From 7e7db792d25ef5ee6f8343fda91b42c5ccdd1746 Mon Sep 17 00:00:00 2001 From: Francesco Pantano Date: Mon, 10 May 2021 16:04:52 +0200 Subject: [PATCH] Add the networks parameter to the monitoring stack components As per [1] the ceph_mkspec module accepts the networks parameter that defines where the specified daemon should be bound. This patch adds the existing parameter to the monitoring stack tasks that are supposed to apply node-exporter(s), prometheus and alertmanager when DashboardEnabled is true. In addition, due to recent changes in Ceph, both grafana and the dashboard passwords must be passed via `-i`. This change makes us able to configure the password via stdin. Finally, the tls support is added to the grafana component, which is exposed to the operators. [1] https://review.opendev.org/783305 Change-Id: I59a74797dc97540b7553a3e74f67e23e6ccc8f6d --- .../roles/tripleo_cephadm/defaults/main.yml | 1 + .../roles/tripleo_cephadm/tasks/ceph_cli.yaml | 6 ++ .../tasks/dashboard/dashboard.yaml | 21 ++++++- .../tasks/dashboard/grafana.yaml | 55 ------------------- .../roles/tripleo_cephadm/tasks/mds.yaml | 2 +- .../tripleo_cephadm/tasks/monitoring.yaml | 21 ++++++- .../roles/tripleo_cephadm/tasks/rgw.yaml | 2 +- .../tripleo_cephadm/templates/grafana.json.j2 | 39 ------------- .../tripleo_run_cephadm/tasks/prepare.yml | 1 + 9 files changed, 49 insertions(+), 99 deletions(-) delete mode 100644 tripleo_ansible/roles/tripleo_cephadm/tasks/dashboard/grafana.yaml delete mode 100644 tripleo_ansible/roles/tripleo_cephadm/templates/grafana.json.j2 diff --git a/tripleo_ansible/roles/tripleo_cephadm/defaults/main.yml b/tripleo_ansible/roles/tripleo_cephadm/defaults/main.yml index 1f112e985..9c7b6262b 100644 --- a/tripleo_ansible/roles/tripleo_cephadm/defaults/main.yml +++ b/tripleo_ansible/roles/tripleo_cephadm/defaults/main.yml 
@@ -47,5 +47,6 @@ tripleo_cephadm_crush_rules: [] tripleo_cephadm_internal_tls_enabled: false tripleo_cephadm_nfs_rados_export_index: 'ganesha-export-index' tripleo_cephadm_ceph_nfs_rados_backend: true +tripleo_cephadm_certs: /etc/pki/tls # todo(fultonj) add is_hci boolean for target memory # https://lists.ceph.io/hyperkitty/list/dev@ceph.io/thread/Z77XO23JPXDNHKM7IG6UN4URYKA6L7VH/ diff --git a/tripleo_ansible/roles/tripleo_cephadm/tasks/ceph_cli.yaml b/tripleo_ansible/roles/tripleo_cephadm/tasks/ceph_cli.yaml index af4efce19..9896bf017 100644 --- a/tripleo_ansible/roles/tripleo_cephadm/tasks/ceph_cli.yaml +++ b/tripleo_ansible/roles/tripleo_cephadm/tasks/ceph_cli.yaml @@ -18,6 +18,12 @@ set_fact: tripleo_cephadm_ceph_cli: >- {{ tripleo_cephadm_container_cli }} run --rm {{ tripleo_cephadm_container_options }} + {% if mount_certs|default(false) %} + --volume {{ tripleo_cephadm_certs }}:/etc/pki/tls:z + {% endif %} + {% if sensitive_data|default(false) %} + --interactive + {% endif %} --volume {{ tripleo_cephadm_config_home }}:/etc/ceph:z {% if mount_spec|default(false) %} --volume {{ tripleo_cephadm_spec }}:{{ tripleo_cephadm_container_spec }}:z diff --git a/tripleo_ansible/roles/tripleo_cephadm/tasks/dashboard/dashboard.yaml b/tripleo_ansible/roles/tripleo_cephadm/tasks/dashboard/dashboard.yaml index af0e8b70b..2eccc1cb0 100644 --- a/tripleo_ansible/roles/tripleo_cephadm/tasks/dashboard/dashboard.yaml +++ b/tripleo_ansible/roles/tripleo_cephadm/tasks/dashboard/dashboard.yaml @@ -18,6 +18,7 @@ include_tasks: ceph_cli.yaml vars: mount_spec: true + sensitive_data: true - name: Configure the Ceph Dashboard port become: true 
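Review bot: The certificate mount added under `mount_certs` in `tripleo_cephadm_ceph_cli` (the `@@ -18,6 +18,12 @@` hunk of ceph_cli.yaml) is read-write and carries `:z`. The whole host directory behind `tripleo_cephadm_certs` (default `/etc/pki/tls`, which typically also holds other services' private keys) therefore becomes writable from the Ceph CLI container and is relabelled for container sharing. The tasks that use it only read a certificate and a key through `-i`, so a read-only mount is enough: `--volume {{ tripleo_cephadm_certs }}:/etc/pki/tls:ro,z`. Relabelling a system directory may also affect other confined services that read it; pointing `tripleo_cephadm_certs` at a dedicated directory would avoid that. The `set_fact` task starts and ends outside the hunk.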
@@ -66,6 +67,17 @@ - name: enable mgr dashboard module (restart) command: "{{ tripleo_cephadm_ceph_cli }} mgr module enable dashboard" +- name: create dashboard admin user + become: true + ceph_dashboard_user: + name: "{{ tripleo_cephadm_dashboard_admin_user }}" + cluster: "{{ tripleo_cephadm_cluster }}" + password: "{{ tripleo_cephadm_dashboard_admin_password }}" + roles: ["{{ 'read-only' if tripleo_cephadm_dashboard_admin_user_ro | bool else 'administrator' }}"] + environment: + CEPH_CONTAINER_IMAGE: "{{ tripleo_cephadm_container_ns + '/' + tripleo_cephadm_container_image + ':' + tripleo_cephadm_container_tag }}" + CEPH_CONTAINER_BINARY: "{{ tripleo_cephadm_container_cli }}" + - name: Configure Monitoring Stack become: true block: @@ -78,7 +90,10 @@ - name: set grafana api user command: "{{ tripleo_cephadm_ceph_cli }} dashboard set-grafana-api-username {{ tripleo_cephadm_grafana_admin_user }}" - name: set grafana api password - command: "{{ tripleo_cephadm_ceph_cli }} dashboard set-grafana-api-password {{ tripleo_cephadm_grafana_admin_password }}" + command: "{{ tripleo_cephadm_ceph_cli }} dashboard set-grafana-api-password -i -" + args: + stdin: "{{ tripleo_cephadm_grafana_admin_password }}" + stdin_add_newline: no - name: disable ssl verification for grafana command: "{{ tripleo_cephadm_ceph_cli }} dashboard set-grafana-api-ssl-verify False" changed_when: false @@ -96,7 +111,9 @@ {{ tripleo_cephadm_ceph_cli }} dashboard set-grafana-api-url \ {{ tripleo_cephadm_dashboard_protocol }}://{{ tripleo_cephadm_dashboard_frontend_vip }}:{{ tripleo_cephadm_grafana_port }} changed_when: false - when: "{{ tripleo_cephadm_dashboard_frontend_vip is defined and tripleo_cephadm_dashboard_frontend_vip |length > 0 }}" + when: + - tripleo_cephadm_dashboard_frontend_vip is defined + - tripleo_cephadm_dashboard_frontend_vip |length > 0 - name: Restart the Ceph dashboard become: true 
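Review bot: Neither password-handling task sets `no_log: true`. `create dashboard admin user` in this hunk passes `tripleo_cephadm_dashboard_admin_password` as a module argument, and `set grafana api password` in the `@@ -78,7 +90,10 @@` hunk passes `tripleo_cephadm_grafana_admin_password` as `stdin`. Moving the Grafana password off the command line keeps it out of the process list, but the `command` module's arguments, `stdin` included, can still be printed in verbose runs and by logging callbacks. Whether `ceph_dashboard_user` masks its `password` argument is not visible here, so I would add `no_log: true` to both tasks rather than rely on it.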
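Review bot: `stdin_add_newline: no` in `set grafana api password` (the `@@ -78,7 +90,10 @@` hunk) relies on YAML 1.1 truthy parsing; write `stdin_add_newline: false`, matching the `changed_when: false` used in the same block. Separately, the unchanged task right after it still runs `set-grafana-api-ssl-verify False` unconditionally, while this commit starts importing a Grafana certificate and key in monitoring.yaml. If that certificate chains to a CA the dashboard trusts, verification could stay enabled for the `https` case, which is worth a comment or a follow-up; the trust setup is not visible here. The `Configure Monitoring Stack` block starts and ends outside this hunk.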
diff --git a/tripleo_ansible/roles/tripleo_cephadm/tasks/dashboard/grafana.yaml b/tripleo_ansible/roles/tripleo_cephadm/tasks/dashboard/grafana.yaml deleted file mode 100644 index 8e3c65671..000000000 --- a/tripleo_ansible/roles/tripleo_cephadm/tasks/dashboard/grafana.yaml +++ /dev/null @@ -1,55 +0,0 @@ ---- -# Copyright 2021 Red Hat, Inc. -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -# TODO: MKSPEC TO DEPLOY GRAFANA -# - name: Deploy the three, unmanaged grafana instances via the orchestrator -# mkspec: -# service_type: grafana -# service_name: grafana -# placement: -# hosts: -# - ctr1 -# - ctr2 -# - ctr3 -# unmanaged: true - -- name: Get the current mgr addr - set_fact: - grafana_addr: "{{ hostvars[dashboard_backend][tripleo_ceph_dashboard_net] }}" - vars: - tripleo_ceph_dashboard_net: "{{ service_net_map['ceph_dashboard_network'] + '_ip' }}" - delegate_to: "{{ dashboard_backend }}" - -- name: Render config files - block: - - name: Configure grafana - template: - src: grafana.json.j2 - dest: "/tmp/grafana.json" - become: true - delegate_to: "{{ dashboard_backend }}" - -- name: Reconfigure grafana component - shell: | - {{ tripleo_cephadm_bin }} \ - --image {{ tripleo_cephadm_grafana_container_image }} \ - deploy \ - --name grafana.{{ dashboard_backend }} \ - --fsid {{ tripleo_cephadm_fsid }} \ - --config-json /tmp/grafana.json - register: cephadm_grafana - become: true - delegate_to: "{{ dashboard_backend }}" 
diff --git a/tripleo_ansible/roles/tripleo_cephadm/tasks/mds.yaml b/tripleo_ansible/roles/tripleo_cephadm/tasks/mds.yaml index 66edac7ce..d4b60b5a5 100644 --- a/tripleo_ansible/roles/tripleo_cephadm/tasks/mds.yaml +++ b/tripleo_ansible/roles/tripleo_cephadm/tasks/mds.yaml @@ -35,7 +35,7 @@ ceph_mkspec: service_type: mds apply: true - hosts: "{{ _hosts }}" + hosts: "{{ _hosts | unique }}" render_path: "{{ tripleo_cephadm_spec_home }}" register: spc environment: diff --git a/tripleo_ansible/roles/tripleo_cephadm/tasks/monitoring.yaml b/tripleo_ansible/roles/tripleo_cephadm/tasks/monitoring.yaml index 1dc9ff8bf..fa728388f 100644 --- a/tripleo_ansible/roles/tripleo_cephadm/tasks/monitoring.yaml +++ b/tripleo_ansible/roles/tripleo_cephadm/tasks/monitoring.yaml @@ -38,10 +38,28 @@ apply: true host_pattern: "*" render_path: "{{ tripleo_cephadm_spec_home }}" + networks: "{{ tripleo_cephadm_monitoring_address_block }}" environment: CEPH_CONTAINER_IMAGE: "{{ tripleo_cephadm_container_ns + '/' + tripleo_cephadm_container_image + ':' + tripleo_cephadm_container_tag }}" CEPH_CONTAINER_BINARY: "{{ tripleo_cephadm_container_cli }}" + - name: Config ssl cert(s) and key(s) for the exposed components + block: + - name: Get ceph_cli + include_tasks: ceph_cli.yaml + vars: + mount_certs: true + + - name: import grafana certificate file + command: "{{ tripleo_cephadm_ceph_cli }} config-key set mgr/cephadm/grafana_crt -i {{ tripleo_cephadm_grafana_crt }}" + changed_when: false + + - name: import grafana certificate key + command: "{{ tripleo_cephadm_ceph_cli }} config-key set mgr/cephadm/grafana_key -i {{ tripleo_cephadm_grafana_key }}" + changed_when: false + when: tripleo_cephadm_dashboard_protocol == "https" and + tripleo_cephadm_grafana_crt | length > 0 and tripleo_cephadm_grafana_key | length > 0 + - name: Create the monitoring stack Daemon spec definition become: true ceph_mkspec: 
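Review bot: In the `@@ -38,10 +38,28 @@` hunk of monitoring.yaml, the two `config-key set ... -i` tasks read `tripleo_cephadm_grafana_crt` and `tripleo_cephadm_grafana_key` inside the CLI container, where the only certificate path this block makes available is `tripleo_cephadm_certs` mounted at `/etc/pki/tls`, and nothing in the block states or checks that. With the default the host and container paths coincide, but once `tripleo_cephadm_certs` is overridden a host path in either variable will not resolve; a comment such as `# crt/key are paths inside the container, i.e. under /etc/pki/tls` or an `assert` ahead of the imports would make the contract explicit. The `when:` applies `| length` with no default, so with protocol `https` and either variable unset the play errors instead of skipping (no defaults for them appear in this patch); `tripleo_cephadm_grafana_crt | default('') | length > 0` is safer. `changed_when: false` also hides that each run overwrites the stored certificate and private key.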
@@ -49,8 +67,9 @@ service_id: "{{ item }}" service_name: "{{ item }}" apply: true - hosts: "{{ _hosts }}" + hosts: "{{ _hosts | unique }}" render_path: "{{ tripleo_cephadm_spec_home }}" + networks: "{{ tripleo_cephadm_monitoring_address_block }}" environment: CEPH_CONTAINER_IMAGE: "{{ tripleo_cephadm_container_ns + '/' + tripleo_cephadm_container_image + ':' + tripleo_cephadm_container_tag }}" CEPH_CONTAINER_BINARY: "{{ tripleo_cephadm_container_cli }}" diff --git a/tripleo_ansible/roles/tripleo_cephadm/tasks/rgw.yaml b/tripleo_ansible/roles/tripleo_cephadm/tasks/rgw.yaml index 7f7367ff2..30ea7a5ae 100644 --- a/tripleo_ansible/roles/tripleo_cephadm/tasks/rgw.yaml +++ b/tripleo_ansible/roles/tripleo_cephadm/tasks/rgw.yaml @@ -34,7 +34,7 @@ ceph_mkspec: service_type: rgw apply: true - hosts: "{{ _hosts }}" + hosts: "{{ _hosts | unique }}" spec: rgw_frontend_port: "{{ radosgw_frontend_port }}" rgw_realm: 'default' diff --git a/tripleo_ansible/roles/tripleo_cephadm/templates/grafana.json.j2 b/tripleo_ansible/roles/tripleo_cephadm/templates/grafana.json.j2 deleted file mode 100644 index 4ab92977a..000000000 --- a/tripleo_ansible/roles/tripleo_cephadm/templates/grafana.json.j2 +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "files": { - "grafana.ini": [ - "[users]", - " default_theme = light", - "[auth.anonymous]", - " enabled = true", - " org_name = 'Main Org.'", - " org_role = 'Viewer'", - "[server]", - " protocol = {{ tripleo_cephadm_dashboard_protocol }}", - " cert_file = /etc/grafana/certs/cert_file", - " cert_key = /etc/grafana/certs/cert_key", - " http_port = {{ tripleo_cephadm_grafana_port }}", - " http_addr = {{ grafana_addr }}", - "[security]", - " admin_user = {{ tripleo_cephadm_grafana_admin_user }}", - " admin_password = {{ tripleo_cephadm_grafana_admin_password }}", - " allow_embedding = true" - ], - "provisioning/datasources/ceph-dashboard.yml": [ - "deleteDatasources:", - " - name: 'Dashboard'", - " orgId: 1", - " ", - "datasources:", - " - name: 'Dashboard'", - " type: 'prometheus'", - " access: 'proxy'", - " orgId: 1", - " url: 'http://localhost:{{ tripleo_cephadm_prometheus_port }}'", - " basicAuth: false", - " isDefault: true", - " editable: false" - ], - "certs/cert_file": [], - "certs/cert_key": [] - } -} diff --git a/tripleo_ansible/roles/tripleo_run_cephadm/tasks/prepare.yml b/tripleo_ansible/roles/tripleo_run_cephadm/tasks/prepare.yml index a6fa0e76d..2609d3d6b 100644 --- a/tripleo_ansible/roles/tripleo_run_cephadm/tasks/prepare.yml +++ b/tripleo_ansible/roles/tripleo_run_cephadm/tasks/prepare.yml @@ -123,3 +123,4 @@ tripleo_cephadm_fqdn: "{{ ceph_spec_fqdn | bool }}" tripleo_cephadm_spec_ansible_host: "{{ tripleo_run_cephadm_spec_path }}" tripleo_cephadm_internal_tls_enabled: "{{ enable_internal_tls }}" + tripleo_cephadm_num_osd_expected: "{{ groups['ceph_osd'] | default([]) | length }}"