feat: add configuration for tls and basic auth

antmelekhin · Jun 26, 2023 · bc07a8a · bc07a8a
1 parent aad8813
commit bc07a8a
Show file tree

Hide file tree

Showing 8 changed files with 164 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -25,6 +25,9 @@ Role Variables
 - `windows_exporter_log_level` Windows Exporter logging level (default: `info`).
 - `windows_exporter_collectors_enabled` Comma-separated list of collectors to use (default: `[defaults]`).
 - `windows_exporter_collector` Flags for collectors (default: `''`).
+- `windows_exporter_tls_server_config` Certificate and key files for server to use to authenticate to client.
+- `windows_exporter_http_server_config` Enable HTTP/2 support. Note that HTTP/2 is only supported with TLS.
+- `windows_exporter_basic_auth_users` Users and password for basic authentication. Passwords are automatically hashed with bcrypt.
 
 Dependencies
 ------------

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -13,3 +13,8 @@ windows_exporter_log_level: 'info'
 # See available collector-flags: https://github.com/prometheus-community/windows_exporter#collectors
 windows_exporter_collectors_enabled: '[defaults]'
 windows_exporter_collector: ''
+
+# Windows Exporter TLS and basic authentication settings: https://github.com/prometheus/exporter-toolkit/blob/master/docs/web-configuration.md
+windows_exporter_tls_server_config: {}
+windows_exporter_http_server_config: {}
+windows_exporter_basic_auth_users: {}
diff --git a/molecule/tls-and-basic-auth/converge.yml b/molecule/tls-and-basic-auth/converge.yml
@@ -0,0 +1,31 @@
+---
+- name: 'Converge'
+  hosts: all
+  vars:
+    windows_exporter_tls_server_config:
+      cert_file: 'C:\Program Files\windows_exporter\ssl\windows_exporter.cert'
+      key_file: 'C:\Program Files\windows_exporter\ssl\windows_exporter.key'
+    windows_exporter_basic_auth_users:
+      newuser1: newpassword1
+
+  pre_tasks:
+    - name: 'Create certificate directories'
+      ansible.builtin.win_file:
+        path: '{{ windows_exporter_tls_server_config.cert_file | win_dirname }}'
+        state: directory
+
+    - name: 'Copy certificate and key'
+      ansible.builtin.copy:
+        src: '{{ cert.src }}'
+        dest: '{{ cert.dest }}'
+        mode: 0644
+      loop:
+        - src: '/tmp/certificate.cert'
+          dest: '{{ windows_exporter_tls_server_config.cert_file }}'
+        - src: '/tmp/certificate.key'
+          dest: '{{ windows_exporter_tls_server_config.key_file }}'
+      loop_control:
+        loop_var: cert
+
+  roles:
+    - role: antmelekhin.windows_exporter
diff --git a/molecule/tls-and-basic-auth/molecule.yml b/molecule/tls-and-basic-auth/molecule.yml
@@ -0,0 +1,33 @@
+---
+dependency:
+  name: galaxy
+  enabled: true
+driver:
+  name: vagrant
+lint: |
+  set -e
+  yamllint .
+  ansible-lint
+platforms:
+  - name: instance
+    box: 'jborean93/WindowsServer2019'
+    interfaces:
+      - network_name: forwarded_port
+        guest: 9182
+        host: 9182
+provisioner:
+  name: ansible
+  inventory:
+    host_vars:
+      instance:
+        ansible_host: 127.0.0.1
+        ansible_port: 55986
+        ansible_user: vagrant
+        ansible_password: vagrant
+        ansible_connection: winrm
+        ansible_winrm_scheme: https
+        ansible_winrm_transport: ntlm
+        ansible_winrm_server_cert_validation: ignore
+        ansible_become: false
+verifier:
+  name: ansible
diff --git a/molecule/tls-and-basic-auth/prepare.yml b/molecule/tls-and-basic-auth/prepare.yml
@@ -0,0 +1,27 @@
+---
+- name: 'Prepare'
+  hosts: localhost
+  gather_facts: false
+
+  tasks:
+    - name: 'Install dependencies for basic auth and certificate generation'
+      ansible.builtin.pip:
+        name:
+          - 'cryptography'
+          - 'passlib[bcrypt]'
+
+    - name: 'Create private key (RSA, 4096 bits)'
+      openssl_privatekey:
+        path: '/tmp/certificate.key'
+
+    - name: 'Generate an OpenSSL Certificate Signing Request'
+      openssl_csr:
+        path: '/tmp/certificate.csr'
+        privatekey_path: '/tmp/certificate.key'
+
+    - name: 'Generate a Self Signed OpenSSL certificate'
+      openssl_certificate:
+        path: '/tmp/certificate.cert'
+        privatekey_path: '/tmp/certificate.key'
+        csr_path: '/tmp/certificate.csr'
+        provider: selfsigned
diff --git a/molecule/tls-and-basic-auth/verify.yml b/molecule/tls-and-basic-auth/verify.yml
@@ -0,0 +1,27 @@
+---
+- name: 'Verify'
+  hosts: all
+  gather_facts: false
+
+  tasks:
+    - name: 'Check if a windows_exporter service is installed'
+      win_service:
+        name: windows_exporter
+      register: _windows_exporter_service
+
+    - name: 'Assert that windows_exporter service is enabled and running'
+      ansible.builtin.assert:
+        that: _windows_exporter_service.state == 'running'
+
+    - name: 'Verify windows_exporter is responding to requests'
+      ansible.builtin.uri:
+        url: 'https://{{ ansible_host }}:9182/metrics'
+        user: newuser1
+        password: newpassword1
+        force_basic_auth: true
+        validate_certs: false
+      delegate_to: localhost
+      register: _result
+      until: _result.status == 200
+      retries: 120
+      delay: 5
diff --git a/tasks/configure.yml b/tasks/configure.yml
@@ -5,10 +5,28 @@
     dest: 'C:\Program Files\windows_exporter\config.yml'
   notify: Restart Windows Exporter
 
+- name: 'Configure web config file for Windows Exporter'
+  win_template:
+    src: 'web_config.yml.j2'
+    dest: 'C:\Program Files\windows_exporter\web_config.yml'
+  notify: Restart Windows Exporter
+  when:
+    - windows_exporter_tls_server_config | length or
+      windows_exporter_http_server_config | length or
+      windows_exporter_basic_auth_users | length
+
+- name: 'Set arguments'
+  ansible.builtin.set_fact:
+    _windows_exporter_arguments: >-
+      --config.file="C:\Program Files\windows_exporter\config.yml"
+      {%- if windows_exporter_tls_server_config | length or windows_exporter_http_server_config | length or windows_exporter_basic_auth_users | length %}
+      --web.config.file "C:\Program Files\windows_exporter\web_config.yml"
+      {%- endif %}
+
 - name: 'Ensure Windows Exporter is running and enabled at boot'
   win_service:
     name: windows_exporter
-    path: '"C:\Program Files\windows_exporter\windows_exporter.exe" --config.file="C:\Program Files\windows_exporter\config.yml"'
+    path: '"C:\Program Files\windows_exporter\windows_exporter.exe" {{ _windows_exporter_arguments }}'
     dependencies:
       - 'Winmgmt'
     start_mode: delayed

diff --git a/templates/web_config.yml.j2 b/templates/web_config.yml.j2
@@ -0,0 +1,19 @@
+---
+{{ ansible_managed | comment }}
+
+{% if windows_exporter_tls_server_config | length %}
+tls_server_config:
+{{ windows_exporter_tls_server_config | to_nice_yaml | indent(2, true) }}
+{% endif %}
+
+{% if windows_exporter_http_server_config | length %}
+http_server_config:
+{{ windows_exporter_http_server_config | to_nice_yaml | indent(2, true) }}
+{% endif %}
+
+{% if windows_exporter_basic_auth_users | length %}
+basic_auth_users:
+{% for k, v in windows_exporter_basic_auth_users.items() %}
+  {{ k }}: {{ v | string | ansible.builtin.password_hash('bcrypt', ('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890' | shuffle(seed=inventory_hostname) | join)[:22], rounds=9) }}
+{% endfor %}
+{% endif %}