- ceph0
spec:
port: 5000
+ ssl: True
ssl_protocols:
- TLSv1.2
- TLSv1.3
- AES128-SHA
- AES256-SHA
- ...
- ssl_certificate: |
+ ssl_cert: |
-----BEGIN CERTIFICATE-----
MIIDtTCCAp2gAwIBAgIYMC4xNzc1NDQxNjEzMzc2MjMyXzxvQ7EcMA0GCSqGSIb3
DQEBCwUAMG0xCzAJBgNVBAYTAlVTMQ0wCwYDVQQIDARVdGFoMRcwFQYDVQQHDA5T
[...]
-----END CERTIFICATE-----
- ssl_certificate_key: |
+ ssl_key: |
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC5jdYbjtNTAKW4
/CwQr/7wOiLGzVxChn3mmCIF3DwbL/qvTFTX2d8bDf6LjGwLYloXHscRfxszX/4h
endpoint_suffix = '/internal'
else:
mgmt_gw_port = dd.ports[0] if dd.ports else None
- protocol = 'http' if mgmt_gw_spec.disable_https else 'https'
+ protocol = 'https' if mgmt_gw_spec.ssl else 'http'
endpoint_suffix = ''
mgmt_gw_endpoint = build_url(scheme=protocol, host=mgmt_gw_addr, port=mgmt_gw_port)
user_made = False
if not (cert and key):
# not available on store, check if provided on the spec
- if svc_spec.ssl_certificate and svc_spec.ssl_certificate_key:
+ if svc_spec.ssl_cert and svc_spec.ssl_key:
user_made = True
- cert = svc_spec.ssl_certificate
- key = svc_spec.ssl_certificate_key
+ cert = svc_spec.ssl_cert
+ key = svc_spec.ssl_key
else:
# not provided on the spec, let's generate self-sigend certificates
ip = self.get_mgmt_gw_ip(svc_spec, daemon_spec)
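Review bot: `protocol = 'https' if mgmt_gw_spec.ssl else 'http'` treats a `None` value of `ssl` as plaintext, whereas the replaced `disable_https` test treated an absent value as HTTPS; because the attribute is declared `Optional[bool]` on the spec, a spec constructed with `ssl=None` now selects HTTP without any explicit opt-out. The same polarity change applies to `if svc_spec.ssl:` in the daemon-config hunk below and to `{% if not spec.ssl %}` in the nginx template, where a None value would make the server listen on port 80 without TLS. Consider normalizing once in the spec constructor, e.g. `self.ssl = True if ssl is None else bool(ssl)`, or declaring the parameter as plain `bool = True`, so that only an explicit False disables TLS. The enclosing function starts and ends outside this hunk.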
'enable_oauth2_proxy': bool(oauth2_proxy_endpoints),
}
- cert, key = self.get_external_certificates(svc_spec, daemon_spec)
internal_cert, internal_pkey = self.get_internal_certificates(svc_spec, daemon_spec)
daemon_config = {
"files": {
"ca.crt": self.mgr.cert_mgr.get_root_ca()
}
}
- if not svc_spec.disable_https:
+ if svc_spec.ssl:
+ cert, key = self.get_external_certificates(svc_spec, daemon_spec)
daemon_config["files"]["nginx.crt"] = cert
daemon_config["files"]["nginx.key"] = key
user_made = False
if not (cert and key):
# not available on store, check if provided on the spec
- if svc_spec.ssl_certificate and svc_spec.ssl_certificate_key:
+ if svc_spec.ssl_cert and svc_spec.ssl_key:
user_made = True
- cert = svc_spec.ssl_certificate
- key = svc_spec.ssl_certificate_key
+ cert = svc_spec.ssl_cert
+ key = svc_spec.ssl_key
else:
# not provided on the spec, let's generate self-sigend certificates
addr = self.mgr.inventory.get_addr(daemon_spec.host)
server {
-{% if spec.disable_https %}
+{% if not spec.ssl %}
listen {{ spec.port or 80 }};
{% else %}
listen {{ spec.port or 443 }} ssl;
client_secret='my_client_secret',
oidc_issuer_url='http://192.168.10.10:8888/dex',
cookie_secret='kbAEM9opAmuHskQvt0AW8oeJRaOM2BYy5Loba0kZ0SQ=',
- ssl_certificate=ceph_generated_cert,
- ssl_certificate_key=ceph_generated_key)
+ ssl_cert=ceph_generated_cert,
+ ssl_key=ceph_generated_key)
with with_host(cephadm_module, "test"):
cephadm_module.cert_mgr.save_cert('grafana_cert', ceph_generated_cert, host='test')
server_port = 5555
spec = MgmtGatewaySpec(port=server_port,
- ssl_certificate=ceph_generated_cert,
- ssl_certificate_key=ceph_generated_key)
+ ssl_cert=ceph_generated_cert,
+ ssl_key=ceph_generated_key)
expected = {
"fsid": "fsid",
server_port = 5555
spec = MgmtGatewaySpec(port=server_port,
- ssl_certificate=ceph_generated_cert,
- ssl_certificate_key=ceph_generated_key,
+ ssl_cert=ceph_generated_cert,
+ ssl_key=ceph_generated_key,
enable_auth=True)
expected = {
server_port = 5555
mgmt_gw_spec = MgmtGatewaySpec(port=server_port,
- ssl_certificate=ceph_generated_cert,
- ssl_certificate_key=ceph_generated_key,
+ ssl_cert=ceph_generated_cert,
+ ssl_key=ceph_generated_key,
enable_auth=True,
virtual_ip=virtual_ip)
client_secret='my_client_secret',
oidc_issuer_url='http://192.168.10.10:8888/dex',
cookie_secret='kbAEM9opAmuHskQvt0AW8oeJRaOM2BYy5Loba0kZ0SQ=',
- ssl_certificate=ceph_generated_cert,
- ssl_certificate_key=ceph_generated_key,
+ ssl_cert=ceph_generated_cert,
+ ssl_key=ceph_generated_key,
allowlist_domains=[allowed_domain])
whitelist_domains = f"{allowed_domain},1::4,ceph-node" if virtual_ip is None else f"{allowed_domain},{virtual_ip},1::4,ceph-node"
@_cli_write_command('orch apply mgmt-gateway')
def _apply_mgmt_gateway(self,
port: Optional[int] = None,
- disable_https: Optional[bool] = False,
+ ssl: Optional[bool] = True,
enable_auth: Optional[bool] = False,
virtual_ip: Optional[str] = None,
placement: Optional[str] = None,
unmanaged=unmanaged,
port=port,
virtual_ip=virtual_ip,
- disable_https=disable_https,
+ ssl=ssl,
enable_auth=enable_auth,
preview_only=dry_run
)
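Review bot: `ssl: Optional[bool] = True` inverts the CLI flag's polarity, and whether an operator can still request plaintext from `orch apply mgmt-gateway` depends on how the command framework renders a boolean parameter whose default is True — if it is exposed only as a presence flag, `--ssl` is a no-op and there is no way to pass False; confirm that an explicit false value (e.g. `--ssl=false`) is accepted by the parser. If it is not, the hunk would need a negated option that maps onto `ssl=`, rather than relying on the default alone. The parameter list of `_apply_mgmt_gateway` continues outside the hunk.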
config: Optional[Dict[str, str]] = None,
networks: Optional[List[str]] = None,
placement: Optional[PlacementSpec] = None,
- disable_https: Optional[bool] = False,
+ ssl: Optional[bool] = True,
enable_auth: Optional[bool] = False,
port: Optional[int] = None,
- ssl_certificate: Optional[str] = None,
- ssl_certificate_key: Optional[str] = None,
+ ssl_cert: Optional[str] = None,
+ ssl_key: Optional[str] = None,
ssl_prefer_server_ciphers: Optional[str] = None,
ssl_session_tickets: Optional[str] = None,
ssl_session_timeout: Optional[str] = None,
extra_entrypoint_args=extra_entrypoint_args,
custom_configs=custom_configs
)
- #: Is a flag to disable HTTPS. If True, the server will use unsecure HTTP
- self.disable_https = disable_https
+ #: Is a flag to enable/disable HTTPS. By default set to True.
+ self.ssl = ssl
#: Is a flag to enable SSO auth. Requires oauth2-proxy to be active for SSO authentication.
self.enable_auth = enable_auth
#: The port number on which the server will listen
self.port = port
#: A multi-line string that contains the SSL certificate
- self.ssl_certificate = ssl_certificate
+ self.ssl_cert = ssl_cert
#: A multi-line string that contains the SSL key
- self.ssl_certificate_key = ssl_certificate_key
+ self.ssl_key = ssl_key
#: Prefer server ciphers over client ciphers: on | off
self.ssl_prefer_server_ciphers = ssl_prefer_server_ciphers
#: A multioption flag to control session tickets: on | off
def validate(self) -> None:
super(MgmtGatewaySpec, self).validate()
self._validate_port(self.port)
- self._validate_certificate(self.ssl_certificate, "ssl_certificate")
- self._validate_private_key(self.ssl_certificate_key, "ssl_certificate_key")
+ self._validate_certificate(self.ssl_cert, "ssl_cert")
+ self._validate_private_key(self.ssl_key, "ssl_key")
self._validate_boolean_switch(self.ssl_prefer_server_ciphers, "ssl_prefer_server_ciphers")
self._validate_boolean_switch(self.ssl_session_tickets, "ssl_session_tickets")
self._validate_session_timeout(self.ssl_session_timeout)
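Review bot: The `MgmtGatewaySpec` constructor drops `disable_https`, `ssl_certificate` and `ssl_certificate_key` without accepting them as aliases, so a spec persisted or authored under the previous names will fail to construct with an unexpected-keyword TypeError unless a migration elsewhere in this change handles it — worth confirming, as the same rename is applied to `OAuth2ProxySpec` in the last hunk. If no migration exists, accept the old names as deprecated keyword-only arguments that map onto the new attributes, e.g. `ssl = ssl if disable_https is None else not disable_https`, and emit a deprecation warning. The attribute comment could also state the consequence of the flag: `#: Enable HTTPS on the gateway (default True); when False the server serves plaintext HTTP.` The class body continues outside these hunks.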
oidc_issuer_url: Optional[str] = None,
redirect_url: Optional[str] = None,
cookie_secret: Optional[str] = None,
- ssl_certificate: Optional[str] = None,
- ssl_certificate_key: Optional[str] = None,
+ ssl_cert: Optional[str] = None,
+ ssl_key: Optional[str] = None,
allowlist_domains: Optional[List[str]] = None,
unmanaged: bool = False,
extra_container_args: Optional[GeneralArgList] = None,
# 24, or 32 bytes to create an AES cipher.
self.cookie_secret = cookie_secret or self.generate_random_secret()
#: The multi-line SSL certificate for encrypting communications.
- self.ssl_certificate = ssl_certificate
+ self.ssl_cert = ssl_cert
#: The multi-line SSL certificate private key for decrypting communications.
- self.ssl_certificate_key = ssl_certificate_key
+ self.ssl_key = ssl_key
#: List of allowed domains for safe redirection after login or logout,
# preventing unauthorized redirects.
self.allowlist_domains = allowlist_domains