From e583d4ef1ac23a7473d50d253e0edf70580542ae Mon Sep 17 00:00:00 2001 From: Adam King Date: Wed, 6 Apr 2022 10:32:22 -0400 Subject: [PATCH] mgr/cephadm: allow setting insecure_skip_verify for alertmanager Add a "secure" parameter to alertmanager spec that will cause it to deploy alertmanagers with insecure_skip_verify as true or false depending on the value given for "secure". NOTE: alertmanager must still be reconfigured after applying a yaml with this option changed. Fixes: https://tracker.ceph.com/issues/55272 Fixes: https://tracker.ceph.com/issues/55333 Signed-off-by: Adam King --- doc/cephadm/services/monitoring.rst | 20 +++++++++++++++++++ src/pybind/mgr/cephadm/services/monitoring.py | 5 +++++ .../services/alertmanager/alertmanager.yml.j2 | 5 +++++ src/pybind/mgr/cephadm/tests/test_services.py | 3 +++ .../ceph/deployment/service_spec.py | 2 ++ 5 files changed, 35 insertions(+) diff --git a/doc/cephadm/services/monitoring.rst b/doc/cephadm/services/monitoring.rst index 5cb1537dbb4..a17beba6d1e 100644 --- a/doc/cephadm/services/monitoring.rst +++ b/doc/cephadm/services/monitoring.rst @@ -387,6 +387,26 @@ added to the default receivers' ```` configuration. Run ``reconfig`` on the service to update its configuration: +.. prompt:: bash # + + ceph orch reconfig alertmanager + +Turn on Certificate Validation +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +If you are using certificates for alertmanager and want to make sure +these certs are verified, you should set the "secure" option to +true in your alertmanager spec (this defaults to false). + +.. code-block:: yaml + + service_type: alertmanager + spec: + secure: true + +If you already had alertmanager daemons running before applying the spec +you must reconfigure them to update their configuration + .. prompt:: bash # ceph orch reconfig alertmanager diff --git a/src/pybind/mgr/cephadm/services/monitoring.py b/src/pybind/mgr/cephadm/services/monitoring.py index 387f135ce74..6bde0cc3e8c 100644 
--- a/src/pybind/mgr/cephadm/services/monitoring.py +++ b/src/pybind/mgr/cephadm/services/monitoring.py @@ -131,6 +131,10 @@ class AlertmanagerService(CephadmService): default_webhook_urls: List[str] = [] spec = cast(AlertManagerSpec, self.mgr.spec_store[daemon_spec.service_name].spec) + try: + secure = spec.secure + except AttributeError: + secure = False user_data = spec.user_data if 'default_webhook_urls' in user_data and isinstance( user_data['default_webhook_urls'], list): @@ -175,6 +179,7 @@ class AlertmanagerService(CephadmService): 'dashboard_urls': dashboard_urls, 'default_webhook_urls': default_webhook_urls, 'snmp_gateway_urls': snmp_gateway_urls, + 'secure': secure, } yml = self.mgr.template.render('services/alertmanager/alertmanager.yml.j2', context) diff --git a/src/pybind/mgr/cephadm/templates/services/alertmanager/alertmanager.yml.j2 b/src/pybind/mgr/cephadm/templates/services/alertmanager/alertmanager.yml.j2 index 4a8f313a71a..4e394106f05 100644 --- a/src/pybind/mgr/cephadm/templates/services/alertmanager/alertmanager.yml.j2 +++ b/src/pybind/mgr/cephadm/templates/services/alertmanager/alertmanager.yml.j2 @@ -3,6 +3,11 @@ global: resolve_timeout: 5m +{% if not secure %} + http_config: + tls_config: + insecure_skip_verify: true +{% endif %} route: receiver: 'default' diff --git a/src/pybind/mgr/cephadm/tests/test_services.py b/src/pybind/mgr/cephadm/tests/test_services.py index ce4af46da24..e401c5b93d0 100644 --- a/src/pybind/mgr/cephadm/tests/test_services.py +++ b/src/pybind/mgr/cephadm/tests/test_services.py @@ -251,6 +251,9 @@ class TestMonitoring: global: resolve_timeout: 5m + http_config: + tls_config: + insecure_skip_verify: true route: receiver: 'default' diff --git a/src/python-common/ceph/deployment/service_spec.py b/src/python-common/ceph/deployment/service_spec.py index e7b6885ab1e..c23783c5da0 100644 --- a/src/python-common/ceph/deployment/service_spec.py +++ b/src/python-common/ceph/deployment/service_spec.py 
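Review bot: The `try`/`except AttributeError` around `spec.secure` in the `@@ -131,6 +131,10 @@` hunk falls back silently to `False`, which is the value that makes the template emit `insecure_skip_verify: true`. A spec object lacking the attribute therefore turns certificate verification off without any trace. `AlertManagerSpec.__init__` in this same patch always sets `self.secure`, so the fallback looks reachable only for objects built some other way. If it is kept, `secure = getattr(spec, 'secure', False)` says the same in one line, and a comment such as `# False => alertmanager skips TLS certificate verification` would make the consequence visible. The enclosing method starts and ends outside the hunk.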
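Review bot: Because `secure` defaults to `False`, the `{% if not secure %}` block places `insecure_skip_verify: true` under `global.http_config` for every deployment that does not opt in. That is Alertmanager's default HTTP client configuration, so it covers all receivers that do not set their own `http_config`, not just an endpoint with a self-signed certificate. The visible context shows no `http_config` under `global` before this change, so existing clusters appear to lose verification on their next reconfig; that is worth confirming as intended. At minimum the block should carry a Jinja comment such as `{# secure=false: receiver TLS certificates are NOT verified; set "secure: true" in the alertmanager spec to enable verification #}`. A log message from the service when the non-verifying branch is rendered would also help operators audit it.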
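Review bot: The updated expectation in `TestMonitoring` pins only the default path, where `insecure_skip_verify: true` is rendered. Nothing visible here exercises a spec with `secure=True` and asserts that the `http_config` block is absent. That branch is the one operators rely on for certificate verification, so a second case built from `AlertManagerSpec(secure=True)` that checks `'insecure_skip_verify' not in` the rendered config would guard it against regressions. The test body starts and ends outside the hunk, so an existing case elsewhere in the file cannot be ruled out.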
@@ -1112,6 +1112,7 @@ class AlertManagerSpec(MonitoringSpec): config: Optional[Dict[str, str]] = None, networks: Optional[List[str]] = None, port: Optional[int] = None, + secure: bool = False, extra_container_args: Optional[List[str]] = None, ): assert service_type == 'alertmanager' @@ -1136,6 +1137,7 @@ class AlertManagerSpec(MonitoringSpec): # added to the default receivers' # configuration. self.user_data = user_data or {} + self.secure = secure def get_port_start(self) -> List[int]: return [self.get_port(), 9094]
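Review bot: `secure: bool = False` is inserted ahead of `extra_container_args` in `AlertManagerSpec.__init__`, so a caller passing `extra_container_args` positionally would now bind it to `secure`. Appending the new parameter after `extra_container_args` avoids that. The start of the signature is outside the hunk, so this only matters if the parameters are not keyword-only. The value is also stored unchecked: a quoted `secure: "false"` in a spec would be truthy and select the verifying branch, which fails safe but is surprising. Rejecting non-boolean values during spec validation would make the behaviour explicit.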
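Review bot: `self.secure = secure` in the `@@ -1136,6 +1137,7 @@` hunk has no comment, although the `user_data` attribute just above it is documented. The name alone suggests it enables TLS rather than controlling certificate verification. Proposed comment: `# secure: if False (the default), alertmanager.yml is rendered with tls_config.insecure_skip_verify: true, i.e. TLS certificates are not verified.`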