From: Redouane Kachach Date: Thu, 9 Oct 2025 10:17:52 +0000 (+0200) Subject: mgr/cephadm: Fix alertmanager TLS and global security handling X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=9b3a96fc0f83ae8d3ab0911f02b84dd6140c4339;p=ceph-ci.git mgr/cephadm: Fix alertmanager TLS and global security handling Refines the cephadm-managed Alertmanager template to clearly separate global TLS behavior (secure) from a per-Dashboard override (enable_mtls). Fixes: https://tracker.ceph.com/issues/69325 Signed-off-by: Redouane Kachach --- diff --git a/src/pybind/mgr/cephadm/services/monitoring.py b/src/pybind/mgr/cephadm/services/monitoring.py index 3dc54f667a9..c130679de36 100644 --- a/src/pybind/mgr/cephadm/services/monitoring.py +++ b/src/pybind/mgr/cephadm/services/monitoring.py @@ -342,7 +342,7 @@ class AlertmanagerService(CephadmService): port=dd.ports[0], path='/alerts')) context = { - 'security_enabled': security_enabled, + 'enable_mtls': mgmt_gw_enabled, 'dashboard_urls': dashboard_urls, 'webhook_urls': webhook_urls, 'snmp_gateway_urls': snmp_gateway_urls, diff --git a/src/pybind/mgr/cephadm/templates/services/alertmanager/alertmanager.yml.j2 b/src/pybind/mgr/cephadm/templates/services/alertmanager/alertmanager.yml.j2 index 671778601ed..4f32b091c49 100644 --- a/src/pybind/mgr/cephadm/templates/services/alertmanager/alertmanager.yml.j2 +++ b/src/pybind/mgr/cephadm/templates/services/alertmanager/alertmanager.yml.j2 @@ -6,14 +6,8 @@ global: {% if not secure %} http_config: tls_config: -{% if security_enabled %} - ca_file: root_cert.pem - cert_file: alertmanager.crt - key_file: alertmanager.key -{% else %} insecure_skip_verify: true {% endif %} -{% endif %} route: receiver: 'default' 
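Review bot: The new `'enable_mtls': mgmt_gw_enabled` entry names a template effect while its value is a deployment condition, and nothing at the context dict explains why the two are equated. A comment such as `# Dashboard webhooks present the alertmanager client cert only when routed through mgmt-gateway` would make that explicit. Since `security_enabled` is no longer passed to the template, it is also worth confirming that `root_cert.pem`, `alertmanager.crt` and `alertmanager.key` are deployed whenever `mgmt_gw_enabled` is true, because the template now references them on that flag alone. The enclosing method starts and ends outside the hunk, so where those files are generated is not visible here.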
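Review bot: After this hunk the global `tls_config` under `{% if not secure %}` is always `insecure_skip_verify: true`, so the case that used to pin `ca_file: root_cert.pem` when `security_enabled` was true now sends notifications without verifying the peer certificate. Every receiver without its own `http_config` inherits this, and in this commit only the `ceph-dashboard` webhook gets one (the `@@ -53,6 +47,14 @@` hunk, and only under `enable_mtls`). If the downgrade is intended, state it in the template so operators know `secure` is the only switch for global verification. Otherwise keep a CA-pinned branch for the security-enabled case, which would need `security_enabled` passed in the context again. How `secure` is populated is not visible in this diff.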
@@ -53,6 +47,14 @@ receivers: webhook_configs: {% for url in dashboard_urls %} - url: '{{ url }}/api/prometheus_receiver' + {% if enable_mtls %} + http_config: + tls_config: + insecure_skip_verify: false + ca_file: root_cert.pem + cert_file: alertmanager.crt + key_file: alertmanager.key + {% endif %} {% endfor %} {% if snmp_gateway_urls %} - name: 'snmp-gateway' diff --git a/src/pybind/mgr/cephadm/tests/test_services.py b/src/pybind/mgr/cephadm/tests/test_services.py index c990129e769..56ef831cf6b 100644 --- a/src/pybind/mgr/cephadm/tests/test_services.py +++ b/src/pybind/mgr/cephadm/tests/test_services.py @@ -809,9 +809,7 @@ class TestMonitoring: resolve_timeout: 5m http_config: tls_config: - ca_file: root_cert.pem - cert_file: alertmanager.crt - key_file: alertmanager.key + insecure_skip_verify: true route: receiver: 'default' @@ -830,6 +828,12 @@ class TestMonitoring: - name: 'ceph-dashboard' webhook_configs: - url: 'https://host_fqdn:29443/internal/dashboard/api/prometheus_receiver' + http_config: + tls_config: + insecure_skip_verify: false + ca_file: root_cert.pem + cert_file: alertmanager.crt + key_file: alertmanager.key """).lstrip() web_config = dedent(""" @@ -911,9 +915,7 @@ class TestMonitoring: resolve_timeout: 5m http_config: tls_config: - ca_file: root_cert.pem - cert_file: alertmanager.crt - key_file: alertmanager.key + insecure_skip_verify: true route: receiver: 'default'
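Review bot: The expected configs in `@@ -809,9 +809,7 @@` and `@@ -911,9 +915,7 @@` now pin `insecure_skip_verify: true` in the global block where they previously expected `ca_file`/`cert_file`/`key_file`, so the tests lock in skipped verification for setups that used to verify against the cluster CA. No visible hunk covers rendering with `secure` set, where the global `http_config` should be absent while the dashboard receiver still carries its own `tls_config`. A case for that combination would guard the override asserted in `@@ -830,6 +828,12 @@`. Test names and fixtures are outside the hunks, so coverage elsewhere in `TestMonitoring` may already include it.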