node_exporter: make scrape password optional

This change makes the requirement of http basic auth
credentials to read the node_exporter endpoint optional.

You can disable it by setting the user and password
to null in the host_vars for a host.

Change-Id: I058e61c46bbf8d74f3a22e0954def66c2ba10830
Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org>
Reviewed-on: https://review.linaro.org/c/infrastructure/ansible-playbooks/+/46518

3 files changed, 6 insertions, 1 deletions

diff --git a/host_vars/gerrit.forge.aws.linaro.com b/host_vars/gerrit.forge.aws.linaro.com
index 62b74506..12c03602 100644
--- a/host_vars/gerrit.forge.aws.linaro.com
+++ b/host_vars/gerrit.forge.aws.linaro.com
@@ -24,6 +24,9 @@ ssh_ldap_uri: ldaps://login.linaro.org
 
 skip_dovecot: true
 
+prometheus_scrape_user: null
+prometheus_scrape_password: null
+
 login_groups:
   - systems
   - its
diff --git a/roles/node_exporter/tasks/main.yml b/roles/node_exporter/tasks/main.yml
index 6d85e8d1..c3781e1b 100644
--- a/roles/node_exporter/tasks/main.yml
+++ b/roles/node_exporter/tasks/main.yml
@@ -57,7 +57,7 @@
     port: "{{ ne_port }}"
     src: "{{ item }}"
   with_items: "{{ prometheus_scrape_ips }}"
-  when: ne_push is not defined
+  when: ne_push is not defined and ne_ufw is defined
 
 - name: Install push script
   template:
diff --git a/roles/node_exporter/templates/web-config.j2 b/roles/node_exporter/templates/web-config.j2
index 5655a8c1..83963659 100644
--- a/roles/node_exporter/templates/web-config.j2
+++ b/roles/node_exporter/templates/web-config.j2
@@ -2,5 +2,7 @@
 http_server_config:
     http2: false
 
+{% if prometheus_scrape_user != None and prometheus_scrape_password != None %}
 basic_auth_users:
     {{ prometheus_scrape_user }}: {{ prometheus_scrape_password | password_hash('bcrypt') }}
+{% endif %}