cephadm: add keybridge sidecar to smb daemon module
authorJohn Mulligan <jmulligan@redhat.com>
Fri, 18 Jul 2025 16:20:17 +0000 (12:20 -0400)
committerJohn Mulligan <jmulligan@redhat.com>
Mon, 22 Sep 2025 13:58:06 +0000 (09:58 -0400)
The keybridge uses the sambacc configuration but can also be passed
CLI options. Since cephadm writes the cert files, cephadm must also
pass the file names to use to the container args.

Signed-off-by: John Mulligan <jmulligan@redhat.com>
(cherry picked from commit a140d9d0c7ffc6837c7fa02fe92082efefe9ffc5)

src/cephadm/cephadmlib/daemons/smb.py

index 553fbe6c8f0562655bf708a5740f05f57305899f..d4941a34d3b46b1220f28cc9c23cee389765a3f9 100644 (file)
@@ -63,6 +63,7 @@ class Features(enum.Enum):
     CLUSTERED = 'clustered'
     CEPHFS_PROXY = 'cephfs-proxy'
     REMOTE_CONTROL = 'remote-control'
+    KEYBRIDGE = 'keybridge'
 
     @classmethod
     def valid(cls, value: str) -> bool:
@@ -188,6 +189,12 @@ class RemoteControlConfig:
     tls_files: TLSFiles
 
 
+@dataclasses.dataclass(frozen=True)
+class KeyBridgeConfig:
+    tls_files: TLSFiles
+    socket = 'unix:/run/keybridge.s'
+
+
 @dataclasses.dataclass(frozen=True)
 class Config:
     identity: DaemonIdentity
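Review bot: `socket` in `KeyBridgeConfig` has no type annotation, so `dataclasses` treats it as a plain class attribute rather than a field. It is therefore left out of `__init__`, `repr` and equality, and because the class is frozen it cannot be set per instance either. If the socket address is meant to be part of the configuration, declare it as `socket: str = 'unix:/run/keybridge.s'`, which would also make it appear in the dataclass repr. If it is deliberately a fixed constant, add a comment such as `# fixed path inside the container; not a dataclass field on purpose`. The `Config` class that follows continues outside this hunk.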
@@ -218,6 +225,7 @@ class Config:
     bind_to: List[BindInterface] = dataclasses.field(default_factory=list)
     proxy_image: str = ''
     remote_control: Optional[RemoteControlConfig] = None
+    keybridge: Optional[KeyBridgeConfig] = None
 
     def config_uris(self) -> List[str]:
         uris = [self.source_config]
@@ -447,6 +455,30 @@ class RemoteControlContainer(SambaContainerCommon):
         ]
 
 
+class KeyBridgeContainer(SambaContainerCommon):
+    def name(self) -> str:
+        return 'keybridge'
+
+    def args(self) -> List[str]:
+        args = super().args()
+        assert self.cfg.keybridge, 'keybridge is not configured'
+        args.append('keybridge')
+        if self.cfg.keybridge.tls_files:
+            cert_path = self.cfg.keybridge.tls_files.cert_interior_path
+            key_path = self.cfg.keybridge.tls_files.key_interior_path
+            ca_cert_path = self.cfg.keybridge.tls_files.ca_cert_interior_path
+            # all or nothing with kmip
+            assert cert_path and key_path and ca_cert_path
+            args.append(f'--kmip-tls-cert={cert_path}')
+            args.append(f'--kmip-tls-key={key_path}')
+            args.append(f'--kmip-tls-ca-cert={ca_cert_path}')
+        args.append(self.cfg.keybridge.socket)
+        return args
+
+    def container_args(self) -> List[str]:
+        return super().container_args() + ['--entrypoint=samba-satellite']
+
+
 class CephFSProxyContainer(ContainerCommon):
     def name(self) -> str:
         return 'proxy'
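Review bot: The two `assert` statements in `KeyBridgeContainer.args` are the only validation of the keybridge TLS settings, and asserts are stripped when Python runs with `-O`. In that case an incomplete set of TLS files would be passed through as options like `--kmip-tls-key=None` or with an empty value, instead of stopping deployment. Prefer an explicit check, e.g. `if not (cert_path and key_path and ca_cert_path): raise ValueError('keybridge requires cert, key and CA cert files')`, using whatever error type the module normally raises for bad configuration. When `tls_files` is falsy the sidecar is started with no `--kmip-tls-*` options at all. The commit message suggests this is intentional because of the sambacc configuration, so a comment on that branch saying so would make it clear that it is not an accidental fallback.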
@@ -660,6 +692,12 @@ class SMB(ContainerDaemonForm):
             )
         else:
             remote_control_cfg = None
+        if Features.KEYBRIDGE.value in instance_features:
+            keybridge_cfg = KeyBridgeConfig(
+                tls_files=TLSFiles.match(self._tls_files, 'keybridge')
+            )
+        else:
+            keybridge_cfg = None
 
         rank, rank_gen = self._rank_info
         self._instance_cfg = Config(
@@ -688,6 +726,7 @@ class SMB(ContainerDaemonForm):
             proxy_image=proxy_image,
             bind_to=self._network_mapper.bind_interfaces(bind_networks),
             remote_control=remote_control_cfg,
+            keybridge=keybridge_cfg,
         )
         logger.debug('SMB Instance Config: %s', self._instance_cfg)
         logger.debug('Configured files: %s', self._files)
@@ -749,6 +788,8 @@ class SMB(ContainerDaemonForm):
             )
         if self._cfg.remote_control:
             ctrs.append(RemoteControlContainer(self._cfg))
+        if self._cfg.keybridge:
+            ctrs.append(KeyBridgeContainer(self._cfg))
 
         if self._cfg.clustered:
             init_ctrs += [