Feature #64318
open
cephadm already has support for enabling security across the whole monitoring stack (including all the components). The configuration variable is mgr/cephadm/secure_monitoring_stack; maybe it's just a documentation effort in this case.
Christian Rohmann wrote:
Redouane Kachach Elhichou wrote:
But is there any TLS added? Looking at https://docs.ceph.com/en/reef/mgr/dashboard/#dashboard-ssl-tls-support I see that the dashboard does support TLS certificates. But the Prometheus module apparently does not have this capability: https://docs.ceph.com/en/reef/mgr/prometheus/#prometheus-module
That's right. Docs need to be updated to reflect how to enable security and how the components are impacted.
So the prometheus mgr module actually does support TLS? Just to serve or also for client cert auth?
Is there any issue tracking these missing docs?
No, there's not. I'm going to open a ticket this week (and probably also submit the docs PR).
Also, the ceph-exporter is distributed to Ceph nodes and exposes metrics for the local Ceph daemons. But it seems there is no authentication or TLS encryption support if you look at the code and the configuration options: https://github.com/ceph/ceph/blob/main/src/exporter/ceph_exporter.cc
That's a known issue. In the case of small clusters you can disable ceph-exporter by using the exclude_perf_counters configuration parameter: https://docs.ceph.com/en/latest/mgr/prometheus/#confval-mgr-prometheus-exclude_perf_counters
If this is a known issue, is there an issue or Trello card to track?
I had some discussions with the developer working on ceph-exporter about the lack of SSL/TLS and we agreed that he will be opening a tracker for that. However I can't find the issue. I'll double check with him.
Anyway, I'll recommend playing with the security feature by enabling mgr/cephadm/secure_monitoring_stack and seeing whether that fulfills your needs or not. It's a relatively new feature and any kind of feedback will be more than welcome.
Redouane Kachach Elhichou wrote in #note-5:
Christian Rohmann wrote:
Redouane Kachach Elhichou wrote:
So the prometheus mgr module actually does support TLS? Just to serve or also for client cert auth?
Is there any issue tracking these missing docs?
No, there's not. I'm going to open a ticket this week (and probably also submit the docs PR).
May I ask if you did open a ticket about adding support for TLS (server and client certs) to mgr/prometheus?