federation work...

defaults/main.yml

@@ -5,3 +5,6 @@ domain_name: "{{fqdn|replace((ansible_hostname + '.'),'')}}"
 alertmanagers: "{{groups['alertmanager']}}"
 blackbox_exporters: "{{groups['blackbox_exporter']}}"
 prometheus_tsdb_retention_time: 15d
+prometheus_client_cn: "prometheus.{{domain_name}}"
+prometheus_federators: []
+prometheus_federator: False

tasks/all.yml

@@ -5,16 +5,7 @@
     name: 
     - prometheus
     - nginx
-- name: alerts directory
-  file:
-    state: directory
-    path: /etc/prometheus/alerts
-- name: prometheus template
-  template:
-    src: prometheus.yml.j2
-    dest: /etc/prometheus/prometheus.yml
-  notify: restart prometheus
-  tags: prometheus_conf
+
 - name: prometheus site template
   template:
     src: prometheus_site.j2
@@ -29,26 +20,3 @@
   notify: reload nginx
   tags: nginx
 
-- name: monitoring target yml files
-  copy:
-    force: no
-    dest: '/etc/prometheus/{{item}}.yml'
-    content: '- targets:'
-  with_items:
-    - 'lxc'
-    - 'bare_metal'
-    - 'postfix'
-  tags: target_yml
-
-- name: prometheus started and enabled
-  service:
-    name: prometheus
-    state: started
-    enabled: yes
-
-
-- name: core alerts
-  copy:
-    src: core_alerts.yml
-    dest: /etc/prometheus/alerts/core.yml
-  tags: alerts

tasks/federator.yml

+---
+
+- name: prometheus template
+  template:
+    src: prometheus_federator.yml.j2
+    dest: /etc/prometheus/prometheus.yml
+  notify: restart prometheus
+  tags: prometheus_conf

tasks/main.yml

@@ -2,6 +2,13 @@
 
 - import_tasks: all.yml
 
+- import_tasks: federator.yml
+  when: prometheus_federator == True 
+- import_tasks: non_federator.yml
+  when: prometheus_federator == False
+
+- import_tasks: service.yml
+
 - include_tasks: "{{ansible_os_family|lower}}.yml"
   tags: prometheus_conf
 
@@ -14,7 +21,7 @@
     step_services:
       - 'prometheus'
     step_extkey_usage: ["clientAuth"]
-    step_cn: "prometheus.{{domain_name}}"
-    dns_names: ['{{ansible_fqdn}}', 'prometheus.{{domain_name}}']
+    step_cn: "{{prometheus_client_cn}}"
+    dns_names: ['{{ansible_fqdn}}', '{{prometheus_client_cn}}']
     step_client_renewtime: "{{'* * * * *'|split(' ')}}"
   tags: step

tasks/non_federator.yml

+---
+
+- name: alerts directory
+  file:
+    state: directory
+    path: /etc/prometheus/alerts
+- name: prometheus template
+  template:
+    src: prometheus.yml.j2
+    dest: /etc/prometheus/prometheus.yml
+  notify: restart prometheus
+  tags: prometheus_conf
+
+- name: monitoring target yml files
+  copy:
+    force: no
+    dest: '/etc/prometheus/{{item}}.yml'
+    content: '- targets:'
+  with_items:
+    - 'lxc'
+    - 'bare_metal'
+    - 'postfix'
+  tags: target_yml
+
+
+- name: core alerts
+  copy:
+    src: core_alerts.yml
+    dest: /etc/prometheus/alerts/core.yml
+  tags: alerts

tasks/service.yml

+---
+
+- name: prometheus started and enabled
+  service:
+    name: prometheus
+    state: started
+    enabled: yes

templates/prometheus_federator.yml.j2

+global:
+  scrape_interval:     15s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
+  evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.
+  # scrape_timeout is set to the global default (10s).
+
+scrape_configs:
+
+

templates/prometheus_site.j2

@@ -12,6 +12,11 @@ server {
     }
 {%   endfor %}
 {% endif %}
+{% for client in prometheus_federators %}
+    if ($ssl_client_s_dn = "CN={{client}}" ){
+      set $deny_access 0;
+    }
+{% endfor %}
     if ($ssl_client_s_dn = "CN={{grafana_cn}}" ){
       set $deny_access 0;
     }