dashboard: remove "certificate is valid for" error

When deploying dashboard with ssl certificates generated by
ceph-ansible, we enforce the CN to 'ceph-dashboard', which can make
applications such as alertmanager complain like the following:

`err="Post https://mgr0:8443/api/prometheus_receiver: x509: certificate is valid for ceph-dashboard, not mgr0" context_err="context deadline exceeded"`

The idea here is to add alternative names matching all mgr/mon instances
in the certificate so this error won't appear in logs.

Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1978869

Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>
(cherry picked from commit 72a0336c71)
pull/6691/head
Guillaume Abrioux 2021-07-06 14:18:51 +02:00
parent b3dde31a06
commit 867376c30b
5 changed files with 28 additions and 20 deletions


@ -658,6 +658,7 @@ dummy:
# We only need this for SSL (https) connections # We only need this for SSL (https) connections
#dashboard_crt: '' #dashboard_crt: ''
#dashboard_key: '' #dashboard_key: ''
#dashboard_certificate_cn: ceph-dashboard
#dashboard_tls_external: false #dashboard_tls_external: false
#dashboard_grafana_api_no_ssl_verify: "{{ true if dashboard_protocol == 'https' and not grafana_crt and not grafana_key else false }}" #dashboard_grafana_api_no_ssl_verify: "{{ true if dashboard_protocol == 'https' and not grafana_crt and not grafana_key else false }}"
#dashboard_rgw_api_user_id: ceph-dashboard #dashboard_rgw_api_user_id: ceph-dashboard


@ -658,6 +658,7 @@ ceph_docker_registry_auth: true
# We only need this for SSL (https) connections # We only need this for SSL (https) connections
#dashboard_crt: '' #dashboard_crt: ''
#dashboard_key: '' #dashboard_key: ''
#dashboard_certificate_cn: ceph-dashboard
#dashboard_tls_external: false #dashboard_tls_external: false
#dashboard_grafana_api_no_ssl_verify: "{{ true if dashboard_protocol == 'https' and not grafana_crt and not grafana_key else false }}" #dashboard_grafana_api_no_ssl_verify: "{{ true if dashboard_protocol == 'https' and not grafana_crt and not grafana_key else false }}"
#dashboard_rgw_api_user_id: ceph-dashboard #dashboard_rgw_api_user_id: ceph-dashboard


@ -8,6 +8,16 @@
set_fact: set_fact:
ceph_cmd: "{{ hostvars[groups[mon_group_name][0]]['container_binary'] + ' run --interactive --net=host --rm -v /etc/ceph:/etc/ceph:z --entrypoint=ceph ' + ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment | bool else 'ceph' }}" ceph_cmd: "{{ hostvars[groups[mon_group_name][0]]['container_binary'] + ' run --interactive --net=host --rm -v /etc/ceph:/etc/ceph:z --entrypoint=ceph ' + ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment | bool else 'ceph' }}"
- name: get current mgr backend - ipv4
set_fact:
dashboard_server_addr: "{{ ansible_facts['all_ipv4_addresses'] | ips_in_ranges(dashboard_network.split(',')) | first }}"
when: ip_version == 'ipv4'
- name: get current mgr backend - ipv6
set_fact:
dashboard_server_addr: "{{ ansible_facts['all_ipv6_addresses'] | ips_in_ranges(dashboard_network.split(',')) | last }}"
when: ip_version == 'ipv6'
- name: disable SSL for dashboard - name: disable SSL for dashboard
when: dashboard_protocol == "http" when: dashboard_protocol == "http"
delegate_to: "{{ groups[mon_group_name][0] }}" delegate_to: "{{ groups[mon_group_name][0] }}"
@ -55,10 +65,19 @@
- name: generate and copy self-signed certificate - name: generate and copy self-signed certificate
when: dashboard_key | length == 0 or dashboard_crt | length == 0 when: dashboard_key | length == 0 or dashboard_crt | length == 0
block: block:
- name: set_fact subj_alt_names
set_fact:
subj_alt_names: >
{% for host in groups[mgr_group_name] | default(groups[mon_group_name]) -%}
subjectAltName={{ hostvars[host]['ansible_facts']['hostname'] }}/subjectAltName={{ hostvars[host]['dashboard_server_addr'] }}/subjectAltName={{ hostvars[host]['ansible_facts']['fqdn'] }}
{%- if loop.last %}/{% endif %}
{%- endfor -%}
run_once: true
- name: generate a Self Signed OpenSSL certificate for dashboard - name: generate a Self Signed OpenSSL certificate for dashboard
shell: | shell: |
test -f /etc/ceph/ceph-dashboard.key -a -f /etc/ceph/ceph-dashboard.crt || \ test -f /etc/ceph/ceph-dashboard.key -a -f /etc/ceph/ceph-dashboard.crt || \
openssl req -new -nodes -x509 -subj '/O=IT/CN=ceph-dashboard' -days 3650 -keyout /etc/ceph/ceph-dashboard.key -out /etc/ceph/ceph-dashboard.crt -extensions v3_ca openssl req -new -nodes -x509 -subj '/O=IT/CN={{ dashboard_certificate_cn }}/{{ subj_alt_names | trim }}' -days 3650 -keyout /etc/ceph/ceph-dashboard.key -out /etc/ceph/ceph-dashboard.crt -extensions v3_ca
run_once: True run_once: True
- name: slurp self-signed generated certificate for dashboard - name: slurp self-signed generated certificate for dashboard
@ -108,10 +127,12 @@
changed_when: false changed_when: false
failed_when: false # Do not fail if the option does not exist, it only exists post-14.2.0 failed_when: false # Do not fail if the option does not exist, it only exists post-14.2.0
- include_tasks: configure_dashboard_backends.yml - name: config the current dashboard backend
command: "{{ container_exec_cmd }} ceph --cluster {{ cluster }} config set mgr mgr/dashboard/{{ hostvars[item]['ansible_facts']['hostname'] }}/server_addr {{ hostvars[item]['dashboard_server_addr'] }}"
delegate_to: "{{ groups[mon_group_name][0] }}"
changed_when: false
run_once: true
with_items: '{{ groups[mgr_group_name] | default(groups[mon_group_name]) }}' with_items: '{{ groups[mgr_group_name] | default(groups[mon_group_name]) }}'
vars:
dashboard_backend: '{{ item }}'
- name: disable mgr dashboard module (restart) - name: disable mgr dashboard module (restart)
command: "{{ container_exec_cmd }} ceph --cluster {{ cluster }} mgr module disable dashboard" command: "{{ container_exec_cmd }} ceph --cluster {{ cluster }} mgr module disable dashboard"
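Review bot: The alternative names built in the `set_fact subj_alt_names` task end up inside the `-subj` DN string of the `openssl req` call in the second hunk, so they become Subject DN attributes rather than the subjectAltName extension, and a verifier that matches on the SAN extension (the Go x509 error quoted in the commit message) will still reject `mgr0`. The loop also emits no separator between hosts — `{%- if loop.last %}/{% endif %}` only appends a trailing slash — so with more than one mgr the second host's `subjectAltName=` is glued onto the previous host's fqdn. A fix is to build a comma-separated `DNS:`/`IP:` list and pass it with `-addext "subjectAltName=..."` (needs OpenSSL 1.1.1 or newer on the host running the task), as sketched below. The third hunk's loop reads `hostvars[item]['dashboard_server_addr']` for every host in the mgr/mon group, which presumably requires all of those hosts to have run the new `get current mgr backend` tasks in this play — worth confirming. The `generate and copy self-signed certificate` block continues outside the hunk.
```yaml
- name: set_fact subj_alt_names
  set_fact:
    subj_alt_names: >
      {% for host in groups[mgr_group_name] | default(groups[mon_group_name]) -%}
      DNS:{{ hostvars[host]['ansible_facts']['hostname'] }},DNS:{{ hostvars[host]['ansible_facts']['fqdn'] }},IP:{{ hostvars[host]['dashboard_server_addr'] }}{% if not loop.last %},{% endif %}
      {%- endfor -%}
  run_once: true
# … unchanged: task header and the `test -f ... ||` line of "generate a Self Signed OpenSSL certificate for dashboard" …
    openssl req -new -nodes -x509 -subj '/O=IT/CN={{ dashboard_certificate_cn }}' -addext "subjectAltName={{ subj_alt_names | trim }}" -days 3650 -keyout /etc/ceph/ceph-dashboard.key -out /etc/ceph/ceph-dashboard.crt -extensions v3_ca
```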


@ -1,16 +0,0 @@
---
- name: get current mgr backend - ipv4
set_fact:
dashboard_server_addr: "{{ hostvars[dashboard_backend]['ansible_facts']['all_ipv4_addresses'] | ips_in_ranges(dashboard_network.split(',')) | first }}"
when: ip_version == 'ipv4'
- name: get current mgr backend - ipv6
set_fact:
dashboard_server_addr: "{{ hostvars[dashboard_backend]['ansible_facts']['all_ipv6_addresses'] | ips_in_ranges(dashboard_network.split(',')) | last }}"
when: ip_version == 'ipv6'
- name: config the current dashboard backend
command: "{{ container_exec_cmd }} ceph --cluster {{ cluster }} config set mgr mgr/dashboard/{{ hostvars[dashboard_backend]['ansible_facts']['hostname'] }}/server_addr {{ dashboard_server_addr }}"
delegate_to: "{{ groups[mon_group_name][0] }}"
changed_when: false
run_once: true


@ -650,6 +650,7 @@ dashboard_admin_user_ro: false
# We only need this for SSL (https) connections # We only need this for SSL (https) connections
dashboard_crt: '' dashboard_crt: ''
dashboard_key: '' dashboard_key: ''
dashboard_certificate_cn: ceph-dashboard
dashboard_tls_external: false dashboard_tls_external: false
dashboard_grafana_api_no_ssl_verify: "{{ true if dashboard_protocol == 'https' and not grafana_crt and not grafana_key else false }}" dashboard_grafana_api_no_ssl_verify: "{{ true if dashboard_protocol == 'https' and not grafana_crt and not grafana_key else false }}"
dashboard_rgw_api_user_id: ceph-dashboard dashboard_rgw_api_user_id: ceph-dashboard