loki/promtail: Use a bearer token instead of basic auth

It simplifies it a bit.

loki/promtail: Use a bearer token instead of basic auth
563c3c5c · Kristian Klausen · 896ab5b0 · 563c3c5c · 896ab5b0 · 563c3c5c
Verified Commit 563c3c5c authored 3 years ago by Kristian Klausen
--- a/group_vars/all/vault_loki.yml
+++ b/group_vars/all/vault_loki.yml
 $ANSIBLE_VAULT;1.1;AES256
-32393361373264633531353264623563303635643964323839616366656632363933626233386538
-3037343264613038613164303261626232333761336534340a313033636232643864663033656563
-32313164646232663663343235316361336163373265313639313032623239646339383530343039
-3236613365643235650a333066633439633964303532396466613464623166383162373161656566
-66666336623138363266393034376532313465633032363433383731613133656437323563346334
-34623433613437333861376638396461373439376463383830343531626666333935393262323636
-39343566336266316630373463633562643761353932613163663836613761383565373230326361
-34333433343330353831303233613236343132303239396666626437633832363433656532376236
-3062
+37643130346638613539323431666164623435666264346231643964626232343534666338646335
+3834376365383264306438316137313163613262323630370a666637316461396132383864633539
+37653062643062663563353635376462396237616634626633633762366334373665306563643366
+3139316239303165380a653166623863366130346231313465336666383365646264396337303334
+30383231653734613230376139326137306137333037616636336663656532316637633531313538
+63643330643031663563643430666165323933633933363436306334643166313231616664666664
+653339626466616537613738636465346538
--- a/roles/loki/defaults/main.yml
+++ b/roles/loki/defaults/main.yml
-loki_nginx_htpasswd: /etc/nginx/auth/loki
--- a/roles/loki/tasks/main.yml
+++ b/roles/loki/tasks/main.yml
@@ -6,23 +6,11 @@
  copy: src=loki.yaml dest=/etc/loki/ owner=root group=root mode=0644
  notify: restart loki

- name: install python-passlib
-  pacman: name=python-passlib
-
- name: create htpasswd for nginx loki endpoint
-  htpasswd:
-    path: "{{ loki_nginx_htpasswd }}"
-    name: "{{ vault_loki_nginx_user }}"
-    password: "{{ vault_loki_nginx_passwd }}"
-    owner: root
-    group: http
-    mode: 0640
-
 - name: make nginx log dir
  file: path=/var/log/nginx/loki state=directory owner=root group=root mode=0755

 - name: set up nginx
-  template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/logging.conf" owner=root group=root mode=644
+  template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/logging.conf" owner=root group=root mode=640
  notify: reload nginx
  tags: ['nginx']


--- a/roles/loki/templates/nginx.d.conf.j2
+++ b/roles/loki/templates/nginx.d.conf.j2
@@ -12,8 +12,9 @@ server {
    error_log    /var/log/nginx/loki/error.log;

    location = /loki/api/v1/push {
-        auth_basic "Loki :)";
-        auth_basic_user_file {{ loki_nginx_htpasswd }};
+        if ($http_authorization != "Bearer {{ vault_loki_token }}") {
+            return 403;
+        }

        proxy_pass http://127.0.0.1:3100$request_uri;
    }

--- a/roles/promtail/templates/promtail.yaml.j2
+++ b/roles/promtail/templates/promtail.yaml.j2
@@ -9,9 +9,7 @@ positions:

 clients:
  - url: http://{{ hostvars['monitoring.archlinux.org']['wireguard_address'] }}/loki/api/v1/push
-    basic_auth:
-      username: '{{ vault_loki_nginx_user }}'
-      password: '{{ vault_loki_nginx_passwd }}'
+    bearer_token: '{{ vault_loki_token }}'

 scrape_configs:
  - job_name: journal