validate: fail if dashboard|grafana_admin_password aren't set

This commit adds a task to make sure user set a custom password for
`grafana_admin_password` and `dashboard_admin_password` variables.

Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1795509
Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>
(cherry picked from commit 99328545de07d94c4a2bdd67c6ac8bc9280f23c5)

diff --git a/group_vars/all.yml.sample b/group_vars/all.yml.sample
index bbbc3b9faead47c38ebc7c7a5d85bf414dedbbd1..e9caf34c721b449ba1f454ca0573a8cbad980fc3 100644 (file)
--- a/group_vars/all.yml.sample
+++ b/group_vars/all.yml.sample
@@ -706,6 +706,7 @@ dummy:
 #dashboard_protocol: http
 #dashboard_port: 8443
 #dashboard_admin_user: admin
+# This variable must be set with a strong custom password when dashboard_enabled is True
 #dashboard_admin_password: p@ssw0rd
 # We only need this for SSL (https) connections
 #dashboard_crt: ''
@@ -716,6 +717,7 @@ dummy:
 #node_exporter_container_image: "prom/node-exporter:v0.17.0"
 #node_exporter_port: 9100
 #grafana_admin_user: admin
+# This variable must be set with a strong custom password when dashboard_enabled is True
 #grafana_admin_password: admin
 # We only need this for SSL (https) connections
 #grafana_crt: ''

diff --git a/group_vars/rhcs.yml.sample b/group_vars/rhcs.yml.sample
index 1db6fe0f98c5dc9743c2890957ea23ddee67d6be..929fb56ebed5c1411b536c05eaec76071b19b12a 100644 (file)
--- a/group_vars/rhcs.yml.sample
+++ b/group_vars/rhcs.yml.sample
@@ -706,6 +706,7 @@ ceph_docker_registry_auth: true
 #dashboard_protocol: http
 #dashboard_port: 8443
 #dashboard_admin_user: admin
+# This variable must be set with a strong custom password when dashboard_enabled is True
 #dashboard_admin_password: p@ssw0rd
 # We only need this for SSL (https) connections
 #dashboard_crt: ''
@@ -716,6 +717,7 @@ ceph_docker_registry_auth: true
 node_exporter_container_image: registry.redhat.io/openshift4/ose-prometheus-node-exporter:v4.1
 #node_exporter_port: 9100
 #grafana_admin_user: admin
+# This variable must be set with a strong custom password when dashboard_enabled is True
 #grafana_admin_password: admin
 # We only need this for SSL (https) connections
 #grafana_crt: ''

diff --git a/roles/ceph-defaults/defaults/main.yml b/roles/ceph-defaults/defaults/main.yml
index aaa78098ded529b1867780203df1a2daf4140ff6..8cba252b3d799eff5a2d7e50dd3d371fd6c6352e 100644 (file)
--- a/roles/ceph-defaults/defaults/main.yml
+++ b/roles/ceph-defaults/defaults/main.yml
@@ -698,7 +698,8 @@ dashboard_enabled: True
 dashboard_protocol: http
 dashboard_port: 8443
 dashboard_admin_user: admin
-dashboard_admin_password: p@ssw0rd
+# This variable must be set with a strong custom password when dashboard_enabled is True
+#dashboard_admin_password: p@ssw0rd
 # We only need this for SSL (https) connections
 dashboard_crt: ''
 dashboard_key: ''
@@ -708,7 +709,8 @@ dashboard_rgw_api_no_ssl_verify: False
 node_exporter_container_image: "prom/node-exporter:v0.17.0"
 node_exporter_port: 9100
 grafana_admin_user: admin
-grafana_admin_password: admin
+# This variable must be set with a strong custom password when dashboard_enabled is True
+#grafana_admin_password: admin
 # We only need this for SSL (https) connections
 grafana_crt: ''
 grafana_key: ''

diff --git a/roles/ceph-validate/tasks/main.yml b/roles/ceph-validate/tasks/main.yml
index f07971943969d940498984684707760a6097920a..f99f9d6cf2d4c53b58db3b09d41d1fdef07c62c0 100644 (file)
--- a/roles/ceph-validate/tasks/main.yml
+++ b/roles/ceph-validate/tasks/main.yml
@@ -205,6 +205,13 @@
       fail:
         msg: "you must add at least one node in the [grafana-server] hosts group"
       when: groups[grafana_server_group_name] | length < 1
+
+    - name: fail when dashboard_admin_password and/or grafana_admin_password are not set
+      fail:
+        msg: "you must set dashboard_admin_password and grafana_admin_password."
+      when:
+        - dashboard_admin_password is undefined
+          or grafana_admin_password is undefined
   when: dashboard_enabled | bool
 
 - name: validate container registry credentials