Fix for TLS dashboard #5155

Merged
merged 2 commits into from Apr 7, 2020

thotypous
Contributor

Setting up a TLS dashboard currently causes some issues, as initially reported in #5053. Problems were partially fixed by #5055, but some issues remain:

  • Setting dashboard_protocol to https causes the dashboard to try accessing Prometheus API through https too. However, Prometheus does not support TLS natively. Setting up a reverse proxy such as nginx would be needed for this. For now, we just fix the protocol as plain http, which is what Prometheus supports.

  • People are currently using ceph dashboard set-grafana-api-ssl-verify False as a workaround to get Grafana to work with TLS. In order to get the certificate to validate correctly, we can allow the user to override grafana_server_addr with a FQDN listed in the certificate's CN or altsubjects.

Just for reference, I'm deploying with the following config:

dashboard_protocol: https
dashboard_admin_user: admin
dashboard_admin_password: ommited
dashboard_crt: 'ceph.crt'
dashboard_key: 'ceph.key'
grafana_admin_user: admin
grafana_admin_password: ommited
grafana_crt: 'ceph.crt'
grafana_key: 'ceph.key'
grafana_server_addr: somedomain.ufscar.br
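
The certificate-name mismatch behind the ssl-verify workaround, as an added example (not code from this PR or from ceph-ansible): a simplified RFC 6125-style check of whether the address handed to the dashboard is covered by the Grafana certificate. The sample certificate dict, the IP `192.0.2.10`, the `*.ceph.example` entry, the function names, and the premise that the auto-detected address is an IP are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample, shaped like the dict ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "somedomain.ufscar.br"),),),
    "subjectAltName": (("DNS", "somedomain.ufscar.br"), ("DNS", "*.ceph.example")),
}


def _dns_match(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole leftmost label."""
    p, h = pattern.lower().rstrip(".").split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def addr_validates(cert, addr):
    """Return True if addr (IP or FQDN) is covered by the certificate."""
    san = cert.get("subjectAltName", ())
    try:
        want = ipaddress.ip_address(addr)
    except ValueError:
        want = None
    if want is not None:
        # IP addresses only match iPAddress SAN entries, never DNS names or the CN.
        return any(k == "IP Address" and ipaddress.ip_address(v) == want for k, v in san)
    dns = [v for k, v in san if k == "DNS"]
    if not dns:
        # Fall back to the subject CN only when no DNS SAN is present.
        dns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(p, addr) for p in dns)


def check_grafana_addr(cert, detected_addr, override=None):
    """Hypothetical helper: use the override if set, else the auto-detected address."""
    addr = override or detected_addr
    return addr, addr_validates(cert, addr)


if __name__ == "__main__":
    # Assumed auto-detected IP: not in the certificate, so verification would fail.
    print(check_grafana_addr(SAMPLE_CERT, "192.0.2.10"))
    # Overridden with the FQDN from the certificate: verification can stay enabled.
    print(check_grafana_addr(SAMPLE_CERT, "192.0.2.10", "somedomain.ufscar.br"))
```
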

Trying to access these APIs through TLS produces "Could not reach
external API" errors in Ceph dashboard.

Signed-off-by: Paulo Matias <matias@ufscar.br>
@guits
Collaborator

guits commented Apr 2, 2020

@fmount @fultonj @gfidente FYI

@fmount
Contributor

fmount commented Apr 2, 2020

@thotypous how can you deal with multiple grafana instances?
One of the main supported scenarios, which is the reason to properly compute the grafana_server_addr fact, is to allow users to define multiple grafana servers and configure the ini file using the correct fact computed on the current node in which grafana is deployed.

This is needed to get a TLS certificate to validate correctly.

If unspecified, auto-detected grafana_server_addr is used.

Signed-off-by: Paulo Matias <matias@ufscar.br>
@thotypous
Contributor Author

Sorry for the delay. I had several issues with the cluster I was using for tests and only got to test the patch against master a few minutes ago.

The previous approach was completely incorrect, sorry. I was originally testing against cae24dd, then took too long to send the PR and messed up when rebasing. I didn't pay attention to the new grafana_server_addrs fact.

@fmount Please take a look at the new approach.

@thotypous thotypous requested a review from guits April 3, 2020 01:57
@guits guits merged commit 38ce02c into ceph:master Apr 7, 2020