mgr/cephadm: adding mTLS for ceph mgmt-gateway and backend services communication#58402
Merged
Contributor (Author):
jenkins test dashboard
nizamial09
reviewed
Jul 11, 2024
Member
nizamial09
left a comment
small review on the dashboard code.
Comment on lines +42 to +45:

    for f in [ca_cert_file, cert_file, key_file]:
        if f:
            f.close()
            os.unlink(f.name)
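Review bot: the cleanup at +42 to +45 is not failure-safe: if `os.unlink` raises for one file (for instance because it was already removed), the loop aborts and the remaining temp files, the key file included, stay on disk. Consider removing each file independently, e.g. `pathlib.Path(f.name).unlink(missing_ok=True)` or catching `OSError` per iteration, and run the loop from a `finally:` so the private key is removed even when the code that consumes the files raises.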
Member
this is duplicated below as well so shall we have a separate function to do this?
Comment on lines +93 to +95:

    cert_file = tempfile.NamedTemporaryFile(delete=False)
    cert_file.write(cert.encode('utf-8'))
    cert_file.flush() # cert_tmp must not be gc'ed
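Review bot: the comment on +95 refers to `cert_tmp`, which does not exist here (the variable is `cert_file`), and it no longer says why `delete=False` is used; state explicitly that the file must outlive this scope because its path is handed to the TLS layer and the caller removes it later. Since the same pattern is used for the private key, the shared helper is the right place to note that `NamedTemporaryFile` creates the file via `mkstemp`, readable and writable only by the creating user, which is what keeps the key material private to the mgr process, and to document that the caller owns the unlink.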
Member
probably this could also be in its own function as it's used repeatedly the same way in the code.
adk3798
reviewed
Jul 11, 2024
cert_mgr will be solely responsible for managing all certificates generated and maintained by cephadm. In addition, cephadm now provides a new cmd to generate certificates for external modules. Signed-off-by: Redouane Kachach <rkachach@ibm.com>
This new Cephadm cmd introduces the ability to generate self-signed certificates for external modules, signed by Cephadm as the root CA. This feature is essential for implementing mTLS. Previously, if the user did not provide a certificate and key, the dashboard would generate its own. With this update, the dashboard now calls Cephadm to generate self-signed certificates, enabling secure mTLS communication with other backend applications. The Prometheus module also makes use of this new functionality to generate self-signed certificates. Signed-off-by: Redouane Kachach <rkachach@ibm.com>
Contributor (Author):
jenkins test make check
1 similar comment
Signed-off-by: Redouane Kachach <rkachach@ibm.com>
This commit adds SSL support to the ceph-exporter deployment made by cephadm. When `secure_monitoring_stack` is set to `True`, the `ceph-exporter` container is restarted with SSL enabled. Signed-off-by: Guillaume Abrioux <gabrioux@ibm.com> Signed-off-by: Redouane Kachach <rkachach@ibm.com>
Contributor:
jenkins test make check
Contributor:
jenkins test windows
It seems that with Grafana 10.4.0 the domain parameter is taken into account while building the final URL (earlier versions didn't seem to behave the same way). This change sets the domain to the hostname where the Grafana daemon is running instead of '*.lab'. serve_from_sub_path is removed as it's not needed, and when added it causes some undesirable redirections that could break monitoring HA. Signed-off-by: Redouane Kachach <rkachach@ibm.com>
Contributor (Author):
jenkins retest this please
adk3798
approved these changes
Aug 1, 2024
Contributor (Author):
jenkins test rook e2e
Contributor (Author):
jenkins test dashboard cephadm
This PR builds on top of the PR #57535 which introduced the mgmt-gateway. In this PR mTLS support is introduced. Cephadm is acting as the root CA that generates and signs all the certificates to be used by all the backend applications (dashboard, monitoring, etc).
Changes included in this PR:
- cert_mgr: new class to centralize certificates management in cephadm
- ceph orch certmgr generate-certificates
- mgmt-gateway and backend applications internal communication
- mgmt-gateway service
Known issues:
The following diagram represents the legacy Ceph mgmt backend architecture:
The new architecture takes advantage of the mgmt-gateway (introduced by #57535) and adds mTLS to improve the security of internal communications between the nginx reverse proxy and the backend applications (Ceph dashboard, Prometheus, Alertmanager, etc.). Direct connections between most of the applications are replaced by requests that are routed through the nginx reverse proxy to an upstream that represents the new end-point of the corresponding service. This way all the routing goes through the internal server of nginx and we can benefit from its high availability support.
Note: please notice that there are still direct connections between Prometheus and the mgr-prometheus module, and with alertmanager as well. This is because in this case we are using the service-discovery feature and we rely on Prometheus support to handle multiple targets. The following diagram depicts a simplified view of the new architecture:
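The PR description above and the "generate-certificates" commit message both describe cephadm acting as the root CA that signs the certificates the reverse proxy and the backend daemons present to each other. The script below is an added example, not cephadm's cert_mgr code or anything from this PR: it builds the same shape of PKI with the openssl CLI (one private root CA, one leaf per daemon with the daemon's hostname in the SAN, usable for both server and client authentication) and then runs the two checks every peer in an mTLS link has to pass, chain to the trusted CA and hostname match. The CA name, hostnames and paths are constructed for the example; it assumes an openssl binary (1.1.1 or newer) is on PATH.

```shell
#!/bin/sh
# Added example (not cephadm code): a minimal private CA that signs a
# per-daemon certificate, plus the verification a peer performs on it.
# CA name, hostnames and directory layout are constructed for this example.
set -eu

# make_pki DIR HOST: create a root CA in DIR and a leaf certificate for HOST
# signed by it. The leaf carries HOST in the SAN, which is the value an
# nginx upstream check (proxy_ssl_verify + proxy_ssl_name) compares against.
make_pki() {
  dir="$1"; host="$2"
  mkdir -p "$dir"
  # Root CA: stands in for cephadm (cert_mgr) as the root of trust.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=example-cephadm-root-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  # Leaf key and CSR for one backend daemon.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$host" \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" >/dev/null 2>&1
  # Leaf extensions: not a CA, SAN with the hostname, and both serverAuth and
  # clientAuth so the same cert works when the daemon is the TLS server and
  # when the proxy presents a cert as the TLS client.
  printf '%s\n' \
    "basicConstraints=CA:FALSE" \
    "keyUsage=critical,digitalSignature,keyEncipherment" \
    "extendedKeyUsage=serverAuth,clientAuth" \
    "subjectKeyIdentifier=hash" \
    "authorityKeyIdentifier=keyid,issuer" \
    "subjectAltName=DNS:$host" > "$dir/$host.ext"
  openssl x509 -req -days 90 -in "$dir/$host.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/$host.ext" -out "$dir/$host.crt" >/dev/null 2>&1
  # Private keys must not be world-readable.
  chmod 600 "$dir/ca.key" "$dir/$host.key"
}

# verify_peer CA_CERT LEAF_CERT HOST: the check a peer applies before trusting
# the other side: the leaf must chain to the trusted CA and its SAN must match
# the expected hostname. Prints "ok" or "fail"; always exits 0 so callers can
# branch on the printed result.
verify_peer() {
  ca="$1"; leaf="$2"; host="$3"
  if openssl verify -CAfile "$ca" -verify_hostname "$host" "$leaf" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Demo: run as `sh mtls_pki.sh demo` to build a PKI in a temp dir and show a
# good peer, a hostname mismatch, and a leaf issued by an unrelated CA.
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  make_pki "$work/a" ceph-node-1.example
  make_pki "$work/b" ceph-node-2.example
  echo "good peer:    $(verify_peer "$work/a/ca.crt" "$work/a/ceph-node-1.example.crt" ceph-node-1.example)"
  echo "wrong name:   $(verify_peer "$work/a/ca.crt" "$work/a/ceph-node-1.example.crt" other.example)"
  echo "foreign CA:   $(verify_peer "$work/b/ca.crt" "$work/a/ceph-node-1.example.crt" ceph-node-1.example)"
fi
```

On the proxy side the equivalent of verify_peer is nginx's proxy_ssl_trusted_certificate (the CA file), proxy_ssl_verify on, proxy_ssl_name (the expected hostname) and, for the client half of mTLS, proxy_ssl_certificate and proxy_ssl_certificate_key pointing at the proxy's own leaf. The third demo case, a certificate issued by a different CA for the right hostname, is the one that matters most for a private PKI: a chain check alone would accept it if the foreign CA were ever added to the trust store, so the trust file handed to each daemon should contain only cephadm's root.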