mgr/cephadm: Fix alertmanager TLS and global security handling
authorRedouane Kachach <rkachach@ibm.com>
Thu, 9 Oct 2025 10:17:52 +0000 (12:17 +0200)
committerRedouane Kachach <rkachach@ibm.com>
Thu, 9 Oct 2025 10:17:52 +0000 (12:17 +0200)
Refines the cephadm-managed Alertmanager template to clearly separate
global TLS behavior (secure) from a per-Dashboard override (enable_mtls).

Fixes: https://tracker.ceph.com/issues/69325
Signed-off-by: Redouane Kachach <rkachach@ibm.com>
src/pybind/mgr/cephadm/services/monitoring.py
src/pybind/mgr/cephadm/templates/services/alertmanager/alertmanager.yml.j2
src/pybind/mgr/cephadm/tests/test_services.py

index 3dc54f667a93c35f2602cdb1b6360adcaa8b0bab..c130679de36d1d276ad7e0a81798e191c6166c0f 100644 (file)
@@ -342,7 +342,7 @@ class AlertmanagerService(CephadmService):
                                      port=dd.ports[0], path='/alerts'))
 
         context = {
-            'security_enabled': security_enabled,
+            'enable_mtls': mgmt_gw_enabled,
             'dashboard_urls': dashboard_urls,
             'webhook_urls': webhook_urls,
             'snmp_gateway_urls': snmp_gateway_urls,
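Review bot: The `enable_mtls` key is set from `mgmt_gw_enabled` alone, but the template block it switches on references `root_cert.pem`, `alertmanager.crt` and `alertmanager.key`, and nothing in this hunk shows that those files are deployed whenever mgmt-gateway is enabled. If that is guaranteed elsewhere in the method (it starts and ends outside the hunk), a comment above the key would make the invariant explicit, e.g. `# cert files referenced by the template are always written when mgmt_gw_enabled is true`. If it is not guaranteed, Alertmanager would presumably fail to load a config that names missing files, and the condition should also require whichever flag triggers the cert deployment. It is also worth checking that `security_enabled` is still used in this method now that it is dropped from the context.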
index 671778601ed173982515a6934f37d645c042451a..4f32b091c492514617fb0532d36d2656bf0c67d6 100644 (file)
@@ -6,14 +6,8 @@ global:
 {% if not secure %}
   http_config:
     tls_config:
-{% if security_enabled %}
-      ca_file: root_cert.pem
-      cert_file: alertmanager.crt
-      key_file: alertmanager.key
-{% else %}
       insecure_skip_verify: true
 {% endif %}
-{% endif %}
 
 route:
   receiver: 'default'
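Review bot: With the `security_enabled` branch removed, the global `tls_config` is `insecure_skip_verify: true` whenever `secure` is false, so every receiver without its own `http_config` delivers alerts without verifying the server certificate. That includes the dashboard receivers when `enable_mtls` is false (hunk `@@ -53,6 +47,14 @@`) and, as far as the visible template shows, the snmp-gateway receiver and presumably any custom webhook receivers. Before this change a security-enabled deployment validated peers against `root_cert.pem`; now alert payloads in that setup can be delivered to an endpoint whose identity was never checked. If the trade-off is intended, state it in the template with a comment such as `{# global default: server certificates are not verified unless a receiver sets its own http_config #}`, and consider giving HTTPS dashboard receivers a `ca_file` even when mTLS is off.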
@@ -53,6 +47,14 @@ receivers:
   webhook_configs:
 {% for url in dashboard_urls %}
   - url: '{{ url }}/api/prometheus_receiver'
+  {% if enable_mtls %}
+    http_config:
+      tls_config:
+        insecure_skip_verify: false
+        ca_file: root_cert.pem
+        cert_file: alertmanager.crt
+        key_file: alertmanager.key
+  {% endif %}
 {% endfor %}
 {% if snmp_gateway_urls %}
 - name: 'snmp-gateway'
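Review bot: The `{% if enable_mtls %}` and `{% endif %}` tags are indented two spaces while the neighbouring `{% for url in dashboard_urls %}`, `{% endfor %}` and `{% if snmp_gateway_urls %}` tags sit at column 0, so the rendered indentation of the `http_config` block depends on the Jinja environment stripping leading whitespace before block tags. Putting both tags at column 0 keeps the template consistent and independent of that setting. `insecure_skip_verify: false` is Alertmanager's default and could be dropped, though keeping it is reasonable as a visible contrast to the global `true`.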
index c990129e769d08d4fd146d22699ea73e01132bf2..56ef831cf6b4ccdc85d5bef849cbf140388c1d33 100644 (file)
@@ -809,9 +809,7 @@ class TestMonitoring:
                   resolve_timeout: 5m
                   http_config:
                     tls_config:
-                      ca_file: root_cert.pem
-                      cert_file: alertmanager.crt
-                      key_file: alertmanager.key
+                      insecure_skip_verify: true
 
                 route:
                   receiver: 'default'
@@ -830,6 +828,12 @@ class TestMonitoring:
                 - name: 'ceph-dashboard'
                   webhook_configs:
                   - url: 'https://host_fqdn:29443/internal/dashboard/api/prometheus_receiver'
+                    http_config:
+                      tls_config:
+                        insecure_skip_verify: false
+                        ca_file: root_cert.pem
+                        cert_file: alertmanager.crt
+                        key_file: alertmanager.key
                 """).lstrip()
 
                 web_config = dedent("""
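Review bot: The updated expectations cover only the case where the dashboard receiver gets the mTLS block; no visible test renders the template with `enable_mtls` false and an HTTPS dashboard URL. A case asserting that the receiver then has no `http_config`, and so inherits the global `insecure_skip_verify: true` expected in hunks `@@ -809,9 +809,7 @@` and `@@ -911,9 +915,7 @@`, would pin the fallback behaviour this commit introduces. The test methods start and end outside these hunks, so such a case may already exist elsewhere in the file.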
@@ -911,9 +915,7 @@ class TestMonitoring:
                   resolve_timeout: 5m
                   http_config:
                     tls_config:
-                      ca_file: root_cert.pem
-                      cert_file: alertmanager.crt
-                      key_file: alertmanager.key
+                      insecure_skip_verify: true
 
                 route:
                   receiver: 'default'