ceph dashboard #10

Supports: bionic focal groovy hirsute

Description

Enable the ceph dashboard on the ceph mon units


Overview

The ceph-dashboard charm deploys the Ceph Dashboard, a built-in web-based Ceph management and monitoring application. It works in conjunction with the openstack-loadbalancer charm, which in turn utilises the hacluster charm.

Note: The ceph-dashboard charm is currently in tech-preview.

Usage

Configuration

This section covers common and/or important configuration options. See file config.yaml for the full list of options, along with their descriptions and default values. See the Juju documentation for details on configuring applications.

grafana-api-url

Sets the URL of the Grafana API when using embedded graphs. See Embedded Grafana dashboards.

public-hostname

Sets the hostname or address of the public endpoint used to access the dashboard.

enable-password-policy

Sets whether certain password restrictions are enforced when a user is created or changes their password.

password-*

There are a number of password-* options which impose constraints on which passwords can be used. These options are ignored unless enable-password-policy is set to 'True'.

Deployment

We are assuming a pre-existing Ceph cluster.

Deploy the ceph-dashboard as a subordinate to the ceph-mon charm.

juju deploy ceph-dashboard
juju add-relation ceph-dashboard:dashboard ceph-mon:dashboard

TLS is a requirement for this charm. Enable it by adding a relation to the vault application:

juju add-relation ceph-dashboard:certificates vault:certificates

See Managing TLS certificates in the OpenStack Charms Deployment Guide for more information on TLS.

Note: This charm also supports TLS configuration via charm options ssl_cert, ssl_key, and ssl_ca.

Load balancer

The dashboard is accessed via a load balancer using VIPs and implemented via the openstack-loadbalancer and hacluster charms:

juju deploy -n 3 --config vip=10.5.20.200 cs:~openstack-charmers/openstack-loadbalancer
juju deploy hacluster openstack-loadbalancer-hacluster
juju add-relation openstack-loadbalancer:ha openstack-loadbalancer-hacluster:ha

Now add a relation between the openstack-loadbalancer and ceph-dashboard applications:

juju add-relation ceph-dashboard:loadbalancer openstack-loadbalancer:loadbalancer

Dashboard user

Credentials are needed to log in to the dashboard. Set these up by applying an action to any ceph-dashboard unit. For example, to create an administrator user called 'admin':

juju run-action --wait ceph-dashboard/0 add-user username=admin role=administrator

The command's output will include a generated password.

The dashboard can then be accessed on the configured VIP and on port 8443:

https://10.5.20.200:8443

Embedded Grafana dashboards

To embed Grafana dashboards within the Ceph dashboard some additional relations are required (Grafana, Telegraf, and Prometheus are assumed to be pre-existing):

juju add-relation ceph-dashboard:grafana-dashboard grafana:dashboards
juju add-relation ceph-dashboard:prometheus prometheus:website
juju add-relation ceph-mon:prometheus prometheus:target
juju add-relation ceph-osd:juju-info telegraf:juju-info
juju add-relation ceph-mon:juju-info telegraf:juju-info

Grafana, Telegraf, and Prometheus should be related in the standard way:

juju add-relation grafana:grafana-source prometheus:grafana-source
juju add-relation telegraf:prometheus-client prometheus:target
juju add-relation telegraf:dashboards grafana:dashboards

When Grafana is integrated with the Ceph Dashboard it requires TLS, so add a relation to Vault (the grafana charm also supports TLS configuration via ssl_* charm options):

juju add-relation grafana:certificates vault:certificates

Important: Ceph Dashboard will (silently) fail to display Grafana output if the client browser cannot validate the Grafana server's TLS certificate. Either ensure the signing CA certificate is known to the browser or, if in a testing environment, contact the Grafana dashboard directly and have the browser accept the unverified certificate.

Grafana should be configured with the following charm options:

juju config grafana anonymous=True
juju config grafana allow_embedding=True

The grafana charm also requires the vonage-status-panel and grafana-piechart-panel plugins. The install_plugins configuration option should be set to include URLs from which these plugins can be downloaded. They are currently available from https://storage.googleapis.com/plugins-community. For example:

juju config grafana install_plugins="https://storage.googleapis.com/plugins-community/vonage-status-panel/release/1.0.11/vonage-status-panel-1.0.11.zip,https://storage.googleapis.com/plugins-community/grafana-piechart-panel/release/1.6.2/grafana-piechart-panel-1.6.2.zip"

Telegraf should be configured with the following charm option:

juju config telegraf hostname="{host}"

Note: The above command is to be invoked verbatim; no substitution is required.

Currently the dashboard does not autodetect the API endpoint of the Grafana service. It needs to be provided via a configuration option:

juju config ceph-dashboard grafana-api-url="https://<IP of grafana unit>:3000"

Prometheus alerting

To enable alerting for an existing Prometheus service add the following relations:

juju add-relation ceph-dashboard:prometheus prometheus:website
juju add-relation ceph-mon:prometheus prometheus:target
juju add-relation ceph-dashboard:alertmanager-service prometheus-alertmanager:alertmanager-service
juju add-relation prometheus:alertmanager-service prometheus-alertmanager:alertmanager-service

Ceph Object storage

To enable Object storage management of an existing Ceph RADOS Gateway service add the following relation:

juju add-relation ceph-dashboard:radosgw-dashboard ceph-radosgw:radosgw-user

Note: For Ceph versions older than Pacific the dashboard can only be related to a single ceph-radosgw application.

Actions

This section lists Juju actions supported by the charm. Actions allow specific operations to be performed on a per-unit basis. To display action descriptions run juju actions --schema ceph-dashboard. If the charm is not deployed then see file actions.yaml.

  • add-user
  • delete-user

Documentation

The OpenStack Charms project maintains two documentation guides:

Bugs

Please report bugs on Launchpad.


Configuration

audit-api-enabled
(boolean) Log requests made to the dashboard REST API to the Ceph audit log.
audit-api-log-payload
(boolean) Include payload in Ceph audit logs. audit-api-enabled must be set to True to enable this.,
True
debug
(boolean) Control debug mode. It is recommended that debug be disabled in production deployments.
enable-password-policy
(boolean) Enable password policy
True
grafana-api-url
(string) URL of grafana api. The url must be using https.
motd
(string) Message of the day settings. Should be in the format "severity|expires|message". Set to "" to disable.
password-policy-check-complexity
(boolean) Check password meets a complexity score of password-policy-min-complexity. See https://docs.ceph.com/en/latest/mgr/dashboard/#password-policy
True
password-policy-check-exclusion-list
(boolean) Reject password if it contains a word from a forbidden list.
True
password-policy-check-length
(boolean) Reject password if it is shorter then password-policy-min-length
True
password-policy-check-oldpwd
(boolean) Reject password if it matches previous password.
True
password-policy-check-repetitive-chars
(boolean) Reject password if password contains consecutive repeating charachters.
True
password-policy-check-sequential-chars
(boolean) Reject password if it contains a sequence of sequential characters. e.g. a password containing '123' or 'efg' would be rejected.
True
password-policy-check-username
(boolean) Reject password if username is included in password.
True
password-policy-min-complexity
(int) Set minimum password complexity score. See https://docs.ceph.com/en/latest/mgr/dashboard/#password-policy
10
password-policy-min-length
(int) Set minimum password length.
8
public-hostname
(string) The hostname or address of the public endpoints created for the dashboard
ssl_ca
(string) SSL CA to use with the certificate and key provided - this is only required if you are providing a privately signed ssl_cert and ssl_key.
ssl_cert
(string) SSL certificate to install and use for API ports. Setting this value and ssl_key will enable reverse proxying, point Neutron's entry in the Keystone catalog to use https, and override any certificate and key issued by Keystone (if it is configured to do so).
ssl_key
(string) SSL key to use with certificate specified as ssl_cert.