validate: fail if dashboard|grafana_admin_password aren't set

This commit adds a task to make sure user set a custom password for
`grafana_admin_password` and `dashboard_admin_password` variables.

Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1795509
Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>

diff --git a/group_vars/all.yml.sample b/group_vars/all.yml.sample
index 6bd2d6a8f313ee39f1a25d45d852af883644a73d..9866a58f3fa5a6de583336e0007e33e9095b0ecf 100644 (file)
--- a/group_vars/all.yml.sample
+++ b/group_vars/all.yml.sample
@@ -710,6 +710,7 @@ dummy:
 #dashboard_protocol: http
 #dashboard_port: 8443
 #dashboard_admin_user: admin
+# This variable must be set with a strong custom password when dashboard_enabled is True
 #dashboard_admin_password: p@ssw0rd
 # We only need this for SSL (https) connections
 #dashboard_crt: ''
@@ -720,6 +721,7 @@ dummy:
 #node_exporter_container_image: "prom/node-exporter:v0.17.0"
 #node_exporter_port: 9100
 #grafana_admin_user: admin
+# This variable must be set with a strong custom password when dashboard_enabled is True
 #grafana_admin_password: admin
 # We only need this for SSL (https) connections
 #grafana_crt: ''

diff --git a/group_vars/rhcs.yml.sample b/group_vars/rhcs.yml.sample
index 4ee2a5587613ab71b9d82d8e7ee4c237dd51d657..f9a2211762f6858c53a69233b96acd48796000df 100644 (file)
--- a/group_vars/rhcs.yml.sample
+++ b/group_vars/rhcs.yml.sample
@@ -710,6 +710,7 @@ ceph_docker_registry_auth: true
 #dashboard_protocol: http
 #dashboard_port: 8443
 #dashboard_admin_user: admin
+# This variable must be set with a strong custom password when dashboard_enabled is True
 #dashboard_admin_password: p@ssw0rd
 # We only need this for SSL (https) connections
 #dashboard_crt: ''
@@ -720,6 +721,7 @@ ceph_docker_registry_auth: true
 node_exporter_container_image: registry.redhat.io/openshift4/ose-prometheus-node-exporter:v4.1
 #node_exporter_port: 9100
 #grafana_admin_user: admin
+# This variable must be set with a strong custom password when dashboard_enabled is True
 #grafana_admin_password: admin
 # We only need this for SSL (https) connections
 #grafana_crt: ''

diff --git a/roles/ceph-defaults/defaults/main.yml b/roles/ceph-defaults/defaults/main.yml
index 8eb3f737e7609a8521367819748bf236ee294d13..d4f1a96f0948a963084fb658dd1fcee34ee39c9d 100644 (file)
--- a/roles/ceph-defaults/defaults/main.yml
+++ b/roles/ceph-defaults/defaults/main.yml
@@ -702,7 +702,8 @@ dashboard_enabled: True
 dashboard_protocol: http
 dashboard_port: 8443
 dashboard_admin_user: admin
-dashboard_admin_password: p@ssw0rd
+# This variable must be set with a strong custom password when dashboard_enabled is True
+#dashboard_admin_password: p@ssw0rd
 # We only need this for SSL (https) connections
 dashboard_crt: ''
 dashboard_key: ''
@@ -712,7 +713,8 @@ dashboard_rgw_api_no_ssl_verify: False
 node_exporter_container_image: "prom/node-exporter:v0.17.0"
 node_exporter_port: 9100
 grafana_admin_user: admin
-grafana_admin_password: admin
+# This variable must be set with a strong custom password when dashboard_enabled is True
+#grafana_admin_password: admin
 # We only need this for SSL (https) connections
 grafana_crt: ''
 grafana_key: ''

diff --git a/roles/ceph-validate/tasks/main.yml b/roles/ceph-validate/tasks/main.yml
index 90345e00ca13f5497d7b433906f6faefe36e03a1..b02c0c246de68c1b187acdd16560348a50a71484 100644 (file)
--- a/roles/ceph-validate/tasks/main.yml
+++ b/roles/ceph-validate/tasks/main.yml
@@ -217,6 +217,13 @@
       fail:
         msg: "you must add at least one node in the [grafana-server] hosts group"
       when: groups[grafana_server_group_name] | length < 1
+
+    - name: fail when dashboard_admin_password and/or grafana_admin_password are not set
+      fail:
+        msg: "you must set dashboard_admin_password and grafana_admin_password."
+      when:
+        - dashboard_admin_password is undefined
+          or grafana_admin_password is undefined
   when: dashboard_enabled | bool
 
 - name: validate container registry credentials