git.apps.os.sepia.ceph.com Git - ceph-ci.git/commit
mgr/cephadm: sign generated RGW certs
author Adam King <adking@redhat.com>
Tue, 29 Oct 2024 14:54:22 +0000 (10:54 -0400)
committer Adam King <adking@redhat.com>
Tue, 29 Oct 2024 20:59:35 +0000 (16:59 -0400)
commit 66e9ef16a93fc542983fb637e562278f9dc4847b
tree 9f389e41355f9f81929f2bbe6e6aa187d893a65e
parent a3cf84271f2af9650e7056370cb0c578cf7130ca
mgr/cephadm: sign generated RGW certs

Previously the "generate_cert" field would just cause cephadm
to generate self-signed certificates. This was an issue when trying to sync
the secondary site in a multisite situation, resulting in

```
SL peer certificate or SSH remote key was not OK req_data->error_buf=SSL
certificate problem: self-signed certificate request failed: (2200) Unknown error 2200
```

This change makes it so the certificates are signed by cephadm's
root CA cert so that users may grab that cert via
"ceph orch cert-store get cert cephadm_root_ca_cert"
and set that as a trusted CA cert on their secondary cluster.

Additionally, we now generate a cert per RGW daemon so that
we can include the hostname/addr of the node we are deploying
the RGW daemon on in the cert.

Signed-off-by: Adam King <adking@redhat.com>
src/pybind/mgr/cephadm/cert_mgr.py
src/pybind/mgr/cephadm/services/cephadmservice.py
src/pybind/mgr/cephadm/ssl_cert_utils.py
src/python-common/ceph/deployment/service_spec.py
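
The trust relationship the commit message describes, as an added example that is not cephadm's own code: a root CA signs a per-daemon certificate carrying the node's hostname and address in its SAN, and a peer that trusts only the root CA accepts that certificate but not a self-signed one. It assumes the `cryptography` package; the EC key type, the helper names, and the CA name, hostname and address are constructed for illustration.

```python
import datetime
import ipaddress

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(cn, issuer=None, host=None, addr=None):
    """Return (cert, key). issuer is a (cert, key) pair; None means self-signed.
    A cert built without host/addr is marked as a CA (simplification)."""
    key = ec.generate_private_key(ec.SECP256R1())  # assumption: EC key for speed
    now = datetime.datetime.now(datetime.timezone.utc)
    sans = [x509.DNSName(host)] if host else []
    if addr:
        sans.append(x509.IPAddress(ipaddress.ip_address(addr)))
    builder = (x509.CertificateBuilder()
               .subject_name(_name(cn))
               .issuer_name(issuer[0].subject if issuer else _name(cn))
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(minutes=5))
               .not_valid_after(now + datetime.timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=not sans, path_length=None), critical=True))
    if sans:
        builder = builder.add_extension(x509.SubjectAlternativeName(sans), critical=False)
    return builder.sign(issuer[1] if issuer else key, hashes.SHA256()), key

def issued_by(cert, ca_cert):
    """True if ca_cert's key produced cert's signature and the issuer name matches."""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    return cert.issuer == ca_cert.subject

def san_values(cert):
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return [str(name.value) for name in san]

# Constructed sample values: CA name, hostname and address are illustrative only.
ROOT = make_cert("example-root-ca")
SIGNED, _ = make_cert("rgw.host1", issuer=ROOT, host="host1.example.com", addr="192.0.2.11")
SELF_SIGNED, _ = make_cert("rgw.host1", host="host1.example.com", addr="192.0.2.11")
```

`issued_by(SIGNED, ROOT[0])` holds while `issued_by(SELF_SIGNED, ROOT[0])` does not, which is why distributing the single root CA certificate to the secondary cluster is enough to cover every per-daemon certificate.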