Merge pull request #45860 from adk3798/alertmanager-skip-verify

mgr/cephadm: allow setting insecure_skip_verify for alertmanager Reviewed-by: Francesco Pantano <fpantano@redhat.com> Reviewed-by: Patrick Seidensal <pseidensal@suse.com>
2024-12-29 15:03:33 +00:00 · 2022-04-18 08:57:14 -04:00 · 2022-04-18 08:57:14 -04:00 · b6f42e6db3
commit b6f42e6db3
parent 73e806b7da e583d4ef1a
5 changed files with 35 additions and 0 deletions
--- a/doc/cephadm/services/monitoring.rst
+++ b/doc/cephadm/services/monitoring.rst
@ -387,6 +387,26 @@ added to the default receivers' ``<webhook_configs>`` configuration.

 Run ``reconfig`` on the service to update its configuration:

+.. prompt:: bash #
+
+  ceph orch reconfig alertmanager
+
+Turn on Certificate Validation
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If you are using certificates for alertmanager and want to make sure
+these certs are verified, you should set the "secure" option to
+true in your alertmanager spec (this defaults to false).
+
+.. code-block:: yaml
+
+    service_type: alertmanager
+    spec:
+      secure: true
+
+If you already had alertmanager daemons running before applying the spec
+you must reconfigure them to update their configuration
+
 .. prompt:: bash #

  ceph orch reconfig alertmanager
--- a/src/pybind/mgr/cephadm/services/monitoring.py
+++ b/src/pybind/mgr/cephadm/services/monitoring.py
@ -131,6 +131,10 @@ class AlertmanagerService(CephadmService):
        default_webhook_urls: List[str] = []

        spec = cast(AlertManagerSpec, self.mgr.spec_store[daemon_spec.service_name].spec)
+        try:
+            secure = spec.secure
+        except AttributeError:
+            secure = False
        user_data = spec.user_data
        if 'default_webhook_urls' in user_data and isinstance(
                user_data['default_webhook_urls'], list):
@ -175,6 +179,7 @@ class AlertmanagerService(CephadmService):
            'dashboard_urls': dashboard_urls,
            'default_webhook_urls': default_webhook_urls,
            'snmp_gateway_urls': snmp_gateway_urls,
+            'secure': secure,
        }
        yml = self.mgr.template.render('services/alertmanager/alertmanager.yml.j2', context)

--- a/src/pybind/mgr/cephadm/templates/services/alertmanager/alertmanager.yml.j2
+++ b/src/pybind/mgr/cephadm/templates/services/alertmanager/alertmanager.yml.j2
@ -3,6 +3,11 @@

 global:
  resolve_timeout: 5m
+{% if not secure %}
+  http_config:
+    tls_config:
+      insecure_skip_verify: true
+{% endif %}

 route:
  receiver: 'default'
--- a/src/pybind/mgr/cephadm/tests/test_services.py
+++ b/src/pybind/mgr/cephadm/tests/test_services.py
@ -251,6 +251,9 @@ class TestMonitoring:

                global:
                  resolve_timeout: 5m
+                  http_config:
+                    tls_config:
+                      insecure_skip_verify: true

                route:
                  receiver: 'default'
--- a/src/python-common/ceph/deployment/service_spec.py
+++ b/src/python-common/ceph/deployment/service_spec.py
@ -1112,6 +1112,7 @@ class AlertManagerSpec(MonitoringSpec):
                 config: Optional[Dict[str, str]] = None,
                 networks: Optional[List[str]] = None,
                 port: Optional[int] = None,
+                 secure: bool = False,
                 extra_container_args: Optional[List[str]] = None,
                 ):
        assert service_type == 'alertmanager'
@ -1136,6 +1137,7 @@ class AlertManagerSpec(MonitoringSpec):
        #                        added to the default receivers'
        #                        <webhook_configs> configuration.
        self.user_data = user_data or {}
+        self.secure = secure

    def get_port_start(self) -> List[int]:
        return [self.get_port(), 9094]