Enable prometheus ingress with basic-auth

dfb5ebe7 · Mark · 394de7e4 · dfb5ebe7 · dfb5ebe7 · dfb5ebe7
Verified Commit dfb5ebe7 authored 4 years ago by Mark
--- a/ansible/group_vars/all/oas.yml
+++ b/ansible/group_vars/all/oas.yml
@@ -31,6 +31,9 @@ wordpress_mariadb_root_password: "{{ lookup('password', '{{ cluster_dir }}/secre
 # Grafana credentials
 grafana_admin_password: "{{ lookup('password', '{{ cluster_dir }}/secrets/grafana_admin_password chars=ascii_letters') }}"
+# Prometheus credentials
+prometheus_basic_auth: "{{ lookup('password', '{{ cluster_dir }}/secrets/prometheus_basic_auth chars=ascii_letters') }}"
 # Single sign-on passwords
 userpanel_oauth_client_secret: "{{ lookup('password', '{{ cluster_dir }}/secrets/userpanel_oauth_client_secret chars=ascii_letters') }}"
 nextcloud_oauth_client_secret: "{{ lookup('password', '{{ cluster_dir }}/secrets/nextcloud_oauth_client_secret chars=ascii_letters') }}"

--- a/ansible/roles/apps/tasks/prometheus.yml
+++ b/ansible/roles/apps/tasks/prometheus.yml
 ---
+- name: Generate htpasswd hash
+  shell: openssl passwd -apr1 "{{ prometheus_basic_auth }}"
+  register: prometheus_passwd
+- name: Create auth secret for basic auth
+  tags:
+    - prometheus
+    - config
+    - secret
+  k8s:
+    state: present
+    definition:
+      api_version: v1
+      kind: Secret
+      metadata:
+        namespace: "oas"
+        name: "prometheus-basic-auth"
+      data:
+        auth: "{{ ('admin:' + prometheus_passwd.stdout )  | b64encode }}"
 - name: Create Kubernetes secret with prometheus settings
  tags:
    - config

--- a/ansible/roles/apps/templates/settings/prometheus.yaml
+++ b/ansible/roles/apps/templates/settings/prometheus.yaml
@@ -8,7 +8,19 @@ server:
  persistentVolume:
    existingClaim: "prometheus-server"
  retention: "10d"
+  ingress:
+    enabled: true
+    annotations:
+      nginx.ingress.kubernetes.io/auth-type: basic
+      nginx.ingress.kubernetes.io/auth-secret: prometheus-basic-auth
+      nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
+      kubernetes.io/tls-acme: "true"
+    hosts:
+      - "prometheus.{{ domain }}"
+    tls:
+      - secretName: prometheus-tls
+        hosts:
+          - "prometheus.{{ domain }}"
 serverFiles:
  alerting_rules.yml: