cloudera-labs · wmudge · Sep 19, 2025 · Sep 16, 2025 · Sep 17, 2025
diff --git a/roles/prometheus/README.md b/roles/prometheus/README.md
@@ -1,9 +1,5 @@
 # prometheus
 
-Install Prometheus.
-
-This role automates the installation of the Prometheus monitoring system from its official distribution archive. It sets up the necessary directories for configuration and the time-series database (TSDB), creates a dedicated system user and group for the service, and installs a basic Prometheus configuration to get started.
-
 The role will:
 - Create a dedicated system user and group (`prometheus`).
 - Create necessary directories for Prometheus configuration (`/etc/prometheus`) and TSDB storage (`/var/lib/prometheus`).
@@ -31,6 +27,10 @@ None.
 | `prometheus_directory` | `path` | `False` | `/etc/prometheus` | Prometheus configuration directory. |
 | `prometheus_tsdb_directory` | `path` | `False` | `/var/lib/prometheus` | Prometheus TSDB directory. |
 | `prometheus_tarball_file` | `str` | `False` | `prometheus.tar.gz` | Intermediate archive file name for the downloaded tarball. |
+| `prometheus_tls_enabled` | `bool` | `False` | `false` | Enable or disable TLS/SSL for Prometheus (HTTPS support). |
+| `prometheus_tls_cert_path` | `str` | `False` | `/etc/pki/tls/certs/prometheus.crt` | Path to the TLS certificate file for Prometheus. |
+| `prometheus_tls_key_path` | `str` | `False` | `/etc/pki/tls/private/prometheus.key` | Path to the TLS private key file for Prometheus. |
+| `prometheus_web_config_file` | `str` | `False` | `/etc/prometheus/web.yml` | Path to the Prometheus web config file (for TLS settings). |
 | `prometheus_user` | `str` | `False` | `prometheus` | Prometheus service user. |
 | `prometheus_group` | `str` | `False` | `prometheus` | Prometheus service group. |
 | `prometheus_service_directory` | `path` | `False` | `/etc/systemd/system/prometheus.service` | Prometheus Systemd service directory (full path to the service file). |
@@ -48,8 +48,8 @@ None.
         prometheus_tarball_url: "[https://github.com/prometheus/prometheus/releases/download/v2.49.0/prometheus-2.49.0.linux-amd64.tar.gz](https://github.com/prometheus/prometheus/releases/download/v2.49.0/prometheus-2.49.0.linux-amd64.tar.gz)"
         prometheus_directory: "/opt/prometheus/config"
         prometheus_tsdb_directory: "/data/prometheus_tsdb"
-        prometheus_user: "prom_admin"
-        prometheus_group: "prom_admin"
+        prometheus_user: "prometheus"
+        prometheus_group: "prometheus"
 ```
 
 # License

diff --git a/roles/prometheus/defaults/main.yml b/roles/prometheus/defaults/main.yml
@@ -13,13 +13,16 @@
 # limitations under the License.
 
 ---
-
 prometheus_tarball_url: https://github.com/prometheus/prometheus/releases/download/v2.48.1/prometheus-2.48.1.linux-amd64.tar.gz
 prometheus_directory: /etc/prometheus
 prometheus_tsdb_directory: /var/lib/prometheus
 prometheus_tarball_file: prometheus.tar.gz
 
-prometheus_user: prometheus
-prometheus_group: prometheus
+prometheus_tls_enabled: false
+prometheus_tls_cert_path: /etc/pki/tls/certs/prometheus.crt
+prometheus_tls_key_path: /etc/pki/tls/private/prometheus.key
+prometheus_web_config_file: /etc/prometheus/web.yml
 
 prometheus_service_directory: /etc/systemd/system/prometheus.service
+prometheus_user: prometheus
+prometheus_group: prometheus
diff --git a/roles/prometheus/meta/argument_specs.yml b/roles/prometheus/meta/argument_specs.yml
@@ -15,16 +15,42 @@
 
 argument_specs:
   main:
-    short_description: Install Prometheus.
+    short_description: Install, configure, and provision Prometheus server with optional TLS/HTTPS support
     description:
-      - Install Prometheus from the distribution archive file.
-      - Set up SELinux to permissive mode (to ensure Prometheus can run without policy restrictions).
-      - Set up the local time-series database.
-      - Set up the service user and group.
-      - Install a basic configuration.
+      - Create a dedicated system user and group for Prometheus.
+      - Create necessary directories for Prometheus configuration and TSDB storage.
+      - Download the Prometheus distribution tarball from the official source.
+      - Extract the Prometheus binary and related files to the installation directory.
+      - Set SELinux to permissive mode on the target host.
+      - Install a basic prometheus.yml configuration file.
+      - Set up a systemd service for Prometheus.
+      - Enable and start the Prometheus service, ensuring it runs on system boot.
+      - Optionally enable TLS/HTTPS support for secure endpoints.
+      - Optionally configure a Prometheus web config file for TLS settings.
+      - Allow flexible configuration of scrape targets and storage locations via variables.
     author: Cloudera Labs
     version_added: "2.4.0"
     options:
+      prometheus_tls_enabled:
+        description: Enable or disable TLS/SSL for Prometheus (HTTPS support).
+        type: bool
+        required: false
+        default: false
+      prometheus_tls_cert_path:
+        description: Path to the TLS certificate file for Prometheus.
+        type: str
+        required: false
+        default: /etc/pki/tls/certs/prometheus.crt
+      prometheus_tls_key_path:
+        description: Path to the TLS private key file for Prometheus.
+        type: str
+        required: false
+        default: /etc/pki/tls/private/prometheus.key
+      prometheus_web_config_file:
+        description: Path to the Prometheus web config file (for TLS settings).
+        type: str
+        required: false
+        default: /etc/prometheus/web.yml
       prometheus_tarball_url:
         description: URL to the Prometheus distribution archive file.
         type: str

diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml
@@ -69,6 +69,15 @@
     mode: "0755"
     recurse: true
 
+- name: Render Prometheus web.yml for TLS
+  when: prometheus_tls_enabled | bool
+  ansible.builtin.template:
+    src: web.yml.j2
+    dest: "{{ prometheus_web_config_file }}"
+    owner: "{{ prometheus_user }}"
+    group: "{{ prometheus_group }}"
+    mode: "0644"
+
 - name: Create Prometheus service template
   ansible.builtin.template:
     src: prometheus.service.j2

diff --git a/roles/prometheus/templates/prometheus.service.j2 b/roles/prometheus/templates/prometheus.service.j2
@@ -10,6 +10,8 @@ ExecStart={{ prometheus_directory }}/prometheus \
 --config.file {{ prometheus_directory }}/prometheus.yml \
 --storage.tsdb.path {{ prometheus_tsdb_directory }}/ \
 --web.console.templates={{ prometheus_directory }}/consoles \
---web.console.libraries={{ prometheus_directory }}/console_libraries
+--web.console.libraries={{ prometheus_directory }}/console_libraries \
+{% if prometheus_tls_enabled | bool %}--web.config.file={{ prometheus_web_config_file }}{% endif %}
+
 [Install]
 WantedBy=multi-user.target
diff --git a/roles/prometheus/templates/web.yml.j2 b/roles/prometheus/templates/web.yml.j2
@@ -0,0 +1,4 @@
+
+tls_server_config:
+  cert_file: {{ prometheus_tls_cert_path }}
+  key_file: {{ prometheus_tls_key_path }}