mgr/cephadm: fixing config files for prometheus and alertmanager 60828/head
authorRedouane Kachach <rkachach@ibm.com>
Fri, 22 Nov 2024 10:51:07 +0000 (11:51 +0100)
committerRedouane Kachach <rkachach@ibm.com>
Fri, 29 Nov 2024 14:17:12 +0000 (15:17 +0100)
When mgmt-gateway is enabled, mTLS is enforced and all the
communication peers (monitoring daemons in this case) have to
provide a valid certificate (signed by the cephadm Root CA).

Fixes: https://tracker.ceph.com/issues/69018
Signed-off-by: Redouane Kachach <rkachach@ibm.com>
src/pybind/mgr/cephadm/templates/services/alertmanager/alertmanager.yml.j2
src/pybind/mgr/cephadm/templates/services/mgmt-gateway/nginx.conf.j2
src/pybind/mgr/cephadm/templates/services/prometheus/prometheus.yml.j2
src/pybind/mgr/cephadm/tests/test_services.py

index de993cb6ce369be9f6043098069af08b5cff6be0..b6955caf616b56e0dd706a4b19ab8591e3b189c6 100644 (file)
@@ -8,6 +8,8 @@ global:
     tls_config:
 {% if security_enabled %}
       ca_file: root_cert.pem
+      cert_file: alertmanager.crt
+      key_file: alertmanager.key
 {% else %}
       insecure_skip_verify: true
 {% endif %}
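Review bot: The new `cert_file`/`key_file` lines sit under `{% if security_enabled %}`, so every secured deployment will make Alertmanager load `alertmanager.crt` and `alertmanager.key` for its outgoing requests, not only deployments fronted by mgmt-gateway as the commit message describes. The diff does not show where these two files are generated; if they are the daemon's existing server pair, it is worth confirming that the certificate is also valid for client authentication and that the key file is readable only by the daemon. A Jinja comment above `cert_file`, such as `{# client certificate presented to mTLS peers such as mgmt-gateway #}`, would record the intent. The same questions apply to `prometheus.crt` / `prometheus.key` in the prometheus.yml.j2 hunks.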
index b9773ceeeb3c9ba693bc694d867c1608fd15859c..14af0fd48ca8de5c04fb680dd90dfef1ee243914 100644 (file)
@@ -9,6 +9,7 @@ events {
 http {
 
     #access_log /dev/stdout;
+    error_log /dev/stderr info;
     client_header_buffer_size 32K;
     large_client_header_buffers 4 32k;
     proxy_busy_buffers_size 512k;
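Review bot: The `info` level on the new `error_log /dev/stderr info;` line is fixed in the template and carries no comment saying why it was chosen. At that level nginx also records client-side TLS handshake and certificate-verification failures, which is presumably the motivation now that mTLS is enforced. A short comment such as `# info: also logs rejected client certificates and failed TLS handshakes` would keep a later cleanup from raising the level and losing those events. `access_log` stays commented out on the line above, so requests that pass the gateway still leave no record. The `http` block continues outside the hunk.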
index ecfd899af71a49e7cd0b6642e9379638491dcce8..961da145dac639ec8ad3ce22b142dcdfe742b378 100644 (file)
@@ -28,6 +28,8 @@ alerting:
             password: {{ service_discovery_password }}
           tls_config:
             ca_file: root_cert.pem
+            cert_file: prometheus.crt
+            key_file:  prometheus.key
 {% else %}
     - scheme: http
       http_sd_configs:
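Review bot: `key_file:  prometheus.key` has two spaces after the colon, here and in the seven other prometheus.yml.j2 hunks, while `cert_file:` and the alertmanager template use one. YAML accepts it, but the test expectations now have to mirror the stray space, so `key_file: prometheus.key` is the cleaner form. The same three-line `tls_config` body is now repeated in every secure branch of this template; a Jinja macro or include would keep the copies from drifting. The `{% if %}` that opens this branch is above the hunk, so which flag gates the client certificate cannot be confirmed from here.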
@@ -56,6 +58,8 @@ scrape_configs:
         password: {{ service_discovery_password }}
       tls_config:
         ca_file: root_cert.pem
+        cert_file: prometheus.crt
+        key_file:  prometheus.key
 {% else %}
     honor_labels: true
     http_sd_configs:
@@ -81,6 +85,8 @@ scrape_configs:
         password: {{ service_discovery_password }}
       tls_config:
         ca_file: root_cert.pem
+        cert_file: prometheus.crt
+        key_file:  prometheus.key
 {% else %}
     http_sd_configs:
     - url: {{ node_exporter_sd_url }}
@@ -104,6 +110,8 @@ scrape_configs:
         password: {{ service_discovery_password }}
       tls_config:
         ca_file: root_cert.pem
+        cert_file: prometheus.crt
+        key_file:  prometheus.key
 {% else %}
     http_sd_configs:
     - url: {{ haproxy_sd_url }}
@@ -128,6 +136,8 @@ scrape_configs:
         password: {{ service_discovery_password }}
       tls_config:
         ca_file: root_cert.pem
+        cert_file: prometheus.crt
+        key_file:  prometheus.key
 {% else %}
     honor_labels: true
     http_sd_configs:
@@ -149,6 +159,8 @@ scrape_configs:
         password: {{ service_discovery_password }}
       tls_config:
         ca_file: root_cert.pem
+        cert_file: prometheus.crt
+        key_file:  prometheus.key
 {% else %}
     http_sd_configs:
     - url: {{ nvmeof_sd_url }}
@@ -169,6 +181,8 @@ scrape_configs:
         password: {{ service_discovery_password }}
       tls_config:
         ca_file: root_cert.pem
+        cert_file: prometheus.crt
+        key_file:  prometheus.key
 {% else %}
     http_sd_configs:
     - url: {{ nfs_sd_url }}
@@ -189,6 +203,8 @@ scrape_configs:
         password: {{ service_discovery_password }}
       tls_config:
         ca_file: root_cert.pem
+        cert_file: prometheus.crt
+        key_file:  prometheus.key
 {% else %}
     http_sd_configs:
     - url: {{ smb_sd_url }}
index 824e37cf4d4937a16d6f9acf2ff0518fdb7f02ae..2ef4e5aeec29748f12ada25b8dda019ff6096dde 100644 (file)
@@ -632,6 +632,8 @@ class TestMonitoring:
                   http_config:
                     tls_config:
                       ca_file: root_cert.pem
+                      cert_file: alertmanager.crt
+                      key_file: alertmanager.key
 
                 route:
                   receiver: 'default'
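Review bot: These expectations only pin the rendered configuration text, so they would still pass if `alertmanager.crt` and `alertmanager.key` were never written into the daemon's config directory. If the surrounding test (its body lies outside the hunk) does not already assert it, the expected set of deployed files should include both names alongside `root_cert.pem`. The same holds for the `prometheus.crt` / `prometheus.key` expectations in the later TestMonitoring hunks.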
@@ -726,6 +728,8 @@ class TestMonitoring:
                   http_config:
                     tls_config:
                       ca_file: root_cert.pem
+                      cert_file: alertmanager.crt
+                      key_file: alertmanager.key
 
                 route:
                   receiver: 'default'
@@ -1150,6 +1154,8 @@ class TestMonitoring:
                             password: sd_password
                           tls_config:
                             ca_file: root_cert.pem
+                            cert_file: prometheus.crt
+                            key_file:  prometheus.key
 
                 scrape_configs:
                   - job_name: 'ceph'
@@ -1171,6 +1177,8 @@ class TestMonitoring:
                         password: sd_password
                       tls_config:
                         ca_file: root_cert.pem
+                        cert_file: prometheus.crt
+                        key_file:  prometheus.key
 
                   - job_name: 'node'
                     relabel_configs:
@@ -1189,6 +1197,8 @@ class TestMonitoring:
                         password: sd_password
                       tls_config:
                         ca_file: root_cert.pem
+                        cert_file: prometheus.crt
+                        key_file:  prometheus.key
 
                   - job_name: 'haproxy'
                     relabel_configs:
@@ -1205,6 +1215,8 @@ class TestMonitoring:
                         password: sd_password
                       tls_config:
                         ca_file: root_cert.pem
+                        cert_file: prometheus.crt
+                        key_file:  prometheus.key
 
                   - job_name: 'ceph-exporter'
                     relabel_configs:
@@ -1222,6 +1234,8 @@ class TestMonitoring:
                         password: sd_password
                       tls_config:
                         ca_file: root_cert.pem
+                        cert_file: prometheus.crt
+                        key_file:  prometheus.key
 
                   - job_name: 'nvmeof'
                     honor_labels: true
@@ -1235,6 +1249,8 @@ class TestMonitoring:
                         password: sd_password
                       tls_config:
                         ca_file: root_cert.pem
+                        cert_file: prometheus.crt
+                        key_file:  prometheus.key
 
                   - job_name: 'nfs'
                     honor_labels: true
@@ -1248,6 +1264,8 @@ class TestMonitoring:
                         password: sd_password
                       tls_config:
                         ca_file: root_cert.pem
+                        cert_file: prometheus.crt
+                        key_file:  prometheus.key
 
                   - job_name: 'smb'
                     honor_labels: true
@@ -1261,6 +1279,8 @@ class TestMonitoring:
                         password: sd_password
                       tls_config:
                         ca_file: root_cert.pem
+                        cert_file: prometheus.crt
+                        key_file:  prometheus.key
 
                 """).lstrip()
 
@@ -3834,6 +3854,7 @@ class TestMgmtGateway:
                                          http {
 
                                              #access_log /dev/stdout;
+                                             error_log /dev/stderr info;
                                              client_header_buffer_size 32K;
                                              large_client_header_buffers 4 32k;
                                              proxy_busy_buffers_size 512k;
@@ -4080,6 +4101,7 @@ class TestMgmtGateway:
                                          http {
 
                                              #access_log /dev/stdout;
+                                             error_log /dev/stderr info;
                                              client_header_buffer_size 32K;
                                              large_client_header_buffers 4 32k;
                                              proxy_busy_buffers_size 512k;