From f1eca0ea18fa4ba37f17019440b7882ada6db92e Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Mon, 10 Apr 2023 16:00:21 +0100
Subject: [PATCH] Automate configuration of prometheus allow list for discourse

---
 cookbooks/community/recipes/default.rb | 7 ++++++-
 cookbooks/community/templates/default/web_only.yml.erb | 4 ++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/cookbooks/community/recipes/default.rb b/cookbooks/community/recipes/default.rb
index 76b8a97b6..224cb975d 100644
--- a/cookbooks/community/recipes/default.rb
+++ b/cookbooks/community/recipes/default.rb
@@ -25,6 +25,10 @@ include_recipe "ssl"
 passwords = data_bag_item("community", "passwords")
 license_keys = data_bag_item("geoipupdate", "license-keys") unless kitchen?
 
+prometheus_servers = search(:node, "recipes:prometheus\\:\\:server").map do |server|
+ server.ipaddresses(:role => :external)
+end.flatten
+
 # Disable any default installed apache2 service. Web server is embedded within the discourse docker container
 service "apache2" do
 action [:disable, :stop]
@@ -82,7 +86,8 @@ template "/srv/community.openstreetmap.org/docker/containers/web_only.yml" do
 owner "root"
 group "root"
 mode "640"
- variables :license_keys => license_keys, :passwords => passwords
+ variables :license_keys => license_keys, :passwords => passwords,
+ :prometheus_servers => prometheus_servers
 notifies :run, "notify_group[discourse_container_new_web_only]"
 end
 
diff --git a/cookbooks/community/templates/default/web_only.yml.erb b/cookbooks/community/templates/default/web_only.yml.erb
index 6324baeb9..d5ce8a60a 100644
--- a/cookbooks/community/templates/default/web_only.yml.erb
+++ b/cookbooks/community/templates/default/web_only.yml.erb
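Review bot: The search on the new `prometheus_servers` line can come back empty (Test Kitchen, or before any node with prometheus::server has reported in) and nothing here notices; the template then renders an allow list that matches no address, so metric scraping stops silently. That is the safe failure direction, but it should be visible in the run log, e.g. `Chef::Log.warn("no prometheus::server nodes found; prometheus allow list will be empty") if prometheus_servers.empty?` right after `end.flatten`. It is also worth a comment above the search stating that the allow list now follows the Chef node index: every node whose expanded run list contains prometheus::server is trusted for metrics until it is deleted from the Chef server, so stale registrations extend the trust set until someone cleans them up.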
@@ -66,8 +66,8 @@ env:
 DISCOURSE_MAXMIND_LICENSE_KEY: '<%= @license_keys[node[:geoipupdate][:account]] %>'
 <% end -%>
- # FIXME: hardcoded IPs should be replaced by chef node search
- DISCOURSE_PROMETHEUS_TRUSTED_IP_ALLOWLIST_REGEX: '^(140\.211\.167\.99|2605:bc80:3010:700::8cd3:a763)$'
+ # Allow list for prometheus metric collection
+ DISCOURSE_PROMETHEUS_TRUSTED_IP_ALLOWLIST_REGEX: '^<%= @prometheus_servers.map { |a| Regexp.escape(a) }.join("|") %>$'
 # Increase base SIDEKIQ memory limit to 1GB
 UNICORN_SIDEKIQ_MAX_RSS: 1000
--
2.39.5
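Review bot: The rewritten `DISCOURSE_PROMETHEUS_TRUSTED_IP_ALLOWLIST_REGEX` line drops the grouping parentheses the removed line had, and in a regex the alternation binds looser than the anchors, so with two or more servers `^a|b$` means "starts with a, or ends with b" rather than "is exactly a or b"; a suffix-only match on the last address is a weaker trust check than the hard-coded value enforced. Restore the grouping: `DISCOURSE_PROMETHEUS_TRUSTED_IP_ALLOWLIST_REGEX: '^(<%= @prometheus_servers.map { |a| Regexp.escape(a) }.join("|") %>)$'`. If the plugin hands this string straight to `Regexp.new` (presumably, given the setting name), `\A(...)\z` would be the tighter form since `^`/`$` are line anchors in Ruby, but the previous value used `^`/`$` too, so that part is optional. With an empty `@prometheus_servers` the grouped value becomes `'^()$'`, which matches no address, which is the right failure direction; the single-quoted YAML scalar keeps the backslashes from `Regexp.escape` literal, as intended.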