DEV-579: added prometheus basic auth

3 years ago · 98c5f39c85
parent e5e2bdf93e
commit 98c5f39c85
11 changed files with 1748 additions and 1607 deletions
--- a/group_vars/stage_dev/plain.yml
+++ b/group_vars/stage_dev/plain.yml
@ -355,6 +355,13 @@ argocd_server_admin_password: "{{ argocd_server_admin_password_vault }}"
 awx_admin_username: "awx-admin"
 awx_admin_password: "{{ awx_admin_password_vault }}"

+prometheus_admin_username: "prometheus-admin"
+prometheus_admin_password: "{{ prometheus_admin_password_vault }}"
+prometheus_admin_password_unencrypted: "{{ prometheus_admin_password_unencrypted_vault }}"
+
+k8s_prometheus_basic_auth_username: "prometheus-admin"
+k8s_prometheus_basic_auth_password: "{{ k8s_prometheus_basic_auth_password_vault }}"
+
 netgo_msteams_hook_cd: "{{ netgo_msteams_hook_cd_vault }}"
 netgo_msteams_hook_alerting: "{{ netgo_msteams_hook_alerting_vault }}"

--- a/group_vars/stage_dev/vault.yml
+++ b/group_vars/stage_dev/vault.yml
--- a/group_vars/stage_prodnso/plain.yml
+++ b/group_vars/stage_prodnso/plain.yml
@ -355,6 +355,13 @@ argocd_server_admin_password: "{{ argocd_server_admin_password_vault }}"
 awx_admin_username: "awx-admin"
 awx_admin_password: "{{ awx_admin_password_vault }}"

+prometheus_admin_username: "prometheus-admin"
+prometheus_admin_password: "{{ prometheus_admin_password_vault }}"
+prometheus_admin_password_unencrypted: "{{ prometheus_admin_password_unencrypted_vault }}"
+
+k8s_prometheus_basic_auth_username: "prometheus-admin"
+k8s_prometheus_basic_auth_password: "{{ k8s_prometheus_basic_auth_password_vault }}"
+
 netgo_msteams_hook_cd: "{{ netgo_msteams_hook_cd_vault }}"
 netgo_msteams_hook_alerting: "{{ netgo_msteams_hook_alerting_vault }}"

--- a/group_vars/stage_prodnso/vault.yml
+++ b/group_vars/stage_prodnso/vault.yml
--- a/group_vars/stage_qa/plain.yml
+++ b/group_vars/stage_qa/plain.yml
@ -355,6 +355,13 @@ argocd_server_admin_password: "{{ argocd_server_admin_password_vault }}"
 awx_admin_username: "awx-admin"
 awx_admin_password: "{{ awx_admin_password_vault }}"

+prometheus_admin_username: "prometheus-admin"
+prometheus_admin_password: "{{ prometheus_admin_password_vault }}"
+prometheus_admin_password_unencrypted: "{{ prometheus_admin_password_unencrypted_vault }}"
+
+k8s_prometheus_basic_auth_username: "prometheus-admin"
+k8s_prometheus_basic_auth_password: "{{ k8s_prometheus_basic_auth_password_vault }}"
+
 netgo_msteams_hook_cd: "{{ netgo_msteams_hook_cd_vault }}"
 netgo_msteams_hook_alerting: "{{ netgo_msteams_hook_alerting_vault }}"

--- a/group_vars/stage_qa/vault.yml
+++ b/group_vars/stage_qa/vault.yml
--- a/roles/kubernetes/prometheus/defaults/main.yml
+++ b/roles/kubernetes/prometheus/defaults/main.yml
@ -1,5 +1,12 @@
 ---

+k8s_prometheus_basic_auth_secret_name: "prometheus-basic-auth" 
+k8s_prometheus_basic_auth_username: "prometheus-admin"
+k8s_prometheus_basic_auth_password: "{{ k8s_prometheus_basic_auth_password_vault }}"
+htpasswd_file_path: "/tmp/prometheus-auth"
+
+
+
 k8s_prometheus_helm__name: "prometheus"
 k8s_prometheus_helm__release_namespace: "monitoring"

@ -15,6 +22,9 @@ k8s_prometheus_helm__release_values:
        kubernetes.io/ingress.class: nginx
        nginx.ingress.kubernetes.io/ssl-redirect: "false"
        nginx.ingress.kubernetes.io/whitelist-source-range: "{{ ( ip_whitelist + ip_whitelist_admins ) | join(',') }}"
+        nginx.ingress.kubernetes.io/auth-type: "basic"
+        nginx.ingress.kubernetes.io/auth-secret: "{{ k8s_prometheus_basic_auth_secret_name }}"
+        nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
      hosts:
        - "{{ stage }}-kube-prometheus.{{ domain }}"
      tls:
--- a/roles/kubernetes/prometheus/tasks/main.yml
+++ b/roles/kubernetes/prometheus/tasks/main.yml
@ -3,6 +3,54 @@
 ### tags:
 ###   prometheus

+
+- name: Create empty htpswd file
+  file:
+    path: "{{ htpasswd_file_path }}"
+    state: touch
+  tags:
+    - prometheus
+
+- name: Install latest passlib with pip
+  pip: name=passlib
+
+- name: Add a user and password to empty htpswd file
+  community.general.htpasswd:
+    path: "{{ htpasswd_file_path }}"
+    name: "{{ k8s_prometheus_basic_auth_username }}"
+    password: "{{ k8s_prometheus_basic_auth_password }}"
+  tags:
+    - prometheus
+
+- name: read credentials out of htpasswd file
+  ansible.builtin.slurp:
+    src: "{{ htpasswd_file_path }}"
+  register: prometheus_credentials
+  tags:
+    - prometheus
+
+- name: "Create prometheus secrets"
+  become: yes
+  kubernetes.core.k8s:
+    definition:
+      api_version: v1
+      kind: Secret
+      metadata:
+        namespace: "{{ k8s_prometheus_helm__release_namespace  }}"
+        name: "{{ k8s_prometheus_basic_auth_secret_name }}"
+      type: Opaque
+      data: 
+        auth: "{{ prometheus_credentials['content'] }}"
+  tags:
+    - prometheus
+
+- name: "delete htpasswd file"
+  become: yes
+  file:
+    path: "{{ htpasswd_file_path }}"
+    state: absent
+
+
 - name: Deploy kube-prometheus-stack inside monitoring namespace
  become: yes
  kubernetes.core.helm:
--- a/roles/prometheus/tasks/main.yml
+++ b/roles/prometheus/tasks/main.yml
@ -81,6 +81,8 @@
 - name: "Wait for <{{ http_s }}://{{ prometheus_id }}.{{ domain }}>"
  uri:
    url: "{{ http_s }}://{{ prometheus_id }}.{{ domain }}"
+    url_username: "{{ prometheus_admin_username }}"
+    url_password: "{{ prometheus_admin_password_unencrypted }}"
    method: GET
    status_code: 200
    return_content: yes
@ -94,6 +96,8 @@
 - name: "Reload prometheus configuration"
  uri:
    url: "{{ http_s }}://{{ prometheus_id }}.{{ domain }}/-/reload"
+    url_username: "{{ prometheus_admin_username }}"
+    url_password: "{{ prometheus_admin_password_unencrypted }}"
    method: POST
    timeout: 300 # blocks until reload configuration is complete
    status_code: 200
--- a/roles/prometheus/vars/main.yml
+++ b/roles/prometheus/vars/main.yml
@ -41,6 +41,8 @@ prometheus_docker: {
        '"traefik.http.routers.{{ prometheus_id }}.tls=true"',
        '"traefik.http.routers.{{ prometheus_id }}.tls.certresolver=letsencrypt"',
        '"traefik.http.services.{{ prometheus_id }}.loadbalancer.server.port={{ service_port_prometheus }}"',
+        '"traefik.http.routers.{{ prometheus_id }}.middlewares={{ prometheus_id }}-basicauth"',
+        '"traefik.http.middlewares.{{ prometheus_id }}-basicauth.basicauth.users={{ prometheus_admin_username }}:{{ prometheus_admin_password }}"',
      ],
      command: [
        '"--config.file=/etc/prometheus/prometheus.yml"',
--- a/templates/prometheus/config/prometheus/prometheus.yml.j2
+++ b/templates/prometheus/config/prometheus/prometheus.yml.j2
@ -479,6 +479,9 @@ scrape_configs:

  - job_name: 'federate - kube'
    scheme: https
+    basic_auth:
+      username: '{{ k8s_prometheus_basic_auth_username }}'
+      password: '{{ k8s_prometheus_basic_auth_password }}'

    honor_labels: true
    metrics_path: '/federate'