From 350401ea0ad129c52f1e2b0adb4747d84cb65dcf Mon Sep 17 00:00:00 2001 From: Redouane Kachach Date: Tue, 27 Feb 2024 15:52:25 +0100 Subject: [PATCH] doc: adding documentation for secure monitoring stack configuration Fixes: https://tracker.ceph.com/issues/64596 Signed-off-by: Redouane Kachach --- doc/cephadm/services/monitoring.rst | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/doc/cephadm/services/monitoring.rst b/doc/cephadm/services/monitoring.rst index 33bffdc0157..985661469ff 100644 --- a/doc/cephadm/services/monitoring.rst +++ b/doc/cephadm/services/monitoring.rst 
@@ -83,6 +83,33 @@ steps below: ceph orch apply grafana +Enabling security for the monitoring stack +---------------------------------------------- + +By default, in a cephadm managed cluster, the monitoring components are set up and configured without incorporating any security measures. +While this setup might suffice for certain deployments, other users with stricter security needs may find it necessary to protect their +monitoring stack against unauthorized access to metrics and data. In such cases, cephadm relies on a specific configuration parameter, +`mgr/cephadm/secure_monitoring_stack`, which toggles the security settings for all monitoring components. To activate security +measures, users must set this variable to true, as following: + + .. prompt:: bash # + + ceph config set mgr mgr/cephadm/secure_monitoring_stack true + +This configuration change will trigger a sequence of reconfigurations across all monitoring daemons, typically requiring +few minutes until all components are fully operational. The updated secure configuration includes the following modifications: + +#. Prometheus: basic authentication is requiered to access the web portal and TLS is enabled for secure communication. +#. Alertmanager: basic authentication is requiered to access the web portal and TLS is enabled for secure communication. +#. Node Exporter: TLS is enabled for secure communication. +#. Grafana: TLS is enabled and authentication is requiered to access the datasource information. + +In this secure setup, users will need to setup authentication (username/password) for both Prometheus and Alertmanager. By default user/password are +set to admin/admin. The user can change these value through the commands `orch prometheus set-credentials` and `orch alertmanager set-credentials` +respectively. These commands offer the flexibility to input the username/password either as parameters or via a JSON file, which enhances security. 
Additionally, +Cephadm provides commands such as `orch prometheus get-credentials` and `orch alertmanager get-credentials` to retrieve the currently configured credentials such +as default values. + .. _cephadm-monitoring-centralized-logs: Centralized Logging in Ceph -- 2.39.5
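Review bot: the paragraph that introduces the admin/admin defaults ("By default user/password are set to admin/admin.") should tell the reader to change them immediately after enabling `mgr/cephadm/secure_monitoring_stack`, otherwise the "secure" setup ships with a well-known credential; a short `.. prompt:: bash #` block showing the full command form (the text currently writes `orch prometheus set-credentials` and `orch alertmanager set-credentials` without the leading `ceph`) would make that actionable, matching the `ceph config set mgr ...` prompt block earlier in the hunk. In the same paragraph, "via a JSON file, which enhances security" should say why the file form is preferred (credentials given as command-line parameters can end up in shell history and process listings) so the reader knows which form to use. Style points in the hunk: in RST, single backticks (`mgr/cephadm/secure_monitoring_stack`, `orch prometheus get-credentials`) are interpreted text, not literals, and should be double backticks; "requiered" appears three times and should be "required"; "as following" should be "as follows"; "typically requiring few minutes" should be "typically requiring a few minutes"; "will need to setup authentication" should be "set up"; "change these value" should be "these values"; and "to retrieve the currently configured credentials such as default values" should read "including the default values".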