mgr/cephadm: remove ssl_frontend_ssl_key from RGWSpec
authorSage Weil <sage@newdream.net>
Wed, 10 Mar 2021 19:58:09 +0000 (14:58 -0500)
committerSage Weil <sage@newdream.net>
Wed, 17 Mar 2021 21:24:19 +0000 (16:24 -0500)
Since this didn't work anyway, stop collecting and passing through the
private key portion of the certificate.  Instead, users should include
both in the first option.  This is simpler, and provides consistency
across civetweb and beast rgw backends (for whatever that is worth).

NOTE: dashboard changes are not included here.

Signed-off-by: Sage Weil <sage@newdream.net>
(cherry picked from commit 4fe35117ce2349adc023604ead1c37c8680b90c4)

src/cephadm/samples/rgw_ssl.json
src/pybind/mgr/cephadm/services/cephadmservice.py
src/python-common/ceph/deployment/service_spec.py

index d3c45111a90d89d96f71dc0e6034c72ba1e7433d..3fe6fea1c327521952c1dc5c8b5d2ceead55007d 100644 (file)
@@ -44,9 +44,7 @@
       "kWpZ2ypBDH45h2o3LyqvGjsu/BFkeG6JpEDCWbClKWcjKxOrLVDufhSDduffDjja",
       "zOsgQJg0Yf//Ubb5p0c54GjHM/XDXEcV3m3sEtbmMYz6xGwuag4bx8P2E/QY8sFp",
       "JxgIdS8vdl6YhDCjKJ2XzI30JwCdftgDIAiWSE0ivoDc+8+gG1nb11GT52HFzA==",
-      "-----END CERTIFICATE-----"
-       ],
-  "rgw_frontend_ssl_key": [
+      "-----END CERTIFICATE-----",
       "-----BEGIN PRIVATE KEY-----",
       "MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDKbRiedt0JBG3N",
       "+82vIrgk2oY9Ga+ocvk6El/1X3c8Y4mB7g9j4mWciQe7dnjqogPLEOTeddxFLX9m",
index af435af542ea2a496940070754b3840bcf5d3945..c9e84c8b2d5b0bc668b65022893e0397264f7dab 100644 (file)
@@ -714,25 +714,10 @@ class RgwService(CephService):
                     % spec.rgw_frontend_ssl_certificate)
             ret, out, err = self.mgr.check_mon_command({
                 'prefix': 'config-key set',
-                'key': f'rgw/cert/{spec.service_name()}.crt',
+                'key': f'rgw/cert/{spec.service_name()}.crt',  # NOTE: actually a .pem!
                 'val': cert_data,
             })
 
-        if spec.rgw_frontend_ssl_key:
-            if isinstance(spec.rgw_frontend_ssl_key, list):
-                key_data = '\n'.join(spec.rgw_frontend_ssl_key)
-            elif isinstance(spec.rgw_frontend_ssl_certificate, str):
-                key_data = spec.rgw_frontend_ssl_key
-            else:
-                raise OrchestratorError(
-                    'Invalid rgw_frontend_ssl_key: %s'
-                    % spec.rgw_frontend_ssl_key)
-            ret, out, err = self.mgr.check_mon_command({
-                'prefix': 'config-key set',
-                'key': f'rgw/cert/{spec.service_name()}.key',
-                'val': key_data,
-            })
-
         # TODO: fail, if we don't have a spec
         logger.info('Saving service %s spec with placement %s' % (
             spec.service_name(), spec.placement.pretty_str()))
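Review bot: The value written under `rgw/cert/<service>.crt` is now expected to carry the private key too, but nothing in the visible lines checks that `cert_data` contains a key block, so a spec that still supplies only the certificate is accepted here and would presumably fail only when the daemon tries to bring up TLS. A cheap guard before the `config-key set` call would be `if 'PRIVATE KEY-----' not in cert_data: raise OrchestratorError('rgw_frontend_ssl_certificate must include the private key')`. Separately, clusters that applied an SSL spec before this commit may still hold `rgw/cert/<service>.key` in the config-key store; the code that wrote it is removed and no cleanup is visible here, so that private key would linger unless it is deleted elsewhere, and a `config-key rm` for the old name on apply is worth considering. The inline `# NOTE: actually a .pem!` could also state that the entry now holds secret key material, so nobody later treats `.crt` entries as public when dumping or logging them. The enclosing function starts and ends outside the hunk.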
@@ -750,7 +735,6 @@ class RgwService(CephService):
         if spec.ssl:
             args.append(f"ssl_port={daemon_spec.ports[0]}")
             args.append(f"ssl_certificate=config://rgw/cert/{spec.service_name()}.crt")
-            args.append(f"ssl_private_key=config://rgw/cert/{spec.service_name()}.key")
         else:
             args.append(f"port={daemon_spec.ports[0]}")
         frontend = f'beast {" ".join(args)}'
index b6a3869a8603e40ac5cb98f7ba5217a5a4ac8ea1..66e4a5f07c19a97e4070330d8ace064c0d28b8b7 100644 (file)
@@ -703,7 +703,6 @@ class RGWSpec(ServiceSpec):
                  rgw_zone: Optional[str] = None,
                  rgw_frontend_port: Optional[int] = None,
                  rgw_frontend_ssl_certificate: Optional[List[str]] = None,
-                 rgw_frontend_ssl_key: Optional[List[str]] = None,
                  unmanaged: bool = False,
                  ssl: bool = False,
                  preview_only: bool = False,
@@ -725,7 +724,6 @@ class RGWSpec(ServiceSpec):
         self.rgw_zone = rgw_zone
         self.rgw_frontend_port = rgw_frontend_port
         self.rgw_frontend_ssl_certificate = rgw_frontend_ssl_certificate
-        self.rgw_frontend_ssl_key = rgw_frontend_ssl_key
         self.ssl = ssl
 
     def get_port_start(self) -> Optional[int]: