from cephadm.ssl_cert_utils import SSLCerts, SSLConfigException
-from typing import TYPE_CHECKING, Tuple, Union, List
+from typing import TYPE_CHECKING, Tuple, Union, List, Optional
if TYPE_CHECKING:
from cephadm.module import CephadmOrchestrator
def get_root_ca(self) -> str:
return self.ssl_certs.get_root_cert()
- def generate_cert(self, host_fqdn: Union[str, List[str]], node_ip: Union[str, List[str]]) -> Tuple[str, str]:
- return self.ssl_certs.generate_cert(host_fqdn, node_ip)
+ def generate_cert(
+ self,
+ host_fqdn: Union[str, List[str]],
+ node_ip: Union[str, List[str]],
+ custom_san_list: Optional[List[str]] = None,
+ ) -> Tuple[str, str]:
+ return self.ssl_certs.generate_cert(host_fqdn, node_ip, custom_san_list=custom_san_list)
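Review bot: The new `custom_san_list` keyword on this public wrapper is undocumented, so a caller has to read ssl_cert_utils to learn what it does; a one-line docstring such as `"""Return (cert, key) PEM strings for host_fqdn/node_ip; custom_san_list adds extra DNS names to the certificate's SAN."""` would document the pass-through. The (cert, key) order is taken from the annotation and the rgw caller's unpacking in this commit; confirm it against SSLCerts.generate_cert. The enclosing class starts outside the hunk.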
# set rgw_realm rgw_zonegroup and rgw_zone, if present
self.set_realm_zg_zone(spec)
- if spec.generate_cert and not spec.rgw_frontend_ssl_certificate:
- # generate a self-signed cert for the rgw service
- cert, key = self.mgr.cert_mgr.ssl_certs.generate_root_cert(custom_san_list=spec.zonegroup_hostnames)
- spec.rgw_frontend_ssl_certificate = ''.join([key, cert])
- self.mgr.spec_store.save(spec)
-
if spec.rgw_frontend_ssl_certificate:
if isinstance(spec.rgw_frontend_ssl_certificate, list):
cert_data = '\n'.join(spec.rgw_frontend_ssl_certificate)
# and it matches the spec.
port = spec.get_port()
+ if spec.generate_cert:
+ cert, key = self.mgr.cert_mgr.generate_cert(
+ daemon_spec.host,
+ self.mgr.inventory.get_addr(daemon_spec.host),
+ custom_san_list=spec.zonegroup_hostnames
+ )
+ pem = ''.join([key, cert])
+ ret, out, err = self.mgr.check_mon_command({
+ 'prefix': 'config-key set',
+ 'key': f'rgw/cert/{daemon_spec.name()}',
+ 'val': pem,
+ })
+
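Review bot: The `ret, out, err` bound on the `config-key set` call are never read; `check_mon_command` is the raising variant of the mon-command API, so the bare call `self.mgr.check_mon_command({...})` is sufficient and avoids three unused locals. Separately, a fresh key pair and certificate are produced every time this path runs, so each redeploy of the daemon rotates its certificate and silently overwrites the previous value under `rgw/cert/<daemon>`; if that is intended, make it explicit with a comment such as `# issue a fresh per-daemon leaf cert on every (re)deploy; clients must trust the cephadm root CA rather than pin this cert`. The enclosing function starts and ends outside the hunk.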
# configure frontend
args = []
ftype = spec.rgw_frontend_type or "beast"
f"ssl_endpoint={build_url(host=daemon_spec.ip, port=port).lstrip('/')}")
else:
args.append(f"ssl_port={port}")
- args.append(f"ssl_certificate=config://rgw/cert/{spec.service_name()}")
+ if spec.generate_cert:
+ args.append(f"ssl_certificate=config://rgw/cert/{daemon_spec.name()}")
+ else:
+ args.append(f"ssl_certificate=config://rgw/cert/{spec.service_name()}")
else:
if daemon_spec.ip:
args.append(f"endpoint={build_url(host=daemon_spec.ip, port=port).lstrip('/')}")
args.append(f"port={build_url(host=daemon_spec.ip, port=port).lstrip('/')}s")
else:
args.append(f"port={port}s") # note the 's' suffix on port
- args.append(f"ssl_certificate=config://rgw/cert/{spec.service_name()}")
+ if spec.generate_cert:
+ args.append(f"ssl_certificate=config://rgw/cert/{daemon_spec.name()}")
+ else:
+ args.append(f"ssl_certificate=config://rgw/cert/{spec.service_name()}")
else:
if daemon_spec.ip:
args.append(f"port={build_url(host=daemon_spec.ip, port=port).lstrip('/')}")
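Review bot: The `if spec.generate_cert` / `else` pair that picks the `ssl_certificate=` config-key is now written out twice (after `ssl_port=` and after the `port=...s` branch), and the two copies have to be kept in sync. Computing the key once before the frontend branching, `cert_key = daemon_spec.name() if spec.generate_cert else spec.service_name()`, and appending `f"ssl_certificate=config://rgw/cert/{cert_key}"` in both places removes the duplication. The enclosing function starts and ends outside the hunk.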
'who': utils.name_to_config_section(daemon.name()),
'name': 'rgw_frontends',
})
+ self.mgr.check_mon_command({
+ 'prefix': 'config-key rm',
+ 'key': f'rgw/cert/{daemon.name()}',
+ })
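Review bot: The `config-key rm` of `rgw/cert/<daemon>` runs for every removed rgw daemon, including those whose spec supplied its own certificate and therefore never had a per-daemon key stored; that is only safe if `config-key rm` on a missing key returns success, which I believe it does but cannot confirm from here, since `check_mon_command` would otherwise raise in the middle of daemon removal. If the spec is reachable in this function, guarding the call with the same `spec.generate_cert` condition used on the set side, or else documenting the reliance with `# drop the per-daemon cert issued in prepare_create; expected to be a no-op when none was stored`, would make the intent explicit. The enclosing function starts outside the hunk.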
def ok_to_stop(
self,
return (cert_str, key_str)
- def generate_cert(self, _hosts: Union[str, List[str]], _addrs: Union[str, List[str]]) -> Tuple[str, str]:
+ def generate_cert(
+ self,
+ _hosts: Union[str, List[str]],
+ _addrs: Union[str, List[str]],
+ custom_san_list: Optional[List[str]] = None,
+ ) -> Tuple[str, str]:
addrs = [_addrs] if isinstance(_addrs, str) else _addrs
hosts = [_hosts] if isinstance(_hosts, str) else _hosts
san_list: List[x509.GeneralName] = [x509.DNSName(host) for host in hosts]
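Review bot: The new `custom_san_list` parameter is undocumented, and since this is the helper both cert_mgr and the rgw service now call, its contract belongs in a docstring, e.g. `custom_san_list: extra names appended to the SubjectAlternativeName as DNSName entries, in addition to *_hosts*; they must be hostnames, not IP addresses`. The SAN code later in this function (visible in the following hunk) appends each entry unconditionally, so a name that is also present in `_hosts` ends up in the SAN twice; adding `if n not in hosts` to that comprehension avoids the duplicate. generate_cert's body continues past the end of this hunk.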
if valid_ips:
san_list.extend(ips)
+ if custom_san_list:
+ san_list.extend([x509.DNSName(n) for n in custom_san_list])
builder = builder.add_extension(
x509.SubjectAlternativeName(