Bug 1994251 - [RFE][GSS] Need ssl between node-exporter, Prometheus and mgr module
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: Cephadm
Version: 5.0
Hardware: x86_64
OS: Linux
Priority: high
Severity: medium
Target Milestone: ---
Target Release: 7.0
Assignee: Redouane Kachach Elhichou
QA Contact: Sayalee
Docs Contact: Rivka Pollack
URL:
Whiteboard:
Duplicates: 2028338
Depends On:
Blocks: 2237662
Reported: 2021-08-17 07:01 UTC by Lijo Stephen Thomas
Modified: 2023-12-13 15:18 UTC

Fixed In Version: ceph-18.2.0-45.el9cp
Doc Type: Enhancement
Doc Text:
.TLS is enabled across all monitoring components, enhancing security for Prometheus
With this enhancement, to safeguard data integrity, confidentiality, and alignment with the security best practices, TLS is enabled across the monitoring stack. The enhanced security feature for Prometheus, Alert manager and Node exporter adds an additional layer of protection by using secure communication across the monitoring stack.
Clone Of:
Environment:
Last Closed: 2023-12-13 15:18:36 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHCEPH-719 0 None None None 2021-08-17 07:02:37 UTC
Red Hat Knowledge Base (Solution) 7033374 0 None None None 2023-09-14 13:46:36 UTC
Red Hat Product Errata RHBA-2023:7780 0 None None None 2023-12-13 15:18:41 UTC

Internal Links: 2028335

Description Lijo Stephen Thomas 2021-08-17 07:01:38 UTC
Description of problem:
Customer needs ssl between node-exporter, mgr module and Prometheus.


Version-Release number of selected component (if applicable):
RHCS 5.x

Additional info:
As we do not have such capability, we would like to have this in future RHCS 5.x releases

Comment 3 Juan Miguel Olmo 2021-09-07 10:15:36 UTC
Rook part:
==========

I am currently working on bringing the complete monitoring stack we are using in baremetal installations to the k8s world:

https://github.com/rook/rook/issues/6519

Prometheus and Alert manager:
Deployed using the Prometheus operator (still in Beta) and both of them support TLS.
https://github.com/prometheus-operator/prometheus-operator

Node exporter
Deployed as a daemonset in k8s using the Node exporter built-in TLS feature

Grafana:
Deployed using grafana operator but using the Grafana built-in TLS feature
https://github.com/grafana-operator/grafana-operator


Prometheus manager module:
As Ernesto has pointed out .. needed to implement the TLS support.

Comment 10 Ernesto Puerta 2021-12-13 19:33:03 UTC
*** Bug 2028338 has been marked as a duplicate of this bug. ***

Comment 24 Redouane Kachach Elhichou 2023-01-09 09:43:39 UTC
The following PR (under review upstream) introduces several security enhancements related to monitoring:

https://github.com/ceph/ceph/pull/46601

Comment 47 errata-xmlrpc 2023-12-13 15:18:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat Ceph Storage 7.0 Bug Fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:7780
