mirror of https://github.com/ceph/ceph-ansible.git
dashboard: remove "certificate is valid for" error
When deploying dashboard with ssl certificates generated by ceph-ansible, we enforce the CN to 'ceph-dashboard' which can makes application such alertmanager complain like following: `err="Post https://mgr0:8443/api/prometheus_receiver: x509: certificate is valid for ceph-dashboard, not mgr0" context_err="context deadline exceeded"` The idea here is to add alternative names matching all mgr/mon instances in the certificate so this error won't appear in logs. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1978869 Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>pull/6687/head
parent
c5a2239e5e
commit
72a0336c71
|
@ -654,6 +654,7 @@ dummy:
|
|||
# We only need this for SSL (https) connections
|
||||
#dashboard_crt: ''
|
||||
#dashboard_key: ''
|
||||
#dashboard_certificate_cn: ceph-dashboard
|
||||
#dashboard_tls_external: false
|
||||
#dashboard_grafana_api_no_ssl_verify: "{{ true if dashboard_protocol == 'https' and not grafana_crt and not grafana_key else false }}"
|
||||
#dashboard_rgw_api_user_id: ceph-dashboard
|
||||
|
|
|
@ -654,6 +654,7 @@ containerized_deployment: true
|
|||
# We only need this for SSL (https) connections
|
||||
#dashboard_crt: ''
|
||||
#dashboard_key: ''
|
||||
#dashboard_certificate_cn: ceph-dashboard
|
||||
#dashboard_tls_external: false
|
||||
#dashboard_grafana_api_no_ssl_verify: "{{ true if dashboard_protocol == 'https' and not grafana_crt and not grafana_key else false }}"
|
||||
#dashboard_rgw_api_user_id: ceph-dashboard
|
||||
|
|
|
@ -8,6 +8,16 @@
|
|||
set_fact:
|
||||
ceph_cmd: "{{ hostvars[groups[mon_group_name][0]]['container_binary'] + ' run --interactive --net=host --rm -v /etc/ceph:/etc/ceph:z --entrypoint=ceph ' + ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment | bool else 'ceph' }}"
|
||||
|
||||
- name: get current mgr backend - ipv4
|
||||
set_fact:
|
||||
dashboard_server_addr: "{{ ansible_facts['all_ipv4_addresses'] | ips_in_ranges(dashboard_network.split(',')) | first }}"
|
||||
when: ip_version == 'ipv4'
|
||||
|
||||
- name: get current mgr backend - ipv6
|
||||
set_fact:
|
||||
dashboard_server_addr: "{{ ansible_facts['all_ipv6_addresses'] | ips_in_ranges(dashboard_network.split(',')) | last }}"
|
||||
when: ip_version == 'ipv6'
|
||||
|
||||
- name: disable SSL for dashboard
|
||||
when: dashboard_protocol == "http"
|
||||
delegate_to: "{{ groups[mon_group_name][0] }}"
|
||||
|
@ -55,10 +65,19 @@
|
|||
- name: generate and copy self-signed certificate
|
||||
when: dashboard_key | length == 0 or dashboard_crt | length == 0
|
||||
block:
|
||||
- name: set_fact subj_alt_names
|
||||
set_fact:
|
||||
subj_alt_names: >
|
||||
{% for host in groups[mgr_group_name] | default(groups[mon_group_name]) -%}
|
||||
subjectAltName={{ hostvars[host]['ansible_facts']['hostname'] }}/subjectAltName={{ hostvars[host]['dashboard_server_addr'] }}/subjectAltName={{ hostvars[host]['ansible_facts']['fqdn'] }}
|
||||
{%- if loop.last %}/{% endif %}
|
||||
{%- endfor -%}
|
||||
run_once: true
|
||||
|
||||
- name: generate a Self Signed OpenSSL certificate for dashboard
|
||||
shell: |
|
||||
test -f /etc/ceph/ceph-dashboard.key -a -f /etc/ceph/ceph-dashboard.crt || \
|
||||
openssl req -new -nodes -x509 -subj '/O=IT/CN=ceph-dashboard' -days 3650 -keyout /etc/ceph/ceph-dashboard.key -out /etc/ceph/ceph-dashboard.crt -extensions v3_ca
|
||||
openssl req -new -nodes -x509 -subj '/O=IT/CN={{ dashboard_certificate_cn }}/{{ subj_alt_names | trim }}' -days 3650 -keyout /etc/ceph/ceph-dashboard.key -out /etc/ceph/ceph-dashboard.crt -extensions v3_ca
|
||||
run_once: True
|
||||
|
||||
- name: slurp self-signed generated certificate for dashboard
|
||||
|
@ -108,10 +127,12 @@
|
|||
changed_when: false
|
||||
failed_when: false # Do not fail if the option does not exist, it only exists post-14.2.0
|
||||
|
||||
- include_tasks: configure_dashboard_backends.yml
|
||||
- name: config the current dashboard backend
|
||||
command: "{{ container_exec_cmd }} ceph --cluster {{ cluster }} config set mgr mgr/dashboard/{{ hostvars[item]['ansible_facts']['hostname'] }}/server_addr {{ hostvars[item]['dashboard_server_addr'] }}"
|
||||
delegate_to: "{{ groups[mon_group_name][0] }}"
|
||||
changed_when: false
|
||||
run_once: true
|
||||
with_items: '{{ groups[mgr_group_name] | default(groups[mon_group_name]) }}'
|
||||
vars:
|
||||
dashboard_backend: '{{ item }}'
|
||||
|
||||
- name: disable mgr dashboard module (restart)
|
||||
ceph_mgr_module:
|
||||
|
|
|
@ -1,16 +0,0 @@
|
|||
---
|
||||
- name: get current mgr backend - ipv4
|
||||
set_fact:
|
||||
dashboard_server_addr: "{{ hostvars[dashboard_backend]['ansible_facts']['all_ipv4_addresses'] | ips_in_ranges(dashboard_network.split(',')) | first }}"
|
||||
when: ip_version == 'ipv4'
|
||||
|
||||
- name: get current mgr backend - ipv6
|
||||
set_fact:
|
||||
dashboard_server_addr: "{{ hostvars[dashboard_backend]['ansible_facts']['all_ipv6_addresses'] | ips_in_ranges(dashboard_network.split(',')) | last }}"
|
||||
when: ip_version == 'ipv6'
|
||||
|
||||
- name: config the current dashboard backend
|
||||
command: "{{ container_exec_cmd }} ceph --cluster {{ cluster }} config set mgr mgr/dashboard/{{ hostvars[dashboard_backend]['ansible_facts']['hostname'] }}/server_addr {{ dashboard_server_addr }}"
|
||||
delegate_to: "{{ groups[mon_group_name][0] }}"
|
||||
changed_when: false
|
||||
run_once: true
|
|
@ -646,6 +646,7 @@ dashboard_admin_user_ro: false
|
|||
# We only need this for SSL (https) connections
|
||||
dashboard_crt: ''
|
||||
dashboard_key: ''
|
||||
dashboard_certificate_cn: ceph-dashboard
|
||||
dashboard_tls_external: false
|
||||
dashboard_grafana_api_no_ssl_verify: "{{ true if dashboard_protocol == 'https' and not grafana_crt and not grafana_key else false }}"
|
||||
dashboard_rgw_api_user_id: ceph-dashboard
|
||||
|
|
Loading…
Reference in New Issue