commit 53bdd720d623d805e8b8e9b865a7cf051c69b5ec
author Dmitry Kalashnik <dkalashnik@mirantis.com> Mon Apr 08 13:42:08 2019 +0400
committer Dmitry Kalashnik <dkalashnik@mirantis.com> Fri May 17 16:15:58 2019 +0400
tree 9836a167b8abc5ad52cbbacfd7f356169af6fdba
parent 066242d355d666bd7444ffdeeb689cdd6e58211b

Add Telegraf SSL support

Change-Id: Ic00f217a981d9d9724415faf0c06d1ad48f58745
PROD-related: PROD-28066

defaults/salt/init.yml

diff --git a/defaults/salt/init.yml b/defaults/salt/init.yml
index 2e19089..feb27d7 100644
--- a/defaults/salt/init.yml
+++ b/defaults/salt/init.yml
@@ -48,3 +48,11 @@
     salt_control_trusty_image: ${_param:mcp_static_images_url}/ubuntu-14-04-x64-mcp${_param:mcp_version}.qcow2
     salt_control_xenial_image: ${_param:mcp_static_images_url}/ubuntu-16-04-x64-mcp${_param:mcp_version}.qcow2
 
+    salt_master_api_permissions:
+    - '.*'
+    - '@local'
+    - '@wheel'   # to allow access to all wheel modules
+    - '@runner'  # to allow access to all runner modules
+    - '@jobs'    # to allow access to the jobs runner and/or wheel mo
+
+    salt_minion_ca_authority: salt_master_ca

docker/swarm/stack/monitoring/prometheus/init.yml

diff --git a/docker/swarm/stack/monitoring/prometheus/init.yml b/docker/swarm/stack/monitoring/prometheus/init.yml
index 65dd5b9..d7db52c 100644
--- a/docker/swarm/stack/monitoring/prometheus/init.yml
+++ b/docker/swarm/stack/monitoring/prometheus/init.yml
@@ -32,6 +32,7 @@
               volumes:
                 - ${prometheus:server:dir:config}:${_param:prometheus_server_config_directory}
                 - ${prometheus:server:dir:data}:${_param:prometheus_server_data_directory}
+                - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
               environment:
                 PROMETHEUS_CONFIG_DIR: ${_param:prometheus_server_config_directory}
                 PROMETHEUS_DATA_DIR: ${_param:prometheus_server_data_directory}

salt/minion/cert/telegraf_agent.yml

diff --git a/salt/minion/cert/telegraf_agent.yml b/salt/minion/cert/telegraf_agent.yml
new file mode 100644
index 0000000..d54520c
--- /dev/null
+++ b/salt/minion/cert/telegraf_agent.yml
@@ -0,0 +1,14 @@
+parameters:
+  salt:
+    minion:
+      cert:
+        telegraf_agent:
+          host: ${_param:salt_minion_ca_host}
+          authority: ${_param:salt_minion_ca_authority}
+          common_name: telegraf_agent
+          signing_policy: cert_server
+          alternative_names: IP:127.0.0.1,IP:${_param:single_address},DNS:${linux:system:name},DNS:${linux:network:fqdn}
+          key_file: ${telegraf:agent:dir:config}/telegraf-agent.key
+          cert_file: ${telegraf:agent:dir:config}/telegraf-agent.crt
+          mode: '0444'
+          enabled: true

telegraf/agent/output/prometheus_client_ssl.yml

diff --git a/telegraf/agent/output/prometheus_client_ssl.yml b/telegraf/agent/output/prometheus_client_ssl.yml
new file mode 100644
index 0000000..f59335f
--- /dev/null
+++ b/telegraf/agent/output/prometheus_client_ssl.yml
@@ -0,0 +1,10 @@
+parameters:
+  telegraf:
+    agent:
+      output:
+        prometheus_client:
+          scheme: https
+          tls_cert: ${telegraf:agent:dir:config}/telegraf-agent.crt
+          tls_key: ${telegraf:agent:dir:config}/telegraf-agent.key
+          tls_config:
+            ca_file: /etc/ssl/certs/ca-certificates.crt