From c39e7cb1516eebd57a2d5ca99e8e5aeefc77a980 Mon Sep 17 00:00:00 2001
From: Dimitri Savineau <dsavinea@redhat.com>
Date: Fri, 23 Jul 2021 10:27:55 -0400
Subject: [PATCH] alertmanager: allow disable dashboard tls verify

When using self-signed/untrusted CA certificates, alertmanager displays
an error in logs. With this commit this should make those messages
disappear.

Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1936299

Co-authored-by: Guillaume Abrioux <gabrioux@redhat.com>

Signed-off-by: Dimitri Savineau <dsavinea@redhat.com>
(cherry picked from commit 9f77b929d145512e0d8886b96caf6047c5072a68)
---
 group_vars/all.yml.sample                           | 1 +
 group_vars/rhcs.yml.sample                          | 1 +
 roles/ceph-defaults/defaults/main.yml               | 1 +
 roles/ceph-prometheus/templates/alertmanager.yml.j2 | 5 +++++
 4 files changed, 8 insertions(+)

diff --git a/group_vars/all.yml.sample b/group_vars/all.yml.sample
index 7a6ff86d5..06a46d5e8 100644
--- a/group_vars/all.yml.sample
+++ b/group_vars/all.yml.sample
@@ -821,6 +821,7 @@ dummy:
 #alertmanager_port: 9093
 #alertmanager_cluster_port: 9094
 #alertmanager_conf_overrides: {}
+#alertmanager_dashboard_api_no_ssl_verify: "{{ true if dashboard_protocol == 'https' and not dashboard_crt and not dashboard_key else false }}"
 # igw
 #
 # `igw_network` variable is intended for allowing dashboard deployment with iSCSI node not residing in the same subnet than what is defined in `public_network`.
diff --git a/group_vars/rhcs.yml.sample b/group_vars/rhcs.yml.sample
index 43e90ae52..7e9fe30e9 100644
--- a/group_vars/rhcs.yml.sample
+++ b/group_vars/rhcs.yml.sample
@@ -821,6 +821,7 @@ alertmanager_container_image: registry.redhat.io/openshift4/ose-prometheus-alert
 #alertmanager_port: 9093
 #alertmanager_cluster_port: 9094
 #alertmanager_conf_overrides: {}
+#alertmanager_dashboard_api_no_ssl_verify: "{{ true if dashboard_protocol == 'https' and not dashboard_crt and not dashboard_key else false }}"
 # igw
 #
 # `igw_network` variable is intended for allowing dashboard deployment with iSCSI node not residing in the same subnet than what is defined in `public_network`.
diff --git a/roles/ceph-defaults/defaults/main.yml b/roles/ceph-defaults/defaults/main.yml
index fe4408ae9..4a8c55721 100644
--- a/roles/ceph-defaults/defaults/main.yml
+++ b/roles/ceph-defaults/defaults/main.yml
@@ -813,6 +813,7 @@ alertmanager_conf_dir: /etc/alertmanager
 alertmanager_port: 9093
 alertmanager_cluster_port: 9094
 alertmanager_conf_overrides: {}
+alertmanager_dashboard_api_no_ssl_verify: "{{ true if dashboard_protocol == 'https' and not dashboard_crt and not dashboard_key else false }}"
 # igw
 #
 # `igw_network` variable is intended for allowing dashboard deployment with iSCSI node not residing in the same subnet than what is defined in `public_network`.
diff --git a/roles/ceph-prometheus/templates/alertmanager.yml.j2 b/roles/ceph-prometheus/templates/alertmanager.yml.j2
index 2ca58f417..63dfbf701 100644
--- a/roles/ceph-prometheus/templates/alertmanager.yml.j2
+++ b/roles/ceph-prometheus/templates/alertmanager.yml.j2
@@ -12,4 +12,9 @@ receivers:
   webhook_configs:
 {% for host in groups['mgrs'] | default(groups['mons']) %}
   - url: '{{ dashboard_protocol }}://{{ hostvars[host]['ansible_facts']['fqdn'] }}:{{ dashboard_port }}/api/prometheus_receiver'
+{% if dashboard_protocol == 'https' and alertmanager_dashboard_api_no_ssl_verify | bool %}
+    http_config:
+      tls_config:
+        insecure_skip_verify: true
+{% endif %}
 {% endfor %}