# this is a redeploy of older instance that doesn't have an explicitly
# assigned port, in which case we can assume there is only 1 per host
# and it matches the spec.
- port = spec.get_port()
+ ports = spec.get_port()
+ if spec.ssl:
+ port = ports[1] if len(ports) > 1 else ports[0]
+ else:
+ port = ports[0]
if spec.generate_cert:
+ san_list = spec.zonegroup_hostnames or []
+ custom_san_list = san_list + [f"*.{h}" for h in san_list] if spec.wildcard_enabled else san_list
+
cert, key = self.mgr.cert_mgr.generate_cert(
daemon_spec.host,
self.mgr.inventory.get_addr(daemon_spec.host),
- custom_san_list=spec.zonegroup_hostnames
+ custom_san_list=custom_san_list
)
pem = ''.join([key, cert])
+ self.mgr.cert_mgr.save_cert('rgw_frontend_ssl_cert', pem, service_name=spec.service_name())
ret, out, err = self.mgr.check_mon_command({
'prefix': 'config-key set',
'key': f'rgw/cert/{daemon_spec.name()}',
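Review bot: The value written by the new `save_cert` call on L21 is `pem = ''.join([key, cert])` from L20, so the entry stored as `rgw_frontend_ssl_cert` carries the private key, not just the certificate; if cert_mgr lists or exports certificate entries with fewer restrictions than key material, the key goes with it. Confirm how cert_mgr treats this entry, and if it has a key-store counterpart, store `cert` and `key` separately, e.g. `self.mgr.cert_mgr.save_cert('rgw_frontend_ssl_cert', cert, service_name=spec.service_name())` with the key saved through the key path rather than folded into the cert. Note also that the certificate is generated for one host (`daemon_spec.host` and its address, L15-L16) but saved under the service name, so with several RGW daemons each deploy presumably overwrites the entry with the last host's cert — whether that matters depends on who reads the entry, which is outside this hunk. The wildcard SANs added on L12 make the certificate valid for every subdomain of each zonegroup hostname; a line such as `# wildcard SANs (*.<zonegroup-hostname>) cover virtual-host-style bucket names; opt-in via wildcard_enabled` would record why that widening is acceptable. The enclosing function starts before the hunk and the `config-key set` call on L22-L24 continues past it.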
self.generate_cert = generate_cert
#: Used to make RGW not do multisite replication so it can dedicate to IO
self.disable_multisite_sync_traffic = disable_multisite_sync_traffic
+ self.wildcard_enabled = wildcard_enabled
def get_port_start(self) -> List[int]:
- return [self.get_port()]
+ ports = self.get_port()
+ return ports
- def get_port(self) -> int:
+ def get_port(self) -> List[int]:
+ ports = []
if self.rgw_frontend_port:
- return self.rgw_frontend_port
- if self.ssl:
- return 443
- else:
- return 80
+ ports.append(self.rgw_frontend_port)
+
+ ssl_port = next(
+ (
+ int(arg.split('=')[1])
+ for arg in (self.rgw_frontend_extra_args or [])
+ if arg.startswith("ssl_port=")
+ ),
+ None,
+ )
+
+ if self.ssl and ssl_port:
+ ports.append(ssl_port)
+ if not ports:
+ ports.append(443 if self.ssl else 80)
+
+ return ports
def validate(self) -> None:
super(RGWSpec, self).validate()
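Review bot: `int(arg.split('=')[1])` on L46 turns a malformed `ssl_port=` entry in `rgw_frontend_extra_args` (empty, non-numeric, or an `addr:port` form) into an uncaught `ValueError` raised from `get_port()`, which is now also on the `get_port_start()` path (L31-L32) and the deploy path in the other hunk, rather than from `validate()`. The values come from the operator-supplied spec, so they should be rejected with a message naming the offending argument, and preferably at validation time; `validate()` begins at L59 but its body continues outside the hunk, so the check below is placed in `get_port()` where the parse happens. The falsy test `if self.ssl and ssl_port` on L53 also silently discards `ssl_port=0`; the range check below makes that an error instead of a silent fallback to the default port.
```python
    def get_port(self) -> List[int]:
        ports = []
        if self.rgw_frontend_port:
            ports.append(self.rgw_frontend_port)

        ssl_port = None
        for arg in (self.rgw_frontend_extra_args or []):
            if arg.startswith("ssl_port="):
                value = arg.partition("=")[2]
                if not value.isdigit() or not 1 <= int(value) <= 65535:
                    raise ValueError(
                        f"rgw_frontend_extra_args: invalid ssl_port value {arg!r} (expected 1-65535)"
                    )
                ssl_port = int(value)
                break
        # … unchanged: append ssl_port when self.ssl, default to 443/80, return ports …
```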