dashboard: remove "certificate is valid for" error

When deploying dashboard with ssl certificates generated by
ceph-ansible, we enforce the CN to 'ceph-dashboard' which can makes
application such alertmanager complain like following:

`err="Post https://mgr0:8443/api/prometheus_receiver: x509: certificate is valid for ceph-dashboard, not mgr0" context_err="context deadline exceeded"`

The idea here is to add alternative names matching all mgr/mon instances
in the certificate so this error won't appear in logs.

Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1978869

Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>
(cherry picked from commit 72a0336c71)

group_vars/all.yml.sample

@@ -750,6 +750,7 @@ dummy:
 # We only need this for SSL (https) connections
 #dashboard_crt: ''
 #dashboard_key: ''
+#dashboard_certificate_cn: ceph-dashboard
 #dashboard_tls_external: false
 #dashboard_grafana_api_no_ssl_verify: "{{ true if dashboard_protocol == 'https' and not grafana_crt and not grafana_key else false }}"
 #dashboard_rgw_api_user_id: ceph-dashboard

group_vars/rhcs.yml.sample

@@ -750,6 +750,7 @@ ceph_docker_registry_auth: true
 # We only need this for SSL (https) connections
 #dashboard_crt: ''
 #dashboard_key: ''
+#dashboard_certificate_cn: ceph-dashboard
 #dashboard_tls_external: false
 #dashboard_grafana_api_no_ssl_verify: "{{ true if dashboard_protocol == 'https' and not grafana_crt and not grafana_key else false }}"
 #dashboard_rgw_api_user_id: ceph-dashboard

roles/ceph-dashboard/tasks/configure_dashboard.yml

@@ -8,6 +8,16 @@
   set_fact:
     ceph_cmd: "{{ hostvars[groups[mon_group_name][0]]['container_binary'] + ' run --interactive --net=host --rm -v /etc/ceph:/etc/ceph:z --entrypoint=ceph ' + ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment | bool else 'ceph' }}"
 
+- name: get current mgr backend - ipv4
+  set_fact:
+    mgr_server_addr: "{{ ansible_facts['all_ipv4_addresses'] | ips_in_ranges(public_network.split(',')) | first }}"
+  when: ip_version == 'ipv4'
+
+- name: get current mgr backend - ipv6
+  set_fact:
+    mgr_server_addr: "{{ ansible_facts['all_ipv6_addresses'] | ips_in_ranges(public_network.split(',')) | last }}"
+  when: ip_version == 'ipv6'
+
 - name: disable SSL for dashboard
   command: "{{ container_exec_cmd }} ceph --cluster {{ cluster }} config set mgr mgr/dashboard/ssl false"
   delegate_to: "{{ groups[mon_group_name][0] }}"
@@ -47,10 +57,19 @@
     - name: generate and copy self-signed certificate
       when: dashboard_key | length == 0 or dashboard_crt | length == 0
       block:
+        - name: set_fact subj_alt_names
+          set_fact:
+            subj_alt_names: >
+              {% for host in groups[mgr_group_name] | default(groups[mon_group_name]) -%}
+              subjectAltName={{ hostvars[host]['ansible_facts']['hostname'] }}/subjectAltName={{ hostvars[host]['mgr_server_addr'] }}/subjectAltName={{ hostvars[host]['ansible_facts']['fqdn'] }}
+              {%- if loop.last %}/{% endif %}
+              {%- endfor -%}
+          run_once: true
+
         - name: generate a Self Signed OpenSSL certificate for dashboard
           shell: |
             test -f /etc/ceph/ceph-dashboard.key -a -f /etc/ceph/ceph-dashboard.crt || \
-            openssl req -new -nodes -x509 -subj '/O=IT/CN=ceph-dashboard' -days 3650 -keyout /etc/ceph/ceph-dashboard.key -out /etc/ceph/ceph-dashboard.crt -extensions v3_ca
+            openssl req -new -nodes -x509 -subj '/O=IT/CN={{ dashboard_certificate_cn }}/{{ subj_alt_names | trim }}' -days 3650 -keyout /etc/ceph/ceph-dashboard.key -out /etc/ceph/ceph-dashboard.crt -extensions v3_ca
           run_once: True
 
         - name: slurp self-signed generated certificate for dashboard
@@ -100,10 +119,12 @@
   changed_when: false
   failed_when: false # Do not fail if the option does not exist, it only exists post-14.2.0
 
-- include_tasks: configure_dashboard_backends.yml
+- name: config the current dashboard backend
+  command: "{{ container_exec_cmd }} ceph --cluster {{ cluster }} config set mgr mgr/dashboard/{{ hostvars[item]['ansible_facts']['hostname'] }}/server_addr {{ hostvars[item]['mgr_server_addr'] }}"
+  delegate_to: "{{ groups[mon_group_name][0] }}"
+  changed_when: false
+  run_once: true
   with_items: '{{ groups[mgr_group_name] | default(groups[mon_group_name]) }}'
-  vars:
-    dashboard_backend: '{{ item }}'
 
 - name: disable mgr dashboard module (restart)
   command: "{{ container_exec_cmd }} ceph --cluster {{ cluster }} mgr module disable dashboard"

roles/ceph-dashboard/tasks/configure_dashboard_backends.yml

@@ -1,16 +0,0 @@
----
-- name: get current mgr backend - ipv4
-  set_fact:
-    mgr_server_addr: "{{ hostvars[dashboard_backend]['ansible_facts']['all_ipv4_addresses'] | ips_in_ranges(public_network.split(',')) | first }}"
-  when: ip_version == 'ipv4'
-
-- name: get current mgr backend - ipv6
-  set_fact:
-    mgr_server_addr: "{{ hostvars[dashboard_backend]['ansible_facts']['all_ipv6_addresses'] | ips_in_ranges(public_network.split(',')) | last }}"
-  when: ip_version == 'ipv6'
-
-- name: config the current dashboard backend
-  command: "{{ container_exec_cmd }} ceph --cluster {{ cluster }} config set mgr mgr/dashboard/{{ hostvars[dashboard_backend]['ansible_facts']['hostname'] }}/server_addr {{ mgr_server_addr }}"
-  delegate_to: "{{ groups[mon_group_name][0] }}"
-  changed_when: false
-  run_once: true

roles/ceph-defaults/defaults/main.yml

@@ -742,6 +742,7 @@ dashboard_admin_user_ro: false
 # We only need this for SSL (https) connections
 dashboard_crt: ''
 dashboard_key: ''
+dashboard_certificate_cn: ceph-dashboard
 dashboard_tls_external: false
 dashboard_grafana_api_no_ssl_verify: "{{ true if dashboard_protocol == 'https' and not grafana_crt and not grafana_key else false }}"
 dashboard_rgw_api_user_id: ceph-dashboard