mgr/prometheus: improve how we check security configuration status
authorRedouane Kachach <rkachach@ibm.com>
Mon, 9 Jun 2025 11:55:39 +0000 (13:55 +0200)
committerSunnatillo <sunnat.samadov@est.tech>
Mon, 7 Jul 2025 15:26:43 +0000 (18:26 +0300)
So far we have been using indirect methods to check the security
configuration status. Let's be more explicit about the check and use the
new API offered by cephadm for that.

Fixes: https://tracker.ceph.com/issues/71599
Signed-off-by: Redouane Kachach <rkachach@ibm.com>
(cherry picked from commit 9f554ee8adc5bdf11f39146d73bc6438c0caecb1)

src/pybind/mgr/prometheus/module.py
src/pybind/mgr/rook/module.py

index 273610f2ef7cd61f327c4ef14f0e2d54aa432f19..d3a7058e054789f1fbfe914402886377cdb439a4 100644 (file)
@@ -1761,21 +1761,17 @@ class Module(MgrModule, OrchestratorClientMixin):
         self.get_file_sd_config()
 
     def configure(self, server_addr: str, server_port: int) -> None:
-        # TODO(redo): this new check is hacky, we should provide an explit cmd
-        # from cephadm to get/check the security status
-
-        # if cephadm is configured with security then TLS must be used
-        cmd = {'prefix': 'orch prometheus get-credentials'}
+        cmd = {'prefix': 'orch get-security-config'}
         ret, out, _ = self.mon_command(cmd)
         if ret == 0 and out is not None:
-            access_info = json.loads(out)
-            if access_info:
-                try:
+            try:
+                security_config = json.loads(out)
+                if security_config.get('security_enabled', False):
                     self.setup_tls_using_cephadm(server_addr, server_port)
                     return
-                except Exception as e:
-                    self.log.exception(f'Failed to setup cephadm based secure monitoring stack: {e}\n',
-                                       'Falling back to default configuration')
+            except Exception as e:
+                self.log.exception(f'Failed to setup cephadm based secure monitoring stack: {e}\n',
+                                   'Falling back to default configuration')
 
         # In any error fallback to plain http mode
         self.setup_default_config(server_addr, server_port)
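Review bot: The `self.log.exception(...)` call in the new `except` block passes `'Falling back to default configuration'` as a second positional argument, which the standard logging API treats as a %-format argument for a message that has no placeholder, so the record will most likely fail to format and the reason for the fallback is lost. Fold it into a single message, e.g. `self.log.exception('Failed to setup cephadm based secure monitoring stack, falling back to default configuration')`; the traceback already carries the exception text. This matters because the fallback is a transport downgrade: when `security_enabled` is true and `setup_tls_using_cephadm` raises, control still reaches `setup_default_config` and the exporter serves plain HTTP. The `ret != 0` / `out is None` path takes the same fallback with no log line at all, so a `self.log.warning(...)` there would let operators tell "security not enabled" apart from "security status could not be read".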
index 34ed15bc67b3c0e94d1d57b5acf0b5852f2edd0c..0236004f02e1bd7ebd2ebd9c727912801b78bada 100644 (file)
@@ -531,6 +531,10 @@ class RookOrchestrator(MgrModule, orchestrator.Orchestrator):
                 break
         return num_replicas, leaf_type
 
+    @handle_orch_error
+    def get_security_config(self) -> Dict[str, bool]:
+        return {}
+
     @handle_orch_error
     def remove_service(self, service_name: str, force: bool = False) -> str:
         if service_name == 'rbd-mirror':
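Review bot: The new `get_security_config` stub returns `{}` with no docstring, so it relies on every consumer defaulting missing keys the way the prometheus hunk does with `.get('security_enabled', False)`. Returning the key explicitly, `return {'security_enabled': False}`, would make the contract visible to callers that index the dict directly. A one-line docstring saying that the Rook backend reports security as disabled (presumably because it does not manage the monitoring stack's TLS; confirm) would explain why the stub is constant.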