present
+    definition:
+      api_version: v1
+      kind: Secret
+      metadata:
+        namespace: "oas"
+        name: "prometheus-basic-auth"
+      data:
+        auth: "{{ ('admin:' + prometheus_passwd.stdout )  | b64encode }}"
 - name: Create Kubernetes secret with prometheus settings
   tags:
     - config
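Review bot: The `Generate htpasswd hash` task puts the plaintext password on the `openssl` command line, where it is visible in the process table and in Ansible's task output, and neither it nor the `Create auth secret` task sets `no_log: true`, so the password and the resulting Secret definition are echoed in verbose runs; reading the password via stdin avoids the argv exposure. The hash task also carries none of the `prometheus`/`config`/`secret` tags that the Secret task has, so a run limited with `--tags prometheus` skips it and the Secret task then fails on the undefined `prometheus_passwd`. A smaller caveat: `-apr1` picks a random salt on every run, so the Secret content changes each time; passing a fixed `-salt` derived from the cluster (or accepting the perpetual `changed`) is a choice the commit should make explicitly. Add `no_log: true` to the Secret task as well, since `k8s` returns the full definition including `data.auth`.
```yaml
- name: Generate htpasswd hash
  tags:
    - prometheus
    - config
    - secret
  command: openssl passwd -apr1 -stdin
  args:
    stdin: "{{ prometheus_basic_auth }}"
  register: prometheus_passwd
  no_log: true
  changed_when: false
# … unchanged: Create auth secret for basic auth (add no_log: true) …
```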
diff --git a/ansible/roles/apps/templates/settings/prometheus.yaml b/ansible/roles/apps/templates/settings/prometheus.yaml
index 8661895d3..4cad61830 100644
--- a/ansible/roles/apps/templates/settings/prometheus.yaml
+++ b/ansible/roles/apps/templates/settings/prometheus.yaml
@@ -8,7 +8,19 @@ server:
   persistentVolume:
     existingClaim: "prometheus-server"
   retention: "10d"
-
+  ingress:
+    enabled: true
+    annotations:
+      nginx.ingress.kubernetes.io/auth-type: basic
+      nginx.ingress.kubernetes.io/auth-secret: prometheus-basic-auth
+      nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
+      kubernetes.io/tls-acme: "true"
+    hosts:
+      - "prometheus.{{ domain }}"
+    tls:
+      - secretName: prometheus-tls
+        hosts:
+          - "prometheus.{{ domain }}"
 
 serverFiles:
   alerting_rules.yml:
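Review bot: The ingress exposes the Prometheus API and UI to the whole internet behind a single static `admin` credential with no brute-force protection; ingress-nginx offers `nginx.ingress.kubernetes.io/whitelist-source-range` and `nginx.ingress.kubernetes.io/limit-rps` annotations, and at least the rate limit (e.g. `nginx.ingress.kubernetes.io/limit-rps: "5"`) is worth adding next to `auth-type` so password guessing is slowed. The `auth-secret` reference is resolved in the Ingress's own namespace, so this only works if the chart's Ingress lands in `oas` where the preceding task creates `prometheus-basic-auth`; that namespace is not visible in this hunk, so a short comment such as `# auth-secret must live in the same namespace as this Ingress (created in ansible/roles/apps/tasks/prometheus.yml)` would help the next maintainer. The `apr1` scheme is MD5-based; if the login is ever reused elsewhere, a bcrypt hash (`htpasswd -B`) is the stronger choice nginx also accepts.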
-- 
GitLab