Merge pull request ceph#59194 from rhcs-dashboard/add-ssl-prometheus-federate

mgr/dashboard: Add ssl prometheus federate

Reviewed-by: Redouane Kachach <[email protected]>

Author: aaSharma14

src/pybind/mgr/cephadm/module.py

@@ -12,6 +12,7 @@
 from functools import wraps
 from tempfile import TemporaryDirectory, NamedTemporaryFile
 from urllib.error import HTTPError
+from urllib.parse import urlparse
 from threading import Event
 
 from ceph.deployment.service_spec import PrometheusSpec
@@ -3248,13 +3249,25 @@ def set_custom_prometheus_alerts(self, alerts_file: str) -> str:
 
     @handle_orch_error
     def set_prometheus_target(self, url: str) -> str:
+        try:
+            parsed_url = urlparse(url)
+            host = parsed_url.hostname
+            port = parsed_url.port
+            if not host:
+                return 'Invalid URL. Hostname is missing.'
+            ipaddress.ip_address(host)
+            url = f"{host}:{port}" if port else host
+        except ValueError as e:
+            return f'Invalid url. {str(e)}'
         prometheus_spec = cast(PrometheusSpec, self.spec_store['prometheus'].spec)
+        if not prometheus_spec:
+            return "Service prometheus not found\n"
+        # Add the target URL if it does not already exist
         if url not in prometheus_spec.targets:
             prometheus_spec.targets.append(url)
         else:
             return f"Target '{url}' already exists.\n"
-        if not prometheus_spec:
-            return "Service prometheus not found\n"
+        # Redeploy daemons after applying the configuration
         daemons: List[orchestrator.DaemonDescription] = self.cache.get_daemons_by_type('prometheus')
         spec = ServiceSpec.from_json(prometheus_spec.to_json())
         self.apply([spec], no_overwrite=False)
@@ -3294,6 +3307,12 @@ def get_prometheus_access_info(self) -> Dict[str, str]:
                 'password': password,
                 'certificate': self.cert_mgr.get_root_ca()}
 
+    @handle_orch_error
+    def get_security_config(self) -> Dict[str, bool]:
+        security_enabled, mgmt_gw_enabled, _ = self._get_security_config()
+        return {'security_enabled': security_enabled,
+                'mgmt_gw_enabled': mgmt_gw_enabled}
+
     @handle_orch_error
     def get_alertmanager_access_info(self) -> Dict[str, str]:
         security_enabled, _, _ = self._get_security_config()

src/pybind/mgr/cephadm/services/monitoring.py

@@ -507,7 +507,17 @@ def generate_config(
 
         alertmanager_user, alertmanager_password = self.mgr._get_alertmanager_credentials()
         prometheus_user, prometheus_password = self.mgr._get_prometheus_credentials()
+        federate_path = self.get_target_cluster_federate_path(targets)
+        cluster_credentials: Dict[str, Any] = {}
+        cluster_credentials_files: Dict[str, Any] = {'files': {}}
         FSID = self.mgr._cluster_fsid
+        if targets:
+            if 'dashboard' in self.mgr.get('mgr_map')['modules']:
+                cluster_credentials_files, cluster_credentials = self.mgr.remote(
+                    'dashboard', 'get_cluster_credentials_files', targets
+                )
+            else:
+                logger.error("dashboard module not found")
 
         # generate the prometheus configuration
         context = {
@@ -526,7 +536,9 @@ def generate_config(
             'external_prometheus_targets': targets,
             'cluster_fsid': FSID,
             'nfs_sd_url': nfs_sd_url,
-            'smb_sd_url': smb_sd_url
+            'smb_sd_url': smb_sd_url,
+            'clusters_credentials': cluster_credentials,
+            'federate_path': federate_path
         }
 
         ip_to_bind_to = ''
@@ -563,6 +575,7 @@ def generate_config(
                 'web_config': '/etc/prometheus/web.yml',
                 'use_url_prefix': mgmt_gw_enabled
             }
+            r['files'].update(cluster_credentials_files['files'])
         else:
             r = {
                 'files': {
@@ -674,6 +687,12 @@ def ok_to_stop(self,
             return HandleCommandResult(-errno.EBUSY, '', warn_message)
         return HandleCommandResult(0, warn_message, '')
 
+    def get_target_cluster_federate_path(self, targets: List[str]) -> str:
+        for target in targets:
+            if ':' in target:
+                return '/federate'
+        return '/prometheus/federate'
+
 
 class NodeExporterService(CephadmService):
     TYPE = 'node-exporter'

src/pybind/mgr/cephadm/templates/services/prometheus/prometheus.yml.j2

@@ -2,10 +2,8 @@
 global:
   scrape_interval: 10s
   evaluation_interval: 10s
-{% if not security_enabled %}
   external_labels:
     cluster: {{ cluster_fsid }}
-{% endif %}
 
 rule_files:
   - /etc/prometheus/alerting/*
@@ -39,15 +37,18 @@ alerting:
 
 scrape_configs:
   - job_name: 'ceph'
+    relabel_configs:
+    - source_labels: [__address__]
+      target_label: cluster
+      replacement: {{ cluster_fsid }}
+    - source_labels: [instance]
+      target_label: instance
+      replacement: 'ceph_cluster'
 {% if security_enabled %}
     scheme: https
     tls_config:
       ca_file: root_cert.pem
     honor_labels: true
-    relabel_configs:
-    - source_labels: [instance]
-      target_label: instance
-      replacement: 'ceph_cluster'
     http_sd_configs:
     - url: {{ mgr_prometheus_sd_url }}
       basic_auth:
@@ -57,19 +58,16 @@ scrape_configs:
         ca_file: root_cert.pem
 {% else %}
     honor_labels: true
-    relabel_configs:
-    - source_labels: [__address__]
-      target_label: cluster
-      replacement: {{ cluster_fsid }}
-    - source_labels: [instance]
-      target_label: instance
-      replacement: 'ceph_cluster'
     http_sd_configs:
     - url: {{ mgr_prometheus_sd_url }}
 {% endif %}
 
 {% if node_exporter_sd_url %}
   - job_name: 'node'
+    relabel_configs:
+    - source_labels: [__address__]
+      target_label: cluster
+      replacement: {{ cluster_fsid }}
 {% if security_enabled %}
     scheme: https
     tls_config:
@@ -86,15 +84,15 @@ scrape_configs:
 {% else %}
     http_sd_configs:
     - url: {{ node_exporter_sd_url }}
-    relabel_configs:
-    - source_labels: [__address__]
-      target_label: cluster
-      replacement: {{ cluster_fsid }}
 {% endif %}
 {% endif %}
 
 {% if haproxy_sd_url %}
   - job_name: 'haproxy'
+    relabel_configs:
+    - source_labels: [__address__]
+      target_label: cluster
+      replacement: {{ cluster_fsid }}
 {% if security_enabled %}
     scheme: https
     tls_config:
@@ -109,15 +107,15 @@ scrape_configs:
 {% else %}
     http_sd_configs:
     - url: {{ haproxy_sd_url }}
-    relabel_configs:
-    - source_labels: [__address__]
-      target_label: cluster
-      replacement: {{ cluster_fsid }}
 {% endif %}
 {% endif %}
 
 {% if ceph_exporter_sd_url %}
   - job_name: 'ceph-exporter'
+    relabel_configs:
+    - source_labels: [__address__]
+      target_label: cluster
+      replacement: {{ cluster_fsid }}
 {% if security_enabled %}
     honor_labels: true
     scheme: https
@@ -132,10 +130,6 @@ scrape_configs:
         ca_file: root_cert.pem
 {% else %}
     honor_labels: true
-    relabel_configs:
-    - source_labels: [__address__]
-      target_label: cluster
-      replacement: {{ cluster_fsid }}
     http_sd_configs:
     - url: {{ ceph_exporter_sd_url }}
 {% endif %}
@@ -201,17 +195,30 @@ scrape_configs:
 {% endif %}
 {% endif %}
 
-{% if not security_enabled %}
-  - job_name: 'federate'
+{% for url, details in clusters_credentials.items() %}
+  - job_name: 'federate_{{ loop.index }}'
     scrape_interval: 15s
     honor_labels: true
-    metrics_path: '/federate'
+    metrics_path: {{ federate_path }}
+    relabel_configs:
+    - source_labels: [__address__]
+      target_label: cluster
+      replacement: {{ cluster_fsid }}
+{% if security_enabled %}
+    scheme: https
+    tls_config:
+      ca_file: {{ details['cert_file_name'] }}
+    basic_auth:
+      username: {{ details['user'] }}
+      password: {{ details['password'] }}
+{% endif %}
     params:
       'match[]':
         - '{job="ceph"}'
         - '{job="node"}'
         - '{job="haproxy"}'
         - '{job="ceph-exporter"}'
     static_configs:
-    - targets: {{ external_prometheus_targets }}
-{% endif %}
+    - targets: ['{{ url }}']
+{% endfor %}
+

src/pybind/mgr/cephadm/tests/test_cephadm.py

@@ -159,6 +159,36 @@ def test_get_unique_name(self, cephadm_module):
         new_mgr = cephadm_module.get_unique_name('mgr', 'myhost', existing)
         match_glob(new_mgr, 'myhost.*')
 
+    @mock.patch("cephadm.serve.CephadmServe._run_cephadm", _run_cephadm('[]'))
+    def test_valid_url(self, cephadm_module):
+        # Test with valid IPv4 and IPv6 urls
+        test_cases = [
+            ("http://192.168.100.100:9090", "prometheus multi-cluster targets updated"),  # Valid IPv4
+            ("https://192.168.100.100/prometheus", "prometheus multi-cluster targets updated"),       # Valid IPv4 without port
+            ("http://[2001:0db8:85a3::8a2e:0370:7334]:9090", "prometheus multi-cluster targets updated"),  # Valid IPv6 with port
+            ("https://[2001:0db8:85a3::8a2e:0370:7334]/prometheus", "prometheus multi-cluster targets updated"),  # Valid IPv6 without port
+        ]
+        with with_host(cephadm_module, 'test'):
+            with with_service(cephadm_module, ServiceSpec(service_type='prometheus'), CephadmOrchestrator.apply_prometheus, 'test'):
+                for url, expected_output in test_cases:
+                    c = cephadm_module.set_prometheus_target(url)
+                    assert wait(cephadm_module, c) == expected_output
+
+    @mock.patch("cephadm.serve.CephadmServe._run_cephadm", _run_cephadm('[]'))
+    def test_invalid_url(self, cephadm_module):
+        # Test with invalid IPv4 and IPv6 urls
+        test_cases = [
+            ("https://192.168.100.100:99999", "Invalid url. Port out of range 0-65535"),  # Port out of range
+            ("http://[2001:0db8:85a3::8a2e:0370:7334]:99999", "Invalid url. Port out of range 0-65535"),  # IPv6 with invalid port
+            ("https://192.168.100.999:9090", "Invalid url. '192.168.100.999' does not appear to be an IPv4 or IPv6 address"),  # Invalid IPv4
+            ("http://[fe80:2030:31:24]:9090", "Invalid url. 'fe80:2030:31:24' does not appear to be an IPv4 or IPv6 address")  # Invalid IPv6
+        ]
+        with with_host(cephadm_module, 'test'):
+            with with_service(cephadm_module, ServiceSpec(service_type='prometheus'), CephadmOrchestrator.apply_prometheus, 'test'):
+                for url, expected_output in test_cases:
+                    c = cephadm_module.set_prometheus_target(url)
+                    assert wait(cephadm_module, c) == expected_output
+
     @mock.patch("cephadm.serve.CephadmServe._run_cephadm", _run_cephadm('[]'))
     def test_host(self, cephadm_module):
         assert wait(cephadm_module, cephadm_module.get_hosts()) == []