Add TLS configuration to systemd_exporter role

This adds the systemd_exporter_tls_server_config variable, equivalent to
the one in node_exporter and others, enabling the use of TLS for the
systemd exporter.

Signed-off-by: Håvard Pettersson <haavard.pettersson@gmail.com>

roles/systemd_exporter/README.md

@@ -27,6 +27,14 @@ Use it in a playbook as follows:
     - prometheus.prometheus.systemd_exporter
 ```
 
+### TLS config
+
+See node_exporter README for more extensive example:
+
+    systemd_exporter_tls_server_config:
+      cert_file: /etc/systemd_exporter/tls.cert
+      key_file: /etc/systemd_exporter/tls.key
+
 ## Local Testing
 
 The preferred way of locally testing the role is to use Docker and [molecule](https://github.com/ansible-community/molecule) (v3.x). You will have to install Docker on your system. See "Get started" for a Docker package suitable to for your system. Running your tests is as simple as executing `molecule test`.

roles/systemd_exporter/defaults/main.yml

@@ -7,6 +7,8 @@ systemd_exporter_checksums_url: "https://github.com/{{ _systemd_exporter_repo }}
 systemd_exporter_skip_install: false
 systemd_exporter_web_listen_address: "0.0.0.0:9558"
 
+systemd_exporter_tls_server_config: {}
+
 systemd_exporter_enable_restart_count: false
 systemd_exporter_enable_ip_accounting: false
 systemd_exporter_enable_file_descriptor_size: false

roles/systemd_exporter/meta/argument_specs.yml

@@ -29,6 +29,11 @@ argument_specs:
       systemd_exporter_web_listen_address:
         description: Address on which systemd exporter will listen"
         default: "0.0.0.0:9558"
+      systemd_exporter_tls_server_config:
+        description:
+          - "Configuration for TLS authentication."
+          - "Keys and values are the same as in L(Prometheus docs,https://prometheus.io/docs/prometheus/latest/configuration/https/)."
+        type: "dict"
       systemd_exporter_enable_restart_count:
         description: Enables service restart count metrics. This feature only works with systemd 235 and above"
         type: "bool"

roles/systemd_exporter/molecule/alternative/molecule.yml

@@ -7,3 +7,6 @@ provisioner:
         systemd_exporter_web_listen_address: "127.0.0.1:9000"
         go_arch: amd64
         systemd_exporter_version: 0.4.0
+        systemd_exporter_tls_server_config:
+          cert_file: /etc/systemd_exporter/tls.cert
+          key_file: /etc/systemd_exporter/tls.key

roles/systemd_exporter/molecule/alternative/prepare.yml

@@ -55,3 +55,26 @@
         csr_path: "/tmp/tls.csr"
         privatekey_path: "/tmp/tls.key"
         provider: selfsigned
+
+- name: Run target preparation
+  hosts: all
+  any_errors_fatal: true
+  tasks:
+    - name: Create systemd_exporter cert dir
+      ansible.builtin.file:
+        path: "{{ systemd_exporter_tls_server_config.cert_file | dirname }}"
+        state: directory
+        owner: root
+        group: root
+        mode: u+rwX,g+rwX,o=rX
+
+    - name: Copy cert and key
+      ansible.builtin.copy:
+        src: "{{ item.src }}"
+        dest: "{{ item.dest }}"
+        mode: "{{ item.mode | default('0644') }}"
+      loop:
+        - src: "/tmp/tls.cert"
+          dest: "{{ systemd_exporter_tls_server_config.cert_file }}"
+        - src: "/tmp/tls.key"
+          dest: "{{ systemd_exporter_tls_server_config.key_file }}"

roles/systemd_exporter/tasks/configure.yml

@@ -8,6 +8,23 @@
     mode: 0644
   notify: restart systemd_exporter
 
+- name: Create systemd_exporter config directory
+  ansible.builtin.file:
+    path: "/etc/systemd_exporter"
+    state: directory
+    owner: root
+    group: root
+    mode: u+rwX,g+rwX,o=rX
+
+- name: Copy the systemd_exporter config file
+  ansible.builtin.template:
+    src: config.yaml.j2
+    dest: /etc/systemd_exporter/config.yaml
+    owner: root
+    group: root
+    mode: 0644
+  notify: restart systemd_exporter
+
 - name: Allow systemd_exporter port in SELinux on RedHat OS family
   community.general.seport:
     ports: "{{ systemd_exporter_web_listen_address.split(':')[-1] }}"

roles/systemd_exporter/tasks/preflight.yml

@@ -25,6 +25,31 @@
     that:
       - "':' in systemd_exporter_web_listen_address"
 
+- name: Assert that TLS config is correct
+  when: systemd_exporter_tls_server_config | length > 0
+  block:
+    - name: Assert that TLS key and cert path are set
+      ansible.builtin.assert:
+        that:
+          - "systemd_exporter_tls_server_config.cert_file is defined"
+          - "systemd_exporter_tls_server_config.key_file is defined"
+
+    - name: Check existence of TLS cert file
+      ansible.builtin.stat:
+        path: "{{ systemd_exporter_tls_server_config.cert_file }}"
+      register: __systemd_exporter_cert_file
+
+    - name: Check existence of TLS key file
+      ansible.builtin.stat:
+        path: "{{ systemd_exporter_tls_server_config.key_file }}"
+      register: __systemd_exporter_key_file
+
+    - name: Assert that TLS key and cert are present
+      ansible.builtin.assert:
+        that:
+          - "{{ __systemd_exporter_cert_file.stat.exists }}"
+          - "{{ __systemd_exporter_key_file.stat.exists }}"
+
 - name: Assert that systemd version is >= 235 when enabling ip accounting or measuring restart count
   ansible.builtin.assert:
     that:

roles/systemd_exporter/templates/config.yaml.j2

@@ -0,0 +1,6 @@
+---
+{{ ansible_managed | comment }}
+{% if node_exporter_tls_server_config | length > 0 %}
+tls_server_config:
+{{ node_exporter_tls_server_config | to_nice_yaml | indent(2, true) }}
+{% endif %}

roles/systemd_exporter/templates/systemd_exporter.service.j2

@@ -23,6 +23,9 @@ ExecStart={{ systemd_exporter_binary_install_dir }}/systemd_exporter \
 {% endif %}
 {% if systemd_exporter_unit_exclude != "" %}
     --systemd.collector.unit-exclude={{ systemd_exporter_unit_exclude }} \
+{% endif %}
+{% if systemd_exporter_tls_server_config | length > 0 %}
+    --web.config.file=/etc/systemd_exporter/config.yaml \
 {% endif %}
     --web.listen-address={{ systemd_exporter_web_listen_address }}