From: dudy <dudydev@proton.me>
Date: Thu, 30 Oct 2025 19:57:37 +0000 (+0100)
Subject: doc/cephadm/services: Clarify service discovery auth in monitoring.rst
X-Git-Tag: testing/wip-vshankar-testing-20251102.170524-debug~5^2
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=4195243a4a5e26ffeb98b6c4f61e1ee669851826;p=ceph-ci.git

doc/cephadm/services: Clarify service discovery auth in monitoring.rst

Signed-off-by: Dudy <dudythegoat@proton.me>
---

diff --git a/doc/cephadm/services/monitoring.rst b/doc/cephadm/services/monitoring.rst
index e88c7fc7cfe..63a91708fd6 100644
--- a/doc/cephadm/services/monitoring.rst
+++ b/doc/cephadm/services/monitoring.rst
@@ -103,6 +103,7 @@ few minutes until all components are fully operational. The updated secure confi
 #. Alertmanager: basic authentication is required to access the web portal and TLS is enabled for secure communication.
 #. Node Exporter: TLS is enabled for secure communication.
 #. Grafana: TLS is enabled and authentication is requiered to access the datasource information.
+#. Cephadm service discovery endpoint: basic authentication is required to access service discovery information, and TLS is enabled for secure communication.
 
 In this secure setup, users will need to setup authentication
 (username/password) for both Prometheus and Alertmanager. By default the
@@ -114,6 +115,32 @@ file, which enhances security. Additionally, Cephadm provides the commands
 ``orch prometheus get-credentials`` and ``orch alertmanager get-credentials`` to
 retrieve the current credentials.
 
+.. note::
+
+   The credentials used for the cephadm service discovery endpoint (the
+   endpoint that listens on ``https://<mgr-ip>:8765/sd/`` when security is
+   enabled) can be retrieved and updated using the following config-key
+   commands. For example, to retrieve the current credentials run:
+
+   .. prompt:: bash #
+
+     ceph config-key get mgr/cephadm/service_discovery/root/username
+     ceph config-key get mgr/cephadm/service_discovery/root/password
+
+   To update the credentials (username/password) for service discovery,
+   run:
+
+   .. prompt:: bash #
+
+     ceph config-key set mgr/cephadm/service_discovery/root/username <username>
+     ceph config-key set mgr/cephadm/service_discovery/root/password <password>
+
+   After changing these credentials, redeploy the Manager so the changes take effect.
+
+   .. prompt:: bash #
+
+     ceph orch redeploy mgr
+
 .. _cephadm-monitoring-centralized-logs:
 
 Centralized Logging in Ceph
@@ -417,8 +444,12 @@ Here's an example Prometheus job definition that uses the cephadm service discov
 
      - job_name: 'ceph-exporter'  
        http_sd_configs:  
-       - url: http://<mgr-ip>:8765/sd/prometheus/sd-config?service=ceph-exporter
-
+       - url: https://<mgr-ip>:8765/sd/prometheus/sd-config?service=ceph-exporter
+         basic_auth:  
+           username: '<username>'  
+           password: '<password>'  
+         tls_config:  
+           ca_file: '/path/to/ca.crt'  
 
 * To enable the dashboard's Prometheus-based alerting, see :ref:`dashboard-alerting`.