git.apps.os.sepia.ceph.com Git

author	Matthew Oliver <moliver@suse.com>
	Tue, 21 Apr 2020 03:38:46 +0000 (13:38 +1000)
committer	Matthew Oliver <moliver@suse.com>
	Thu, 30 Apr 2020 05:31:52 +0000 (05:31 +0000)
commit	4c942d05949f0cb79963258b6f75093bb5d1d4d9
tree	25e27c89d8985e9d6399a3bf1cf06c657e5ffd92	tree \| snapshot
parent	84fbf1c5cddc096817472377fab4bed0d9434b6f	commit \| diff

cephadm: Make ceph-iscsi SSL aware

Ceph-iscsi's `rbd-target-api.py` supports listening over SSL if you
provide an SSL cert and key. Originally the script is opinionated and
requires these files to be named `/etc/ceph/iscsi-gateway.{crt,key}`.

When dealing with containers, having to place files inside a container to
enable SSL isn't very clean. To make things easier, like RGW, you can
now place the SSL cert and key data in the mon config-key store.

This will mean there are 2 ways to enable SSL in ceph-iscsi via orch/cephadm.

1. Push the SSL key and cert into the mon config-key under the keys, and
   then make sure api_secure is enabled (requires json):

  iscsi/{clientname}/iscsi-gateway.crt
  iscsi/{clientname}/iscsi-gateway.key

2. Provide the SSL key and cert in the json you pass the orchestrator and
   it'll push them up for you.

Also lockdown the caps so the container can only access iscsi ssl
key/certs.

Signed-off-by: Matthew Oliver <moliver@suse.com>

src/pybind/mgr/cephadm/module.py		diff \| blob \| history
src/python-common/ceph/deployment/service_spec.py		diff \| blob \| history