libretic/ansible-role-docker_nodeexporter
6
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Ajout authentification et tls sur nodeexporter via traefik

Browse source
This commit is contained in:
Navas 2024-12-25 21:52:16 +01:00
parent 0ab582daa1
commit e72e32084d
4 changed files with 13 additions and 49 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
defaults/main.yml
View file

@ -1,2 +1 @@
docker_nodeexporter_port: "9100" docker_nodeexporter_port: "9100"
docker_nodeexporter_enable_tlsauth: false

33
tasks/main.yml
View file

@ -8,36 +8,3 @@
src: docker-compose.yml src: docker-compose.yml
dest: /opt/{{ docker_nodeexporter_service_id }}/ dest: /opt/{{ docker_nodeexporter_service_id }}/
notify: docker-compose-up notify: docker-compose-up
- name: Prepare config.yml
ansible.builtin.template:
src: config.yml
dest: /opt/{{ docker_nodeexporter_service_id }}/
when: docker_nodeexporter_enable_tlsauth
notify: docker-compose-up
- name: Copie le certificat pour tls
ansible.builtin.get_url:
url: "{{ docker_nodeexporter_certificate_url }}"
dest: /opt/{{ docker_nodeexporter_service_id }}/cert.pem
username: "{{ lookup('env', 'AAP_RESSOURCES_USER') }}"
password: "{{ lookup('env', 'AAP_RESSOURCES_PASSWORD') }}"
mode: u=rw,g=r,o=r
owner: root
group: root
notify:
- docker-compose-up
when: docker_nodeexporter_enable_tlsauth
- name: Copie la clé pour tls
ansible.builtin.get_url:
url: "{{ docker_nodeexporter_key_url }}"
dest: /opt/{{ docker_nodeexporter_service_id }}/key.pem
username: "{{ lookup('env', 'AAP_RESSOURCES_USER') }}"
password: "{{ lookup('env', 'AAP_RESSOURCES_PASSWORD') }}"
mode: u=rw,g=r,o=r
owner: root
group: root
notify:
- docker-compose-up
when: docker_nodeexporter_enable_tlsauth

6
templates/config.yml
View file

@ -1,6 +0,0 @@
basic_auth_users:
prometheus: {{ docker_nodeexporter_auth_password }}
tls_server_config:
cert_file: /cert.pem
key_file: /key.pem

22
templates/docker-compose.yml
View file

@ -8,21 +8,25 @@ services:
- /proc:/host/proc:ro - /proc:/host/proc:ro
- /sys:/host/sys:ro - /sys:/host/sys:ro
- /:/rootfs:ro - /:/rootfs:ro
{% if docker_nodeexporter_enable_tlsauth %}
- ./config.yml:/config.yml
- ./key.pem:/key.pem
- ./cert.pem:/cert.pem
{% endif %}
command: command:
- '--path.procfs=/host/proc' - '--path.procfs=/host/proc'
- '--path.rootfs=/rootfs' - '--path.rootfs=/rootfs'
- '--path.sysfs=/host/sys' - '--path.sysfs=/host/sys'
- '--collector.filesystem.mount-points-exclude=^/(sys|proc|dev|host|etc|run)($$|/)' - '--collector.filesystem.mount-points-exclude=^/(sys|proc|dev|host|etc|run)($$|/)'
{% if docker_nodeexporter_enable_tlsauth %}
- '--web.config.file=/config.yml'
{% endif %}
restart: always restart: always
labels: labels:
org.label-schema.group: "monitoring" org.label-schema.group: monitoring
traefik.enable: true
traefik.docker.network: traefik
traefik.http.routers.nodeexporter.entrypoints: nodeexporter
traefik.http.routers.nodeexporter.tls: true
traefik.http.routers.nodeexporter.rule: Host(`{{ ansible_fqdn }}`)
traefik.http.services.nodeexporter.loadbalancer.server.port: 9100
traefik.http.routers.nodeexporter.middlewares: nodeexporter_auth
traefik.http.middlewares.nodeexporter_auth.basicauth.users: "{{ docker_nodeexporter_auth_user }}:{{ docker_nodeexporter_auth_password }}"
ports: ports:
- {{ docker_nodeexporter_port }}:9100 - {{ docker_nodeexporter_port }}:9100
networks:
traefik:
external: true