16379: Adds basic auth to the prometheus UI.
authorLucas Di Pentima <lucas.dipentima@curii.com>
Fri, 3 Mar 2023 19:24:02 +0000 (16:24 -0300)
committerLucas Di Pentima <lucas.dipentima@curii.com>
Tue, 28 Mar 2023 17:59:17 +0000 (14:59 -0300)
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima@curii.com>

tools/salt-install/config_examples/multi_host/aws/pillars/nginx_prometheus_configuration.sls
tools/salt-install/config_examples/multi_host/aws/states/nginx_prometheus_configuration.sls [new file with mode: 0644]
tools/salt-install/local.params.example.multiple_hosts
tools/salt-install/provision.sh

index dbb069cdbfd43d077574f4df0be6bd785416979f..d654d6ed0bd4368c2a2f7da617a6d6a1eb687319 100644 (file)
@@ -58,5 +58,7 @@ nginx:
             {%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
             - ssl_password_file: {{ '/run/arvados/' | path_join(ssl_key_encrypted_pillar.ssl_key_encrypted.privkey_password_filename) }}
             {%- endif %}
+            - auth_basic: '"Restricted Area"'
+            - auth_basic_user_file: htpasswd
             - access_log: /var/log/nginx/prometheus.__CLUSTER__.__DOMAIN__.access.log combined
             - error_log: /var/log/nginx/prometheus.__CLUSTER__.__DOMAIN__.error.log
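Review bot: `auth_basic_user_file: htpasswd` on the added line is a relative path, which nginx resolves against its compile-time prefix, while the new state in this commit writes the credentials to `/etc/nginx/htpasswd`; on a build whose prefix is not `/etc/nginx` the two silently diverge and nginx either fails to open the file or answers 401 to every request. Name the same file from both places: `- auth_basic_user_file: /etc/nginx/htpasswd`. Basic auth only protects the credential if this server block is reachable over TLS alone, which the neighbouring `ssl_*` settings suggest but the hunk does not fully show. The enclosing `nginx:` server definition starts and ends outside the hunk.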
diff --git a/tools/salt-install/config_examples/multi_host/aws/states/nginx_prometheus_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/states/nginx_prometheus_configuration.sls
new file mode 100644 (file)
index 0000000..f7eaab1
--- /dev/null
@@ -0,0 +1,21 @@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+{%- if salt['pillar.get']('nginx:servers:managed:prometheus-ssl') %}
+
+extra_nginx_prometheus_conf_user___PROMETHEUS_UI_USERNAME__:
+  webutil.user_exists:
+    - name: __PROMETHEUS_UI_USERNAME__
+    - password: {{ "__PROMETHEUS_UI_PASSWORD__" | yaml_dquote }}
+    - htpasswd_file: /etc/nginx/htpasswd
+    - options: d
+    - force: true
+    - require:
+      - pkg: extra_nginx_prometheus_conf_pkgs
+
+extra_nginx_prometheus_conf_pkgs:
+  pkg.installed:
+    - name: apache2-utils
+
+{%- endif %}
\ No newline at end of file
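Review bot: `- options: d` selects htpasswd's crypt() hashing, which truncates the password to 8 characters and uses a scheme that is trivially brute-forced, so most of `__PROMETHEUS_UI_PASSWORD__` is discarded before it reaches the file. Prefer `- options: B` (bcrypt); nginx verifies such hashes through the system crypt(3), so confirm the target image's libcrypt accepts `$2y$` hashes, and fall back to `- options: m` (apr1 MD5, which nginx supports everywhere) if it does not. Nothing in the state manages the mode of `/etc/nginx/htpasswd`; a `file.managed` for that path with `mode: '0640'`, owned by root and the nginx group, and required after the `user_exists` state would keep the hash file unreadable to other local users — I am assuming the file is created world-readable, which is worth confirming. The plaintext password also lives in this rendered state; `yaml_dquote` keeps the YAML valid but does not protect the value.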
index 17e937f2e317a7cf44e291065f634cda689732ff..cfbd74dfa5f951de114038bd01b935dc35c09095 100644 (file)
@@ -123,6 +123,10 @@ SSL_KEY_ENCRYPTED="no"
 SSL_KEY_AWS_SECRET_NAME="${CLUSTER}-arvados-ssl-privkey-password"
 SSL_KEY_AWS_REGION="us-east-1"
 
+# Customize Prometheus web UI access credentials
+PROMETHEUS_UI_USERNAME=${INITIAL_USER}
+PROMETHEUS_UI_PASSWORD=${INITIAL_USER_PASSWORD}
+
 # The directory to check for the config files (pillars, states) you want to use.
 # There are a few examples under 'config_examples'.
 # CONFIG_DIR="local_config_dir"
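Review bot: Defaulting `PROMETHEUS_UI_PASSWORD=${INITIAL_USER_PASSWORD}` reuses the initial Arvados user's password for a second, weaker authentication surface (HTTP basic auth), so a Prometheus credential captured from a proxy log or browser store also unlocks the cluster's first account. Give the UI its own default and say so in the comment, e.g. `# Customize Prometheus web UI access credentials (use a password distinct from INITIAL_USER_PASSWORD)` followed by `PROMETHEUS_UI_PASSWORD="changeme_prometheus"`, or generate one at provisioning time and print it once. Whether the example ever ships with a real value is outside this hunk, but the documented defaults steer operators toward reuse.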
index 031f490a357e22950187fc9dad647b124438e5e4..92763d0208185aa44ece81f48d5d00ce6eec04d5 100755 (executable)
@@ -444,7 +444,9 @@ for f in $(ls "${SOURCE_PILLARS_DIR}"/*); do
        s#__WORKBENCH_SECRET_KEY__#${WORKBENCH_SECRET_KEY}#g;
        s#__SSL_KEY_ENCRYPTED__#${SSL_KEY_ENCRYPTED}#g;
        s#__SSL_KEY_AWS_REGION__#${SSL_KEY_AWS_REGION}#g;
-       s#__SSL_KEY_AWS_SECRET_NAME__#${SSL_KEY_AWS_SECRET_NAME}#g" \
+       s#__SSL_KEY_AWS_SECRET_NAME__#${SSL_KEY_AWS_SECRET_NAME}#g;
+       s#__PROMETHEUS_UI_USERNAME__#${PROMETHEUS_UI_USERNAME}#g;
+       s#__PROMETHEUS_UI_PASSWORD__#${PROMETHEUS_UI_PASSWORD}#g" \
   "${f}" > "${P_DIR}"/$(basename "${f}")
 done
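Review bot: The added `s#__PROMETHEUS_UI_PASSWORD__#${PROMETHEUS_UI_PASSWORD}#g` places an operator-chosen password unescaped in a sed replacement, so a `#` terminates the expression, `&` is replaced by the matched placeholder and `\` starts an escape; the resulting htpasswd entry then silently holds a different password from the one configured, or sed aborts. The existing secrets on the neighbouring lines share this pattern, but a human-chosen password is far more likely than a generated key to contain those characters. Escape the value before the loop, e.g. `PROMETHEUS_UI_PASSWORD_SED=$(printf '%s' "${PROMETHEUS_UI_PASSWORD}" | sed -e 's/[\\#&]/\\&/g')` and substitute `${PROMETHEUS_UI_PASSWORD_SED}` here, or reject such characters up front with a clear error. The `sed` invocation these expressions belong to opens before the hunk.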
 
@@ -518,7 +520,9 @@ if [ -d "${SOURCE_STATES_DIR}" ]; then
          s#__WORKBENCH_SECRET_KEY__#${WORKBENCH_SECRET_KEY}#g;
          s#__SSL_KEY_ENCRYPTED__#${SSL_KEY_ENCRYPTED}#g;
          s#__SSL_KEY_AWS_REGION__#${SSL_KEY_AWS_REGION}#g;
-         s#__SSL_KEY_AWS_SECRET_NAME__#${SSL_KEY_AWS_SECRET_NAME}#g" \
+         s#__SSL_KEY_AWS_SECRET_NAME__#${SSL_KEY_AWS_SECRET_NAME}#g;
+         s#__PROMETHEUS_UI_USERNAME__#${PROMETHEUS_UI_USERNAME}#g;
+         s#__PROMETHEUS_UI_PASSWORD__#${PROMETHEUS_UI_PASSWORD}#g" \
     "${f}" > "${F_DIR}/extra/extra"/$(basename "${f}")
   done
 fi
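Review bot: After the added substitution, the rendered state written to `"${F_DIR}/extra/extra"` on the last line holds `PROMETHEUS_UI_PASSWORD` in plaintext on the provisioning host, and the hunk shows nothing that restricts that directory's mode or removes the file once the Salt run is done. A `umask 077` (or `chmod 0600` on the written file) before this loop and a comment such as `# rendered states contain secrets; keep them unreadable to other users` would make the exposure explicit and bounded — I cannot see from here whether `${F_DIR}` is already created with a restrictive mode. The same unescaped-sed concern applies to the password here as a `#`, `&` or `\` in the value changes the substitution. The `sed` invocation these expressions belong to opens before the hunk.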
@@ -707,16 +711,16 @@ else
       "monitoring")
         ### States ###
         grep -q "nginx" ${S_DIR}/top.sls || echo "    - nginx" >> ${S_DIR}/top.sls
+        grep -q "extra.nginx_prometheus_configuration" ${S_DIR}/top.sls || echo "    - extra.nginx_prometheus_configuration" >> ${S_DIR}/top.sls
         if [ "${SSL_MODE}" = "lets-encrypt" ]; then
           grep -q "letsencrypt"     ${S_DIR}/top.sls || echo "    - letsencrypt" >> ${S_DIR}/top.sls
           if [ "x${USE_LETSENCRYPT_ROUTE53}" = "xyes" ]; then
             grep -q "aws_credentials" ${S_DIR}/top.sls || echo "    - aws_credentials" >> ${S_DIR}/top.sls
           fi
         elif [ "${SSL_MODE}" = "bring-your-own" ]; then
-          copy_custom_cert ${CUSTOM_CERTS_DIR} ${R}
-          if [ "${SSL_KEY_ENCRYPTED}" = "yes" ]; then
-            grep -q "ssl_key_encrypted" ${S_DIR}/top.sls || echo "    - extra.ssl_key_encrypted" >> ${S_DIR}/top.sls
-          fi
+          for SVC in prometheus; do
+            copy_custom_cert ${CUSTOM_CERTS_DIR} ${SVC}
+          done
         fi
         ### Pillars ###
         grep -q "prometheus_server" ${P_DIR}/top.sls || echo "    - prometheus_server" >> ${P_DIR}/top.sls
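Review bot: The monitoring role no longer adds `extra.ssl_key_encrypted` to `top.sls` when `SSL_KEY_ENCRYPTED=yes` in the `bring-your-own` branch, yet the prometheus nginx pillar in this same commit still emits `ssl_password_file` under `ssl_key_encrypted_pillar.ssl_key_encrypted.enabled`; unless that state is now applied from a common block outside this hunk, nginx on the monitoring host will reference a password file nothing creates. If the move is intentional, a one-line comment here saying where encrypted-key handling now happens would save the next reader the search; otherwise restore `grep -q "ssl_key_encrypted" ${S_DIR}/top.sls || echo "    - extra.ssl_key_encrypted" >> ${S_DIR}/top.sls` guarded by `[ "${SSL_KEY_ENCRYPTED}" = "yes" ]` inside that branch. The `for SVC in prometheus` loop over a single service reads as dead generality; a comment such as `# one cert per nginx vhost served from this role` makes the template intent explicit. This `case` arm continues outside the hunk.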