Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix for TLS dashboard #5155

Merged
merged 2 commits into from Apr 7, 2020
Merged

Fix for TLS dashboard #5155

merged 2 commits into from Apr 7, 2020

Conversation

thotypous
Copy link
Contributor

Setting up a TLS dashboard currently causes some issues, as initially reported in #5053. Problems were partially fixed by #5055, but some issues remain:

  • Setting dashboard_protocol to https causes the dashboard to try accessing Prometheus API though https too. However, Prometheus does not support TLS natively. Setting up a reverse proxy such as nginx would be needed for this. For now, we just fix the protocol as plain http, which is what Prometheus supports.

  • People are currently using ceph dashboard set-grafana-api-ssl-verify False as a workaround to get Grafana to work with TLS. In order to get the certificate to validate correctly, we can allow the user to override grafana_server_addr with a FQDN listed in the certificate's CN or altsubjects.

Just for reference, I'm deploying with the following config:

dashboard_protocol: https
dashboard_admin_user: admin
dashboard_admin_password: ommited
dashboard_crt: 'ceph.crt'
dashboard_key: 'ceph.key'
grafana_admin_user: admin
grafana_admin_password: ommited
grafana_crt: 'ceph.crt'
grafana_key: 'ceph.key'
grafana_server_addr: somedomain.ufscar.br

guits
guits requested changes Apr 2, 2020
View reviewed changes
group_vars/all.yml.sample Outdated Show resolved Hide resolved
guits
guits requested changes Apr 2, 2020
View reviewed changes
roles/ceph-facts/tasks/grafana.yml Outdated Show resolved Hide resolved
@thotypous
Prometheus APIs are only available through plain http
a081f73 
Trying to access these APIs through TLS produces "Could not reach
external API" errors in Ceph dashboard.

Signed-off-by: Paulo Matias <matias@ufscar.br>
@guits
Copy link
Collaborator

guits commented Apr 2, 2020

@fmount @fultonj @gfidente FYI

@fmount
Copy link
Contributor

fmount commented Apr 2, 2020
edited

@thotypous how can you deal with multiple grafana instances?
One of the main supported scenarios which is the reason to properly compute the grafana_server_addr fact is to allow users defining multiple grafana servers and configuring the ini file using the correct fact computed on the current node in which grafana is deployed.

@thotypous
Allow user to specify grafana_server_fqdn
9479565 
This is needed to get a TLS certificate to validate correctly.

If unspecified, auto-detected grafana_server_addr is used.

Signed-off-by: Paulo Matias <matias@ufscar.br>
@thotypous
Copy link
Contributor Author

Sorry for the delay. I had several issues with the cluster I was using for tests and only got to test the patch against master a few minutes ago.

The previous approach was completely incorrect, sorry. I was originally testing against cae24dd, then took too long to send the PR and messed up when rebasing. I didn't pay attention to the new grafana_server_addrs fact.

@fmount Please take a look at the new approach.

@thotypous thotypous requested a review from guits April 3, 2020 01:57
@guits guits merged commit 38ce02c into ceph:master Apr 7, 2020
@mergify mergify bot mentioned this pull request Apr 7, 2020
Merged
@guits guits mentioned this pull request Aug 6, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@guits guits guits approved these changes

Assignees
No one assigned
Labels
backport-stable-4.0 backport-stable-5.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@thotypous @guits @fmount