From 72a0336c71cee8bd0a375ac47cb45a292844edc8 Mon Sep 17 00:00:00 2001 From: Guillaume Abrioux Date: Tue, 6 Jul 2021 14:18:51 +0200 Subject: [PATCH] dashboard: remove "certificate is valid for" error When deploying dashboard with ssl certificates generated by ceph-ansible, we enforce the CN to 'ceph-dashboard' which can makes application such alertmanager complain like following: `err="Post https://mgr0:8443/api/prometheus_receiver: x509: certificate is valid for ceph-dashboard, not mgr0" context_err="context deadline exceeded"` The idea here is to add alternative names matching all mgr/mon instances in the certificate so this error won't appear in logs. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1978869 Signed-off-by: Guillaume Abrioux --- group_vars/all.yml.sample | 1 + group_vars/rhcs.yml.sample | 1 + .../tasks/configure_dashboard.yml | 29 ++++++++++++++++--- .../tasks/configure_dashboard_backends.yml | 16 ---------- roles/ceph-defaults/defaults/main.yml | 1 + 5 files changed, 28 insertions(+), 20 deletions(-) delete mode 100644 roles/ceph-dashboard/tasks/configure_dashboard_backends.yml diff --git a/group_vars/all.yml.sample b/group_vars/all.yml.sample index f318d28e8..eac3b3988 100644 --- a/group_vars/all.yml.sample +++ b/group_vars/all.yml.sample @@ -654,6 +654,7 @@ dummy: # We only need this for SSL (https) connections #dashboard_crt: '' #dashboard_key: '' +#dashboard_certificate_cn: ceph-dashboard #dashboard_tls_external: false #dashboard_grafana_api_no_ssl_verify: "{{ true if dashboard_protocol == 'https' and not grafana_crt and not grafana_key else false }}" #dashboard_rgw_api_user_id: ceph-dashboard diff --git a/group_vars/rhcs.yml.sample b/group_vars/rhcs.yml.sample index ad73a8bc0..f369bf41e 100644 --- a/group_vars/rhcs.yml.sample +++ b/group_vars/rhcs.yml.sample 
@@ -654,6 +654,7 @@ containerized_deployment: true # We only need this for SSL (https) connections #dashboard_crt: '' #dashboard_key: '' +#dashboard_certificate_cn: ceph-dashboard #dashboard_tls_external: false #dashboard_grafana_api_no_ssl_verify: "{{ true if dashboard_protocol == 'https' and not grafana_crt and not grafana_key else false }}" #dashboard_rgw_api_user_id: ceph-dashboard diff --git a/roles/ceph-dashboard/tasks/configure_dashboard.yml b/roles/ceph-dashboard/tasks/configure_dashboard.yml index 38ed17605..6fd7a211e 100644 --- a/roles/ceph-dashboard/tasks/configure_dashboard.yml +++ b/roles/ceph-dashboard/tasks/configure_dashboard.yml @@ -8,6 +8,16 @@ set_fact: ceph_cmd: "{{ hostvars[groups[mon_group_name][0]]['container_binary'] + ' run --interactive --net=host --rm -v /etc/ceph:/etc/ceph:z --entrypoint=ceph ' + ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment | bool else 'ceph' }}" +- name: get current mgr backend - ipv4 + set_fact: + dashboard_server_addr: "{{ ansible_facts['all_ipv4_addresses'] | ips_in_ranges(dashboard_network.split(',')) | first }}" + when: ip_version == 'ipv4' + +- name: get current mgr backend - ipv6 + set_fact: + dashboard_server_addr: "{{ ansible_facts['all_ipv6_addresses'] | ips_in_ranges(dashboard_network.split(',')) | last }}" + when: ip_version == 'ipv6' + - name: disable SSL for dashboard when: dashboard_protocol == "http" delegate_to: "{{ groups[mon_group_name][0] }}" 
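Review bot: `| first` (and `| last` for IPv6) on the `ips_in_ranges` result raises an opaque "sequence was empty" error when none of the host's addresses falls inside `dashboard_network`, and when `ip_version` is neither `ipv4` nor `ipv6` both tasks are skipped and `dashboard_server_addr` stays undefined for the SAN and `config set` tasks later in this file. This is moved rather than new code, but it now runs on every play host, so a clearer fail-fast is worth adding ahead of these two tasks, e.g. an `assert` that `ansible_facts['all_' ~ ip_version ~ '_addresses'] | ips_in_ranges(dashboard_network.split(',')) | length > 0` with a `fail_msg` naming `dashboard_network` and the host.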
@@ -55,10 +65,19 @@ - name: generate and copy self-signed certificate when: dashboard_key | length == 0 or dashboard_crt | length == 0 block: + - name: set_fact subj_alt_names + set_fact: + subj_alt_names: > + {% for host in groups[mgr_group_name] | default(groups[mon_group_name]) -%} + subjectAltName={{ hostvars[host]['ansible_facts']['hostname'] }}/subjectAltName={{ hostvars[host]['dashboard_server_addr'] }}/subjectAltName={{ hostvars[host]['ansible_facts']['fqdn'] }} + {%- if loop.last %}/{% endif %} + {%- endfor -%} + run_once: true + - name: generate a Self Signed OpenSSL certificate for dashboard shell: | test -f /etc/ceph/ceph-dashboard.key -a -f /etc/ceph/ceph-dashboard.crt || \ - openssl req -new -nodes -x509 -subj '/O=IT/CN=ceph-dashboard' -days 3650 -keyout /etc/ceph/ceph-dashboard.key -out /etc/ceph/ceph-dashboard.crt -extensions v3_ca + openssl req -new -nodes -x509 -subj '/O=IT/CN={{ dashboard_certificate_cn }}/{{ subj_alt_names | trim }}' -days 3650 -keyout /etc/ceph/ceph-dashboard.key -out /etc/ceph/ceph-dashboard.crt -extensions v3_ca run_once: True - name: slurp self-signed generated certificate for dashboard @@ -108,10 +127,12 @@ changed_when: false failed_when: false # Do not fail if the option does not exist, it only exists post-14.2.0 -- include_tasks: configure_dashboard_backends.yml +- name: config the current dashboard backend + command: "{{ container_exec_cmd }} ceph --cluster {{ cluster }} config set mgr mgr/dashboard/{{ hostvars[item]['ansible_facts']['hostname'] }}/server_addr {{ hostvars[item]['dashboard_server_addr'] }}" + delegate_to: "{{ groups[mon_group_name][0] }}" + changed_when: false + run_once: true with_items: '{{ groups[mgr_group_name] | default(groups[mon_group_name]) }}' - vars: - dashboard_backend: '{{ item }}' - name: disable mgr dashboard module (restart) ceph_mgr_module: 
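Review bot: The `subjectAltName=` components appended to `-subj` on the `openssl req` line are parsed as attributes of the subject DN, not as an X.509 subjectAltName extension, so alertmanager's Go TLS client (which matches against SANs and, since Go 1.15, ignores the CN altogether) will keep reporting "certificate is valid for ceph-dashboard, not mgr0". SAN entries also need type prefixes, and the `dashboard_server_addr` value must be an `IP:` entry rather than a DNS name. Build a comma-separated `DNS:`/`IP:` list and pass it with `-addext` (OpenSSL 1.1.1+), as below; the `test -f … ||` guard means hosts that already carry a CN-only certificate keep it until it is removed or a `dashboard_crt`/`dashboard_key` pair is supplied. The enclosing `block:` starts before this hunk.
```yaml
    - name: set_fact subj_alt_names
      set_fact:
        subj_alt_names: >-
          {% for host in groups[mgr_group_name] | default(groups[mon_group_name]) -%}
          DNS:{{ hostvars[host]['ansible_facts']['hostname'] }},IP:{{ hostvars[host]['dashboard_server_addr'] }},DNS:{{ hostvars[host]['ansible_facts']['fqdn'] }}
          {%- if not loop.last %},{% endif %}
          {%- endfor -%}
      run_once: true

    - name: generate a Self Signed OpenSSL certificate for dashboard
      shell: |
        test -f /etc/ceph/ceph-dashboard.key -a -f /etc/ceph/ceph-dashboard.crt || \
        openssl req -new -nodes -x509 -subj '/O=IT/CN={{ dashboard_certificate_cn }}' -addext 'subjectAltName = {{ subj_alt_names | trim }}' -days 3650 -keyout /etc/ceph/ceph-dashboard.key -out /etc/ceph/ceph-dashboard.crt -extensions v3_ca
      run_once: True
    # … unchanged: slurp of the generated certificate …
```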
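Review bot: `hostvars[item]['dashboard_server_addr']` on the inlined `config set` command depends on the per-host `set_fact` earlier in this file having run on every member of the mgr (or mon) group; a run with `--limit` that leaves out a manager, or a host whose `ip_version` is neither `ipv4` nor `ipv6`, now fails here with an undefined-variable error instead of a message that says which host is missing. Since the loop is `run_once`, an explicit check before it would make that clear, for example the assert below. `changed_when: false` on a command that writes cluster config is also inaccurate in the play recap, though `ceph config set` gives nothing obvious to key a change on.
```yaml
- name: check dashboard backend address is known for every mgr
  assert:
    that: hostvars[item]['dashboard_server_addr'] is defined
    fail_msg: "dashboard_server_addr is not set for {{ item }}; the play must run against every mgr host"
  with_items: '{{ groups[mgr_group_name] | default(groups[mon_group_name]) }}'
  run_once: true
# … unchanged: config the current dashboard backend …
```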
diff --git a/roles/ceph-dashboard/tasks/configure_dashboard_backends.yml b/roles/ceph-dashboard/tasks/configure_dashboard_backends.yml deleted file mode 100644 index d094e446f..000000000 --- a/roles/ceph-dashboard/tasks/configure_dashboard_backends.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- -- name: get current mgr backend - ipv4 - set_fact: - dashboard_server_addr: "{{ hostvars[dashboard_backend]['ansible_facts']['all_ipv4_addresses'] | ips_in_ranges(dashboard_network.split(',')) | first }}" - when: ip_version == 'ipv4' - -- name: get current mgr backend - ipv6 - set_fact: - dashboard_server_addr: "{{ hostvars[dashboard_backend]['ansible_facts']['all_ipv6_addresses'] | ips_in_ranges(dashboard_network.split(',')) | last }}" - when: ip_version == 'ipv6' - -- name: config the current dashboard backend - command: "{{ container_exec_cmd }} ceph --cluster {{ cluster }} config set mgr mgr/dashboard/{{ hostvars[dashboard_backend]['ansible_facts']['hostname'] }}/server_addr {{ dashboard_server_addr }}" - delegate_to: "{{ groups[mon_group_name][0] }}" - changed_when: false - run_once: true diff --git a/roles/ceph-defaults/defaults/main.yml b/roles/ceph-defaults/defaults/main.yml index 1919a98b9..d55ce0fce 100644 --- a/roles/ceph-defaults/defaults/main.yml +++ b/roles/ceph-defaults/defaults/main.yml @@ -646,6 +646,7 @@ dashboard_admin_user_ro: false # We only need this for SSL (https) connections dashboard_crt: '' dashboard_key: '' +dashboard_certificate_cn: ceph-dashboard dashboard_tls_external: false dashboard_grafana_api_no_ssl_verify: "{{ true if dashboard_protocol == 'https' and not grafana_crt and not grafana_key else false }}" dashboard_rgw_api_user_id: ceph-dashboard