Merge pull request #2654 from etkecc/honoroit-buscarron-protected-metrics

buscarron and honoroit - add basic auth for metrics

roles/custom/matrix-bot-buscarron/defaults/main.yml

@@ -14,6 +14,10 @@ matrix_bot_buscarron_hostname: ''
 # This value must either be `/` or not end with a slash (e.g. `/buscarron`).
 matrix_bot_buscarron_path_prefix: /
 
+# The path at which Buscarron will expose metrics
+# This value must either be `/` or not end with a slash (e.g. `/metrics`).
+matrix_bot_buscarron_metrics_path: /metrics
+
 matrix_bot_buscarron_base_path: "{{ matrix_base_data_path }}/buscarron"
 matrix_bot_buscarron_config_path: "{{ matrix_bot_buscarron_base_path }}/config"
 matrix_bot_buscarron_data_path: "{{ matrix_bot_buscarron_base_path }}/data"
@@ -36,6 +40,15 @@ matrix_bot_buscarron_container_network: matrix-bot-buscarron
 # Use this to expose this container to another reverse proxy, which runs in a different container network.
 matrix_bot_buscarron_container_additional_networks: []
 
+# enable basic auth for metrics
+matrix_bot_buscarron_basicauth_enabled: false
+# temporary file name on the host that runs ansible
+matrix_bot_buscarron_basicauth_file: "/tmp/matrix_bot_buscarron_htpasswd"
+# username
+matrix_bot_buscarron_basicauth_user: ''
+# password
+matrix_bot_buscarron_basicauth_password: ''
+
 # matrix_bot_buscarron_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
 # See `../templates/labels.j2` for details.
 #
@@ -46,6 +59,8 @@ matrix_bot_buscarron_container_labels_traefik_hostname: "{{ matrix_bot_buscarron
 # The path prefix must either be `/` or not end with a slash (e.g. `/buscarron`).
 matrix_bot_buscarron_container_labels_traefik_path_prefix: "{{ matrix_bot_buscarron_path_prefix }}"
 matrix_bot_buscarron_container_labels_traefik_rule: "Host(`{{ matrix_bot_buscarron_container_labels_traefik_hostname }}`){% if matrix_bot_buscarron_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_bot_buscarron_container_labels_traefik_path_prefix }}`){% endif %}"
+matrix_bot_buscarron_container_labels_traefik_metrics_path: "{{ matrix_bot_buscarron_metrics_path }}"
+matrix_bot_buscarron_container_labels_traefik_metrics_rule: "Host(`{{ matrix_bot_buscarron_container_labels_traefik_hostname }}`) && Path(`{{ matrix_bot_buscarron_container_labels_traefik_metrics_path }}`)"
 matrix_bot_buscarron_container_labels_traefik_priority: 0
 matrix_bot_buscarron_container_labels_traefik_entrypoints: web-secure
 matrix_bot_buscarron_container_labels_traefik_tls: "{{ matrix_bot_buscarron_container_labels_traefik_entrypoints != 'web' }}"

roles/custom/matrix-bot-buscarron/tasks/setup_install.yml

@@ -40,6 +40,20 @@
     - {path: "{{ matrix_bot_buscarron_docker_src_files_path }}", when: true}
   when: "item.when | bool"
 
+- name: Determine basicauth filename
+  set_fact:
+    matrix_bot_buscarron_basicauth_file_tmp: "{{ matrix_bot_buscarron_basicauth_file }}_{{ inventory_hostname }}"
+  when: matrix_bot_buscarron_basicauth_enabled | bool
+
+- name: Generate basic auth file
+  community.general.htpasswd:
+    path: "{{ matrix_bot_buscarron_basicauth_file }}"
+    name: "{{ matrix_bot_buscarron_basicauth_user }}"
+    password: "{{ matrix_bot_buscarron_basicauth_password }}"
+  become: false
+  delegate_to: 127.0.0.1
+  when: matrix_bot_buscarron_basicauth_enabled | bool
+
 - name: Ensure buscarron support files installed
   ansible.builtin.template:
     src: "{{ role_path }}/templates/{{ item }}.j2"
@@ -51,6 +65,14 @@
     - env
     - labels
 
+- name: Ensure temporary basic auth file is removed
+  ansible.builtin.file:
+    path: "{{ matrix_bot_buscarron_basicauth_file }}"
+    state: absent
+  become: false
+  delegate_to: 127.0.0.1
+  when: matrix_bot_buscarron_basicauth_enabled | bool
+
 - name: Ensure buscarron image is pulled
   community.docker.docker_image:
     name: "{{ matrix_bot_buscarron_docker_image }}"

roles/custom/matrix-bot-buscarron/templates/labels.j2

@@ -6,6 +6,7 @@ traefik.docker.network={{ matrix_bot_buscarron_container_labels_traefik_docker_n
 {% endif %}
 
 {% set middlewares = [] %}
+{% set middlewares_metrics = [] %}
 
 {% if matrix_bot_buscarron_container_labels_traefik_path_prefix != '/' %}
 traefik.http.middlewares.matrix-bot-buscarron-slashless-redirect.redirectregex.regex=({{ matrix_bot_buscarron_container_labels_traefik_path_prefix | quote }})$
@@ -18,6 +19,11 @@ traefik.http.middlewares.matrix-bot-buscarron-strip-prefix.stripprefix.prefixes=
 {% set middlewares = middlewares + ['matrix-bot-buscarron-strip-prefix'] %}
 {% endif %}
 
+{% if matrix_bot_buscarron_basicauth_enabled %}
+traefik.http.middlewares.matrix-bot-buscarron-auth.basicauth.users={{ lookup('ansible.builtin.file', matrix_bot_buscarron_basicauth_file) }}
+{% set middlewares_metrics = middlewares + ['matrix-bot-buscarron-auth'] %}
+{% endif %}
+
 {% if matrix_bot_buscarron_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
 {% for name, value in matrix_bot_buscarron_container_labels_traefik_additional_response_headers.items() %}
 traefik.http.middlewares.matrix-bot-buscarron-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
@@ -38,8 +44,23 @@ traefik.http.routers.matrix-bot-buscarron.tls={{ matrix_bot_buscarron_container_
 {% if matrix_bot_buscarron_container_labels_traefik_tls %}
 traefik.http.routers.matrix-bot-buscarron.tls.certResolver={{ matrix_bot_buscarron_container_labels_traefik_tls_certResolver }}
 {% endif %}
-
 traefik.http.services.matrix-bot-buscarron.loadbalancer.server.port=8080
+
+{% if middlewares_metrics | length > 0 %}
+traefik.http.routers.matrix-bot-buscarron-metrics.rule={{ matrix_bot_buscarron_container_labels_traefik_metrics_rule }}
+{% if matrix_bot_buscarron_container_labels_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-bot-buscarron-metrics.priority={{ matrix_bot_buscarron_container_labels_traefik_priority }}
+{% endif %}
+traefik.http.routers.matrix-bot-buscarron-metrics.service=matrix-bot-buscarron
+traefik.http.routers.matrix-bot-buscarron-metrics.middlewares={{ middlewares_metrics | join(',') }}
+traefik.http.routers.matrix-bot-buscarron-metrics.entrypoints={{ matrix_bot_buscarron_container_labels_traefik_entrypoints }}
+traefik.http.routers.matrix-bot-buscarron-metrics.tls={{ matrix_bot_buscarron_container_labels_traefik_tls | to_json }}
+{% if matrix_bot_buscarron_container_labels_traefik_tls %}
+traefik.http.routers.matrix-bot-buscarron-metrics.tls.certResolver={{ matrix_bot_buscarron_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.services.matrix-bot-buscarron-metrics.loadbalancer.server.port=8080
+{% endif %}
+
 {% endif %}
 
 {{ matrix_bot_buscarron_container_labels_additional_labels }}

roles/custom/matrix-bot-honoroit/defaults/main.yml

@@ -11,6 +11,10 @@ matrix_bot_honoroit_hostname: ''
 # This value must either be `/` or not end with a slash (e.g. `/honoroit`).
 matrix_bot_honoroit_path_prefix: /
 
+# The path at which honoroit will expose metrics
+# This value must either be `/` or not end with a slash (e.g. `/metrics`).
+matrix_bot_honoroit_metrics_path: /metrics
+
 matrix_bot_honoroit_container_image_self_build: false
 matrix_bot_honoroit_docker_repo: "https://gitlab.com/etke.cc/honoroit.git"
 matrix_bot_honoroit_docker_repo_version: "{{ matrix_bot_honoroit_version }}"
@@ -34,6 +38,15 @@ matrix_bot_honoroit_container_network: matrix-bot-honoroit
 # Use this to expose this container to another reverse proxy, which runs in a different container network.
 matrix_bot_honoroit_container_additional_networks: []
 
+# enable basic auth for metrics
+matrix_bot_honoroit_basicauth_enabled: false
+# temporary file name on the host that runs ansible
+matrix_bot_honoroit_basicauth_file: "/tmp/matrix_bot_honoroit_htpasswd"
+# username
+matrix_bot_honoroit_basicauth_user: ''
+# password
+matrix_bot_honoroit_basicauth_password: ''
+
 # matrix_bot_honoroit_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
 # See `../templates/labels.j2` for details.
 #
@@ -44,6 +57,8 @@ matrix_bot_honoroit_container_labels_traefik_hostname: "{{ matrix_bot_honoroit_h
 # The path prefix must either be `/` or not end with a slash (e.g. `/honoroit`).
 matrix_bot_honoroit_container_labels_traefik_path_prefix: "{{ matrix_bot_honoroit_path_prefix }}"
 matrix_bot_honoroit_container_labels_traefik_rule: "Host(`{{ matrix_bot_honoroit_container_labels_traefik_hostname }}`){% if matrix_bot_honoroit_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_bot_honoroit_container_labels_traefik_path_prefix }}`){% endif %}"
+matrix_bot_honoroit_container_labels_traefik_metrics_path: "{{ matrix_bot_honoroit_metrics_path }}"
+matrix_bot_honoroit_container_labels_traefik_metrics_rule: "Host(`{{ matrix_bot_honoroit_container_labels_traefik_hostname }}`) && Path(`{{ matrix_bot_honoroit_container_labels_traefik_metrics_path }}`)"
 matrix_bot_honoroit_container_labels_traefik_priority: 0
 matrix_bot_honoroit_container_labels_traefik_entrypoints: web-secure
 matrix_bot_honoroit_container_labels_traefik_tls: "{{ matrix_bot_honoroit_container_labels_traefik_entrypoints != 'web' }}"

roles/custom/matrix-bot-honoroit/tasks/setup_install.yml

@@ -40,6 +40,20 @@
     - {path: "{{ matrix_bot_honoroit_docker_src_files_path }}", when: true}
   when: "item.when | bool"
 
+- name: Determine basicauth filename
+  set_fact:
+    matrix_bot_honoroit_basicauth_file_tmp: "{{ matrix_bot_honoroit_basicauth_file }}_{{ inventory_hostname }}"
+  when: matrix_bot_honoroit_basicauth_enabled | bool
+
+- name: Generate basic auth file
+  community.general.htpasswd:
+    path: "{{ matrix_bot_honoroit_basicauth_file }}"
+    name: "{{ matrix_bot_honoroit_basicauth_user }}"
+    password: "{{ matrix_bot_honoroit_basicauth_password }}"
+  become: false
+  delegate_to: 127.0.0.1
+  when: matrix_bot_honoroit_basicauth_enabled | bool
+
 - name: Ensure honoroit support files installed
   ansible.builtin.template:
     src: "{{ role_path }}/templates/{{ item }}.j2"
@@ -51,6 +65,14 @@
     - env
     - labels
 
+- name: Ensure temporary basic auth file is removed
+  ansible.builtin.file:
+    path: "{{ matrix_bot_honoroit_basicauth_file }}"
+    state: absent
+  become: false
+  delegate_to: 127.0.0.1
+  when: matrix_bot_honoroit_basicauth_enabled | bool
+
 - name: Ensure honoroit image is pulled
   community.docker.docker_image:
     name: "{{ matrix_bot_honoroit_docker_image }}"
@@ -86,6 +108,11 @@
       pull: true
   when: "matrix_bot_honoroit_container_image_self_build | bool"
 
+- name: Ensure honoroit container network is created
+  community.general.docker_network:
+    name: "{{ matrix_bot_honoroit_container_network }}"
+    driver: bridge
+
 - name: Ensure matrix-bot-honoroit.service installed
   ansible.builtin.template:
     src: "{{ role_path }}/templates/systemd/matrix-bot-honoroit.service.j2"

roles/custom/matrix-bot-honoroit/templates/labels.j2

@@ -6,6 +6,7 @@ traefik.docker.network={{ matrix_bot_honoroit_container_labels_traefik_docker_ne
 {% endif %}
 
 {% set middlewares = [] %}
+{% set middlewares_metrics = [] %}
 
 {% if matrix_bot_honoroit_container_labels_traefik_path_prefix != '/' %}
 traefik.http.middlewares.matrix-bot-honoroit-slashless-redirect.redirectregex.regex=({{ matrix_bot_honoroit_container_labels_traefik_path_prefix | quote }})$
@@ -25,6 +26,11 @@ traefik.http.middlewares.matrix-bot-honoroit-add-headers.headers.customresponseh
 {% set middlewares = middlewares + ['matrix-bot-honoroit-add-headers'] %}
 {% endif %}
 
+{% if matrix_bot_honoroit_basicauth_enabled %}
+traefik.http.middlewares.matrix-bot-honoroit-auth.basicauth.users={{ lookup('ansible.builtin.file', matrix_bot_honoroit_basicauth_file) }}
+{% set middlewares_metrics = middlewares + ['matrix-bot-honoroit-auth'] %}
+{% endif %}
+
 traefik.http.routers.matrix-bot-honoroit.rule={{ matrix_bot_honoroit_container_labels_traefik_rule }}
 {% if matrix_bot_honoroit_container_labels_traefik_priority | int > 0 %}
 traefik.http.routers.matrix-bot-honoroit.priority={{ matrix_bot_honoroit_container_labels_traefik_priority }}
@@ -38,8 +44,23 @@ traefik.http.routers.matrix-bot-honoroit.tls={{ matrix_bot_honoroit_container_la
 {% if matrix_bot_honoroit_container_labels_traefik_tls %}
 traefik.http.routers.matrix-bot-honoroit.tls.certResolver={{ matrix_bot_honoroit_container_labels_traefik_tls_certResolver }}
 {% endif %}
-
 traefik.http.services.matrix-bot-honoroit.loadbalancer.server.port=8080
+
+{% if middlewares_metrics | length > 0 %}
+traefik.http.routers.matrix-bot-honoroit-metrics.rule={{ matrix_bot_honoroit_container_labels_traefik_metrics_rule }}
+{% if matrix_bot_honoroit_container_labels_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-bot-honoroit-metrics.priority={{ matrix_bot_honoroit_container_labels_traefik_priority }}
+{% endif %}
+traefik.http.routers.matrix-bot-honoroit-metrics.service=matrix-bot-honoroit
+traefik.http.routers.matrix-bot-honoroit-metrics.middlewares={{ middlewares_metrics | join(',') }}
+traefik.http.routers.matrix-bot-honoroit-metrics.entrypoints={{ matrix_bot_honoroit_container_labels_traefik_entrypoints }}
+traefik.http.routers.matrix-bot-honoroit-metrics.tls={{ matrix_bot_honoroit_container_labels_traefik_tls | to_json }}
+{% if matrix_bot_honoroit_container_labels_traefik_tls %}
+traefik.http.routers.matrix-bot-honoroit-metrics.tls.certResolver={{ matrix_bot_honoroit_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.services.matrix-bot-honoroit-metrics.loadbalancer.server.port=8080
+{% endif %}
+
 {% endif %}
 
 {{ matrix_bot_honoroit_container_labels_additional_labels }}