ansible-role-prometheus-agent/templates/stunnel-client.conf.j2

{% if ansible_distribution_release  == 'stretch' %}
sslVersion = TLSv1.2
{% else %}
sslVersionMin = TLSv1.2
{% endif %}
options = SINGLE_ECDH_USE
options = SINGLE_DH_USE

setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/prometheus-agent.pid

{% for i in prometheus_agent.scrapers if "nodeexporter" in prometheus_agent.scrapers[i] %}
; nodeexporter
[scraper {{ i }} nodeexporter]
client      = no
requireCert = yes
accept      = :::{{ prometheus_agent.scrapers[i].nodeexporter }}
connect     = {{ prometheus_agent.agents.nodeexporter.args['web.listen-address']|replace('[', '')|replace(']', '') }}
cert        = /etc/ssl/prometheus_agent.crt
key         = /etc/ssl/private/prometheus_agent.key
verifyPeer  = yes
CAfile      = /etc/ssl/scraper_{{ i }}.crt
{% endfor %}

{% for i in prometheus_agent.scrapers if "blackbox" in prometheus_agent.scrapers[i] and prometheus_agent.agents.blackbox.enable%}
; blackbox
[scraper {{ i }} blackbox]
client      = no
requireCert = yes
accept      = :::{{ prometheus_agent.scrapers[i].blackbox }}
connect     = {{ prometheus_agent.agents.blackbox.args['web.listen-address']|replace('[', '')|replace(']', '') }}
cert        = /etc/ssl/prometheus_agent.crt
key         = /etc/ssl/private/prometheus_agent.key
verifyPeer  = yes
CAfile      = /etc/ssl/scraper_{{ i }}.crt
{% endfor %}

; proxy
{% for i in prometheus_agent.scrapers if "proxy" in prometheus_agent.scrapers[i] %}
{% for j in prometheus_agent.scrapers[i].proxy|d({}) %}
;   {{ j }}
[scraper {{ i }} proxy {{ j }}]
client      = no
requireCert = yes
accept      = :::{{ prometheus_agent.scrapers[i].proxy[j] }}
connect     = {{ prometheus_agent.agents.proxy.mappings[j].address|replace('[', '')|replace(']', '') }}
cert        = /etc/ssl/prometheus_agent.crt
key         = /etc/ssl/private/prometheus_agent.key
verifyPeer  = yes
CAfile      = /etc/ssl/scraper_{{ i }}.crt

{% endfor %}
{% endfor %}