Bug 1994251

Summary: [RFE][GSS] Need ssl between node-exporter, Prometheus and mgr module
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: Lijo Stephen Thomas <lithomas>
Component: Cephadm Assignee: Redouane Kachach Elhichou <rkachach>
Status: CLOSED ERRATA QA Contact: Sayalee <saraut>
Severity: medium Docs Contact: Rivka Pollack <rpollack>
Priority: high    
Version: 5.0 CC: adking, akraj, ceph-eng-bugs, dwojewod, flucifre, gjose, jolmomar, kdreyer, mhackett, mmuench, nia, rkachach, sangadi, saraut, tserlin
Target Milestone: --- Keywords: FutureFeature
Target Release: 7.0   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: ceph-18.2.0-45.el9cp Doc Type: Enhancement
Doc Text:
.TLS is enabled across all monitoring components, enhancing security for Prometheus
With this enhancement, to safeguard data integrity, confidentiality, and alignment with the security best practices, TLS is enabled across the monitoring stack. The enhanced security feature for Prometheus, Alert manager and Node exporter adds an additional layer of protection by using secure communication across the monitoring stack.
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-12-13 15:18:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2237662    

Description Lijo Stephen Thomas 2021-08-17 07:01:38 UTC
Description of problem:
Customer needs ssl between node-exporter, mgr module and Prometheus.


Version-Release number of selected component (if applicable):
RHCS 5.x

Additional info:
As we do not have such capability, we would like to have this in future RHCS 5.x releases.

Comment 3 Juan Miguel Olmo 2021-09-07 10:15:36 UTC
Rook part:
==========

I am currently working on bringing the complete monitoring stack we are using in baremetal installations to the k8s world:

https://github.com/rook/rook/issues/6519

Prometheus and Alert manager:
Deployed using the Prometheus operator (still in Beta) and both of them support TLS.
https://github.com/prometheus-operator/prometheus-operator

Node exporter:
Deployed as a daemonset in k8s using the Node exporter built-in TLS feature

Grafana:
Deployed using grafana operator but using the Grafana built-in TLS feature
https://github.com/grafana-operator/grafana-operator


Prometheus manager module:
As Ernesto has pointed out, the TLS support needs to be implemented.

Comment 10 Ernesto Puerta 2021-12-13 19:33:03 UTC
*** Bug 2028338 has been marked as a duplicate of this bug. ***

Comment 24 Redouane Kachach Elhichou 2023-01-09 09:43:39 UTC
The following PR (under review upstream) introduces several security enhancements related to monitoring:

https://github.com/ceph/ceph/pull/46601

Comment 47 errata-xmlrpc 2023-12-13 15:18:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat Ceph Storage 7.0 Bug Fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:7780