feat(cadvisor): add support for basic auth

Signed-off-by: Paul des Garets <pdesgarets@users.noreply.github.com>

Author: pdesgarets

roles/cadvisor/defaults/main.yml

@@ -14,10 +14,13 @@ cadvisor_whitelisted_container_labels: []
 cadvisor_store_container_labels: true
 cadvisor_docker_only: false
 
+cadvisor_basic_auth_users: {}
+
 cadvisor_system_group: "root"
 cadvisor_system_user: "{{ cadvisor_system_group }}"
 
 # Local path to stash the archive and its extraction
 cadvisor_local_cache_path: "/tmp/cadvisor-{{ ansible_facts['system'] | lower }}-{{ _cadvisor_go_ansible_arch }}/{{ cadvisor_version }}"
 
 cadvisor_binary_install_dir: "/usr/local/bin"
+cadvisor_config_dir: "/etc/cadvisor"

roles/cadvisor/meta/argument_specs.yml

@@ -73,6 +73,13 @@ argument_specs:
         description: "do not report raw cgroup metrics, except the root cgroup"
         type: "bool"
         default: false
+      cadvisor_basic_auth_users:
+        description:
+          - "Dictionary of username / password for HTTP basic authentication"
+          - >-
+            Warning : The endpoints `/api/*` and `/metrics` are exposed without authentication. See https://github.com/google/cadvisor/blob/master/docs/web.md#web-ui-authentication and https://github.com/google/cadvisor/issues/3401 for more details.
+        type: "dict"
+        default: {}
       cadvisor_system_group:
         description:
           - "I(Advanced)"
@@ -91,3 +98,6 @@ argument_specs:
       cadvisor_local_cache_path:
         description: 'Local path to stash the archive and its extraction'
         default: "/tmp/cadvisor-{{ ansible_facts['system'] | lower }}-{{ _cadvisor_go_ansible_arch }}/{{ cadvisor_version }}"
+      cadvisor_config_dir:
+        description: "Directory for cAdvisor configuration files"
+        default: "/etc/cadvisor"

roles/cadvisor/molecule/alternative/molecule.yml

@@ -16,3 +16,5 @@ provisioner:
         whitelisted_container_labels: [ "com.docker.compose.image" ]
         env_metadata_whitelist: [ "PATH" ]
         store_container_labels: false
+        cadvisor_basic_auth_users:
+          foo: bar

roles/cadvisor/molecule/alternative/tests/test_alternative.py

@@ -31,3 +31,13 @@ def test_protecthome_property(host):
 ])
 def test_socket(host, sockets):
     assert host.socket(sockets).is_listening
+
+
+def test_forbidden_access(host):
+    output = host.check_output('curl -s -o /dev/null -w "%{http_code}" -L http://127.0.0.1:8000/')
+    assert '401' in output
+
+
+def test_granted_access(host):
+    output = host.check_output('curl -s -o /dev/null -w "%{http_code}" -L http://127.0.0.1:8000/ -u foo:bar')
+    assert '200' in output

roles/cadvisor/tasks/configure.yml

@@ -0,0 +1,30 @@
+---
+
+- name: Configure
+  ansible.builtin.include_role:
+    name: prometheus.prometheus._common
+    tasks_from: configure.yml
+  vars:
+    _common_config_dir: "{{ cadvisor_config_dir if (cadvisor_basic_auth_users | length > 0) else None }}"
+    _common_system_group: "{{ cadvisor_system_group }}"
+    _common_system_user: "{{ cadvisor_system_user }}"
+  tags:
+    - cadvisor
+    - configure
+    - cadvisor_configure
+
+- name: Generate htpasswd file
+  ansible.builtin.template:
+    src: "htpasswd.j2"
+    dest: "{{ cadvisor_config_dir }}/htpasswd"
+    owner: "{{ cadvisor_system_user }}"
+    group: "{{ cadvisor_system_group }}"
+    mode: 0640
+  become: true
+  when: cadvisor_basic_auth_users | length > 0
+  notify:
+    - Restart cadvisor
+  tags:
+    - cadvisor
+    - configure
+    - cadvisor_configure

roles/cadvisor/tasks/main.yml

@@ -34,9 +34,8 @@
     - cadvisor_configure
 
 - name: Configure
-  ansible.builtin.include_role:
-    name: prometheus.prometheus._common
-    tasks_from: configure.yml
+  ansible.builtin.include_tasks:
+    file: configure.yml
   tags:
     - cadvisor_configure
 

roles/cadvisor/templates/cadvisor.service.j2

@@ -23,6 +23,10 @@ ExecStart={{ cadvisor_binary_install_dir }}/cadvisor \
 {% endif -%}
 {% if cadvisor_env_metadata_whitelist | length > 0 %}
     '--env_metadata_whitelist={{ cadvisor_env_metadata_whitelist | join(',') }}' \
+{% endif %}
+{% if cadvisor_basic_auth_users | length > 0 %}
+    '--http_auth_file={{ cadvisor_config_dir }}/htpasswd' \
+    '--http_auth_realm=cadvisor' \
 {% endif %}
     '--store_container_labels={{ cadvisor_store_container_labels | lower }}' \
     '--listen_ip={{ cadvisor_listen_ip }}' \

roles/cadvisor/templates/htpasswd.j2

@@ -0,0 +1,4 @@
+{{ ansible_managed | comment }}
+{% for user, password in cadvisor_basic_auth_users.items() %}
+{{ user }}:{{ password | string | password_hash('bcrypt', ('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890' | shuffle(seed=inventory_hostname) | join)[:22], rounds=9) }}
+{% endfor %}