Add basic authentication on prometheus endpoint in infra

Author: jpraynaud

mithril-infra/assets/docker/docker-compose-monitoring.yaml

@@ -18,6 +18,8 @@ services:
       - 'traefik.http.routers.prometheus.rule=Host(`${PROMETHEUS_HOST}`)'
       - 'traefik.http.routers.prometheus.tls=true'
       - 'traefik.http.routers.prometheus.tls.certresolver=lets-encrypt'
+      - "traefik.http.routers.prometheus.middlewares=test-auth"
+      - "traefik.http.middlewares.test-auth.basicauth.users=${AUTH_USER_PASSWORD}"
 
   promtail:
     image: grafana/promtail:1.4.1

mithril-infra/main.dns.tf

@@ -42,6 +42,6 @@ locals {
     format("https://%s", "mithril-signer-${key}.${trimsuffix(google_dns_managed_zone.mithril-api-zone.dns_name, ".")}")
   ]
   prometheus_host         = trimsuffix(google_dns_record_set.prometheus-endpoint.name, ".")
-  prometheus_endpoint_url = format("https://%s", "prometheus.${trimsuffix(google_dns_managed_zone.mithril-api-zone.dns_name, ".")}")
+  prometheus_endpoint_url = format("https://%s%s", local.prometheus_credentials, local.prometheus_host)
 
 }

mithril-infra/mithril.monitoring.tf

@@ -5,8 +5,10 @@ resource "null_resource" "mithril_monitoring" {
   ]
 
   triggers = {
-    image_id    = var.mithril_image_id,
-    vm_instance = google_compute_instance.vm_instance.id
+    image_id                 = var.mithril_image_id,
+    vm_instance              = google_compute_instance.vm_instance.id,
+    prometheus_auth_username = var.prometheus_auth_username,
+    prometheus_auth_password = var.prometheus_auth_password
   }
 
   connection {
@@ -19,6 +21,7 @@ resource "null_resource" "mithril_monitoring" {
   provisioner "remote-exec" {
     inline = [
       "export PROMETHEUS_HOST=${local.prometheus_host}",
+      "export AUTH_USER_PASSWORD=$(htpasswd -nb ${var.prometheus_auth_username} ${var.prometheus_auth_password})",
       "docker-compose -f /home/curry/docker/docker-compose-monitoring.yaml --profile all up -d",
     ]
   }

mithril-infra/variables.tf

@@ -172,9 +172,22 @@ variable "mithril_aggregator_auth_password" {
   default     = ""
 }
 
+variable "prometheus_auth_username" {
+  type        = string
+  description = "The username for authentication on prometheus"
+  default     = ""
+}
+
+variable "prometheus_auth_password" {
+  type        = string
+  description = "The password for authentication on prometheus"
+  default     = ""
+}
+
 locals {
   mithril_aggregator_type        = var.mithril_aggregator_auth_username == "" ? "noauth" : "auth"
   mithril_aggregator_credentials = var.mithril_aggregator_auth_username == "" ? "" : format("%s:%s@", var.mithril_aggregator_auth_username, var.mithril_aggregator_auth_password)
+  prometheus_credentials         = var.prometheus_auth_username == "" ? "" : format("%s:%s@", var.prometheus_auth_username, var.prometheus_auth_password)
 }
 
 variable "mithril_genesis_verification_key_url" {