]> git-server-git.apps.pok.os.sepia.ceph.com Git - ceph.git/commitdiff
mgr/smb: Add ssl_certificates buffer for smb features
authorRabinarayan Panigrahi <rapanigr@redhat.com>
Fri, 8 May 2026 05:34:39 +0000 (11:04 +0530)
committerRabinarayan Panigrahi <rapanigr@redhat.com>
Thu, 18 Jun 2026 13:50:17 +0000 (19:20 +0530)
Add ssl_certificates buffer for smb features like remote_control
and keybridge. when certificate applied it stores as a feature
name and SSLParameters as value where SSLParameters holds cert,
key and ca-cert.

Signed-off-by: Rabinarayan Panigrahi <rapanigr@redhat.com>
Signed-off-by: Avan Thakkar <athakkar@redhat.com>
src/pybind/mgr/smb/handler.py

index 6f6954d0b2e039ff9ccbc39f69428d009a3cde6f..10364024181050973bba31caae90f8034b261e4e 100644 (file)
@@ -20,7 +20,11 @@ import logging
 import time
 
 import ceph.smb.constants
-from ceph.deployment.service_spec import SMBExternalCephCluster, SMBSpec
+from ceph.deployment.service_spec import (
+    SMBExternalCephCluster,
+    SMBSpec,
+    SSLParameters,
+)
 from ceph.fs.earmarking import EarmarkTopScope
 
 from . import config_store, external, resources
@@ -631,6 +635,7 @@ class ClusterConfigHandler:
             change_group.cluster.cluster_id,
         )
         cluster = change_group.cluster
+        ssl_certificates: Dict[str, SSLParameters] = {}
         assert isinstance(cluster, resources.Cluster)
         # vols: hold the cephfs volumes our shares touch. some operations are
         # disabled/skipped unless we touch volumes.
@@ -688,6 +693,7 @@ class ClusterConfigHandler:
         if change_group.ext_ceph_clusters:
             assert len(change_group.ext_ceph_clusters) == 1
             ext_ceph_cluster = change_group.ext_ceph_clusters[0]
+
         smb_spec = _generate_smb_service_spec(
             cluster,
             config_entries=config_entries,
@@ -697,6 +703,7 @@ class ClusterConfigHandler:
             data_entity=cluster_conf.data_entity,
             needs_proxy=_has_proxied_vfs(change_group),
             ext_ceph_cluster=ext_ceph_cluster,
+            ssl_certificates=ssl_certificates,
         )
         _save_pending_spec_backup(self.public_store, change_group, smb_spec)
         # if orch was ever needed in the past we must "re-orch", but if we have
@@ -1058,6 +1065,7 @@ def _generate_smb_service_spec(
     data_entity: str = '',
     needs_proxy: bool = False,
     ext_ceph_cluster: Optional[resources.ExternalCephCluster],
+    ssl_certificates: Dict[str, SSLParameters],
 ) -> SMBSpec:
     features = []
     if cluster.auth_mode == AuthMode.ACTIVE_DIRECTORY:
@@ -1092,8 +1100,9 @@ def _generate_smb_service_spec(
     user_entities: Optional[List[str]] = None
     if data_entity:
         user_entities = [data_entity]
+
     rc_cert = rc_key = rc_ca_cert = None
-    if cluster.remote_control_is_enabled:
+    if cluster.is_feature_enabled(_REMOTE_CONTROL):
         assert cluster.remote_control
         rc_cert = _tls_uri(
             cluster.remote_control.cert, tls_credential_entries
@@ -1102,8 +1111,18 @@ def _generate_smb_service_spec(
         rc_ca_cert = _tls_uri(
             cluster.remote_control.ca_cert, tls_credential_entries
         )
+        feature = ceph.smb.constants.FEATURE_FILE_NAMES.get(_REMOTE_CONTROL)
+        if feature is not None:
+            ssl_certificates[feature] = SSLParameters(
+                enabled=bool(rc_cert and rc_key),
+                ssl_cert=rc_cert,
+                ssl_key=rc_key,
+                ssl_ca_cert=rc_ca_cert,
+                certificate_source='uri',
+            )
+
     kb_cert = kb_key = kb_ca_cert = None
-    if cluster.keybridge_is_enabled:
+    if cluster.is_feature_enabled(_KEYBRIDGE):
         assert cluster.keybridge  # type narrow
         # TODO: current all KMIP scopes must share the same tls creds
         # and that sucks. need to update keybridge to fetch cert URIs directly
@@ -1122,6 +1141,16 @@ def _generate_smb_service_spec(
             kb_ca_cert = _tls_uri(
                 kmip_scope.kmip_ca_cert, tls_credential_entries
             )
+            feature = ceph.smb.constants.FEATURE_FILE_NAMES.get(_KEYBRIDGE)
+            if feature is not None:
+                ssl_certificates[feature] = SSLParameters(
+                    enabled=bool(kb_cert and kb_key),
+                    ssl_cert=kb_cert,
+                    ssl_key=kb_key,
+                    ssl_ca_cert=kb_ca_cert,
+                    certificate_source='uri',
+                )
+
     ceph_cluster_configs = None
     if ext_ceph_cluster:
         exo = checked(ext_ceph_cluster.cluster)
@@ -1134,7 +1163,6 @@ def _generate_smb_service_spec(
                 key=exo.cephfs_user.key,
             )
         ]
-
     return SMBSpec(
         service_id=cluster.cluster_id,
         placement=cluster.placement,
@@ -1148,12 +1176,7 @@ def _generate_smb_service_spec(
         cluster_public_addrs=cluster.service_spec_public_addrs(),
         custom_ports=cluster.custom_ports,
         bind_addrs=cluster.service_spec_bind_addrs(),
-        remote_control_ssl_cert=rc_cert,
-        remote_control_ssl_key=rc_key,
-        remote_control_ca_cert=rc_ca_cert,
-        keybridge_kmip_ssl_cert=kb_cert,
-        keybridge_kmip_ssl_key=kb_key,
-        keybridge_kmip_ca_cert=kb_ca_cert,
+        ssl_certificates=ssl_certificates or None,
         ceph_cluster_configs=ceph_cluster_configs,
         tunables=_service_spec_tunables(cluster),
     )