]> git.openstreetmap.org Git - chef.git/commitdiff
Restrict alertmanager web interface to admin users
authorTom Hughes <tom@compton.nu>
Wed, 17 Nov 2021 22:24:19 +0000 (22:24 +0000)
committerTom Hughes <tom@compton.nu>
Wed, 17 Nov 2021 22:24:19 +0000 (22:24 +0000)
cookbooks/prometheus/recipes/server.rb
cookbooks/prometheus/templates/default/apache.erb

index 9c215778e202a0ee035d9ccf60601f0105b9a330..675a206ec1f06613a4861dafcbe5c5a89ae8378b 100644 (file)
@@ -24,6 +24,7 @@ include_recipe "timescaledb"
 
 passwords = data_bag_item("prometheus", "passwords")
 tokens = data_bag_item("prometheus", "tokens")
 
 passwords = data_bag_item("prometheus", "passwords")
 tokens = data_bag_item("prometheus", "tokens")
+admins = data_bag_item("apache", "admins")
 
 prometheus_exporter "fastly" do
   port 8080
 
 prometheus_exporter "fastly" do
   port 8080
@@ -335,6 +336,7 @@ end
 
 apache_site "prometheus.openstreetmap.org" do
   template "apache.erb"
 
 apache_site "prometheus.openstreetmap.org" do
   template "apache.erb"
+  variables :admin_hosts => admins["hosts"]
 end
 
 template "/etc/cron.daily/prometheus-backup" do
 end
 
 template "/etc/cron.daily/prometheus-backup" do
index 00760ed436659ccba6466d2d0a53ab1b7ee1ef20..edc1647af906fcbe20de0ea7e498bb82cf6338ae 100644 (file)
        ProxyPass /alertmanager http://localhost:9093/alertmanager
        ProxyPass / http://localhost:3000/
        ProxyPreserveHost on
        ProxyPass /alertmanager http://localhost:9093/alertmanager
        ProxyPass / http://localhost:3000/
        ProxyPreserveHost on
+
+       <Location /alertmanager>
+<% @admin_hosts.each do |host| -%>
+               Require ip <%= host %>
+<% end -%>
+       </Location>
 </VirtualHost>
 </VirtualHost>