From: Redouane Kachach Date: Mon, 9 Jun 2025 11:55:39 +0000 (+0200) Subject: mgr/prometheus: improve how we check security configuration status X-Git-Tag: v20.1.0~51^2~3 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=543cf7832d3ae453cde11ae770ce4e989ce8c8f5;p=ceph.git mgr/prometheus: improve how we check security configuration status So far we have been using some indirect methods for that. Let's be more explicit about the check and use the new API offered by the cephadm for that. Fixes: https://tracker.ceph.com/issues/71599 Signed-off-by: Redouane Kachach (cherry picked from commit 9f554ee8adc5bdf11f39146d73bc6438c0caecb1)
---
diff --git a/src/pybind/mgr/prometheus/module.py b/src/pybind/mgr/prometheus/module.py
index 273610f2ef7c..d3a7058e0547 100644
--- a/src/pybind/mgr/prometheus/module.py
+++ b/src/pybind/mgr/prometheus/module.py
@@ -1761,21 +1761,17 @@ class Module(MgrModule, OrchestratorClientMixin):
 self.get_file_sd_config()
 
 def configure(self, server_addr: str, server_port: int) -> None:
- # TODO(redo): this new check is hacky, we should provide an explit cmd
- # from cephadm to get/check the security status
-
- # if cephadm is configured with security then TLS must be used
- cmd = {'prefix': 'orch prometheus get-credentials'}
+ cmd = {'prefix': 'orch get-security-config'}
 ret, out, _ = self.mon_command(cmd)
 if ret == 0 and out is not None:
- access_info = json.loads(out)
- if access_info:
- try:
+ try:
+ security_config = json.loads(out)
+ if security_config.get('security_enabled', False):
 self.setup_tls_using_cephadm(server_addr, server_port)
 return
- except Exception as e:
- self.log.exception(f'Failed to setup cephadm based secure monitoring stack: {e}\n',
- 'Falling back to default configuration')
+ except Exception as e:
+ self.log.exception(f'Failed to setup cephadm based secure monitoring stack: {e}\n',
+ 'Falling back to default configuration')
 
 # In any error fallback to plain http mode
 self.setup_default_config(server_addr, server_port)
diff --git a/src/pybind/mgr/rook/module.py b/src/pybind/mgr/rook/module.py
index 34ed15bc67b3..0236004f02e1 100644
--- a/src/pybind/mgr/rook/module.py
+++ b/src/pybind/mgr/rook/module.py
@@ -531,6 +531,10 @@ class RookOrchestrator(MgrModule, orchestrator.Orchestrator):
 break
 return num_replicas, leaf_type
 
+ @handle_orch_error
+ def get_security_config(self) -> Dict[str, bool]:
+ return {}
+
 @handle_orch_error
 def remove_service(self, service_name: str, force: bool = False) -> str:
 if service_name == 'rbd-mirror':
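Review bot: The `self.log.exception(...)` call in the new `except` block of `configure` passes `'Falling back to default configuration'` as a second positional argument, which standard logging treats as a %-format argument; the message has no placeholder, so formatting likely fails and the one record explaining the downgrade is lost. Since `log.exception` already records the traceback, a single string is enough: `self.log.exception('Failed to setup cephadm based secure monitoring stack, falling back to default configuration')`. This matters more now that `json.loads(out)` sits inside the `try`: a malformed reply, or a TLS setup failure after `security_enabled` was read as true, falls through to `setup_default_config`, which the trailing comment describes as plain http. Consider a distinct warning on that path, or not serving plaintext once security is known to be enabled, so the exporter does not quietly run without TLS on a cluster configured for it.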
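Review bot: The new `get_security_config` in the Rook module returns `{}`, so "security disabled" is conveyed only through whatever default the caller applies, and nothing in the method says this is intentional. The prometheus hunk in this commit reads the reply with `.get('security_enabled', False)`, which tolerates the empty dict, but a consumer that indexes the key directly would raise. Returning `{'security_enabled': False}` states the negative explicitly and fits the `Dict[str, bool]` annotation. A one-line docstring such as `"""Report the security configuration; this backend always reports it as disabled."""` would record the intent.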