Bug 2028335

Summary: [RFE][cephadm] Allow the configuration of prometheus authentication using cephadm
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: James Biao <jbiao>
Component: Cephadm
Assignee: Redouane Kachach Elhichou <rkachach>
Status: CLOSED ERRATA
QA Contact: Sayalee <saraut>
Severity: high
Docs Contact: Rivka Pollack <rpollack>
Priority: high
Version: 5.1
CC: adking, akraj, gjose, kdreyer, lithomas, mmuench, rkachach, saraut, sunnagar, vereddy
Target Milestone: ---
Keywords: FutureFeature
Target Release: 7.0
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: ceph-18.2.0-1
Doc Type: Enhancement
Doc Text:
.Enhanced security of the monitoring stack
With this enhancement, to safeguard data integrity and confidentiality and to align with security best practices, authentication is implemented for Prometheus, Alertmanager, and the Node exporter. This enhances the security of the whole monitoring stack by enabling TLS in all the monitoring components and requiring users to provide valid credentials before accessing Prometheus and Alertmanager data. This feature provides an additional layer of protection by using secure communication and preventing unauthorized access to sensitive metrics and monitoring data. With TLS enabled in all the monitoring stack components and authentication in place, users must authenticate before accessing monitoring and metrics data, enhancing overall security and control over data access.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-12-13 15:18:42 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2237662

Comment 1 Sebastian Wagner 2021-12-02 09:34:31 UTC
Ok this gets complicated. 

cephadm doesn't support SSL at this point. See https://bugzilla.redhat.com/show_bug.cgi?id=1994251

cephadm doesn't support deploying additional files for existing daemon types. See https://prometheus.io/docs/guides/basic-auth/#creating-web-yml and 

---

For now you can manually deploy your own Prometheus and Grafana. Does this help?

Comment 2 Sebastian Wagner 2021-12-02 12:17:25 UTC
relates to https://bugzilla.redhat.com/show_bug.cgi?id=2028173

Comment 13 Redouane Kachach Elhichou 2023-03-13 09:55:59 UTC
Support for the first part (basic auth) has been added by the following upstream PR: https://github.com/ceph/ceph/pull/46601. More changes are needed to make the authentication configurable.

Comment 33 errata-xmlrpc 2023-12-13 15:18:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat Ceph Storage 7.0 Bug Fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:7780