mgr/prometheus: improve how we check security configuration status

rkachach · rkachach · commit 9f554ee8adc5 · 2025-06-09T14:25:24.000+02:00
So far we have been using some indirect methods for that. Let's be more explicit about the check and use the new API offered by the cephadm for that. Fixes: https://tracker.ceph.com/issues/71599 Signed-off-by: Redouane Kachach <rkachach@ibm.com>
diff --git a/src/pybind/mgr/prometheus/module.py b/src/pybind/mgr/prometheus/module.py
@@ -1761,21 +1761,17 @@ def self_test(self) -> None:
         self.get_file_sd_config()
 
     def configure(self, server_addr: str, server_port: int) -> None:
-        # TODO(redo): this new check is hacky, we should provide an explit cmd
-        # from cephadm to get/check the security status
-
-        # if cephadm is configured with security then TLS must be used
-        cmd = {'prefix': 'orch prometheus get-credentials'}
+        cmd = {'prefix': 'orch get-security-config'}
         ret, out, _ = self.mon_command(cmd)
         if ret == 0 and out is not None:
-            access_info = json.loads(out)
-            if access_info:
-                try:
+            try:
+                security_config = json.loads(out)
+                if security_config.get('security_enabled', False):
                     self.setup_tls_using_cephadm(server_addr, server_port)
                     return
-                except Exception as e:
-                    self.log.exception(f'Failed to setup cephadm based secure monitoring stack: {e}\n',
-                                       'Falling back to default configuration')
+            except Exception as e:
+                self.log.exception(f'Failed to setup cephadm based secure monitoring stack: {e}\n',
+                                   'Falling back to default configuration')
 
         # In any error fallback to plain http mode
         self.setup_default_config(server_addr, server_port)
diff --git a/src/pybind/mgr/rook/module.py b/src/pybind/mgr/rook/module.py
@@ -531,6 +531,10 @@ def _get_pool_params(self) -> Tuple[int, str]:
                 break
         return num_replicas, leaf_type
 
+    @handle_orch_error
+    def get_security_config(self) -> Dict[str, bool]:
+        return {}
+
     @handle_orch_error
     def remove_service(self, service_name: str, force: bool = False) -> str:
         if service_name == 'rbd-mirror':
