mgr/cephadm: remove ssl_frontend_ssl_key from RGWSpec
authorSage Weil <sage@newdream.net>
Wed, 10 Mar 2021 19:58:09 +0000 (14:58 -0500)
committerSage Weil <sage@newdream.net>
Mon, 15 Mar 2021 22:55:16 +0000 (18:55 -0400)
Since this didn't work anyway, stop collecting and passing through the
private key portion of the certificate.  Instead, users should include
both the certificate and the private key in the first option
(rgw_frontend_ssl_certificate).  This is simpler, and provides consistency
across civetweb and beast rgw backends (for whatever that is worth).

NOTE: dashboard changes are not included here.

Signed-off-by: Sage Weil <sage@newdream.net>
src/cephadm/samples/rgw_ssl.json
src/pybind/mgr/cephadm/services/cephadmservice.py
src/python-common/ceph/deployment/service_spec.py

index d3c45111a90d89d96f71dc0e6034c72ba1e7433d..3fe6fea1c327521952c1dc5c8b5d2ceead55007d 100644 (file)
@@ -44,9 +44,7 @@
       "kWpZ2ypBDH45h2o3LyqvGjsu/BFkeG6JpEDCWbClKWcjKxOrLVDufhSDduffDjja",
       "zOsgQJg0Yf//Ubb5p0c54GjHM/XDXEcV3m3sEtbmMYz6xGwuag4bx8P2E/QY8sFp",
       "JxgIdS8vdl6YhDCjKJ2XzI30JwCdftgDIAiWSE0ivoDc+8+gG1nb11GT52HFzA==",
-      "-----END CERTIFICATE-----"
-       ],
-  "rgw_frontend_ssl_key": [
+      "-----END CERTIFICATE-----",
       "-----BEGIN PRIVATE KEY-----",
       "MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDKbRiedt0JBG3N",
       "+82vIrgk2oY9Ga+ocvk6El/1X3c8Y4mB7g9j4mWciQe7dnjqogPLEOTeddxFLX9m",
index 2510e45afda2b53f5969a71220bd68228d62ebf4..4606247997345b63885e81946918186fd18536b1 100644 (file)
@@ -714,25 +714,10 @@ class RgwService(CephService):
                     % spec.rgw_frontend_ssl_certificate)
             ret, out, err = self.mgr.check_mon_command({
                 'prefix': 'config-key set',
-                'key': f'rgw/cert/{spec.service_name()}.crt',
+                'key': f'rgw/cert/{spec.service_name()}.crt',  # NOTE: actually a .pem!
                 'val': cert_data,
             })
 
-        if spec.rgw_frontend_ssl_key:
-            if isinstance(spec.rgw_frontend_ssl_key, list):
-                key_data = '\n'.join(spec.rgw_frontend_ssl_key)
-            elif isinstance(spec.rgw_frontend_ssl_certificate, str):
-                key_data = spec.rgw_frontend_ssl_key
-            else:
-                raise OrchestratorError(
-                    'Invalid rgw_frontend_ssl_key: %s'
-                    % spec.rgw_frontend_ssl_key)
-            ret, out, err = self.mgr.check_mon_command({
-                'prefix': 'config-key set',
-                'key': f'rgw/cert/{spec.service_name()}.key',
-                'val': key_data,
-            })
-
         # TODO: fail, if we don't have a spec
         logger.info('Saving service %s spec with placement %s' % (
             spec.service_name(), spec.placement.pretty_str()))
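Review bot: The error raised at the top of this hunk still interpolates `spec.rgw_frontend_ssl_certificate` into its message, and after this change that field is expected to carry the private key too, so a malformed value could put key material into mgr logs and orchestrator output. Reporting the type instead of the value avoids that, e.g. `'Invalid rgw_frontend_ssl_certificate: expected str or list of str, got %s' % type(spec.rgw_frontend_ssl_certificate).__name__`. The raise statement begins above the hunk, so this is inferred from its last line and from the removed key branch, which had the same shape. Separately, nothing visible here removes an `rgw/cert/<service>.key` entry stored by an earlier deployment, so old private keys may remain in the config-key store. The inline note could also say outright that the value is sensitive: `# NOTE: PEM bundle, also contains the private key`.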
@@ -750,7 +735,6 @@ class RgwService(CephService):
         if spec.ssl:
             args.append(f"ssl_port={daemon_spec.ports[0]}")
             args.append(f"ssl_certificate=config://rgw/cert/{spec.service_name()}.crt")
-            args.append(f"ssl_private_key=config://rgw/cert/{spec.service_name()}.key")
         else:
             args.append(f"port={daemon_spec.ports[0]}")
         frontend = f'beast {" ".join(args)}'
index 339dbe0a48340662e690904cec2ab96c8431348c..1c45780778c496d71fe2b7f89c43e7df10f8f81b 100644 (file)
@@ -707,7 +707,6 @@ class RGWSpec(ServiceSpec):
                  rgw_zone: Optional[str] = None,
                  rgw_frontend_port: Optional[int] = None,
                  rgw_frontend_ssl_certificate: Optional[List[str]] = None,
-                 rgw_frontend_ssl_key: Optional[List[str]] = None,
                  unmanaged: bool = False,
                  ssl: bool = False,
                  preview_only: bool = False,
@@ -729,7 +728,6 @@ class RGWSpec(ServiceSpec):
         self.rgw_zone = rgw_zone
         self.rgw_frontend_port = rgw_frontend_port
         self.rgw_frontend_ssl_certificate = rgw_frontend_ssl_certificate
-        self.rgw_frontend_ssl_key = rgw_frontend_ssl_key
         self.ssl = ssl
 
     def get_port_start(self) -> Optional[int]: