mgr/cephadm: Remove SSL RGW migration logic

Remove the special-case code used for RGW service migration, as it is no
longer needed. The certmgr logic now handles populating the certstore
with the corresponding certificate and key entries by reading their values
directly from the spec. During RGW service redeployment as part of the
upgrade, certmgr will ensure the certstore is updated accordingly.

Signed-off-by: Redouane Kachach <rkachach@ibm.com>

diff --git a/src/pybind/mgr/cephadm/inventory.py b/src/pybind/mgr/cephadm/inventory.py
index 5a5e8eb7bc72209606b535e6e3a7cae075ea5fac..c4a99fbe88e41effcb651a74f7158e83220ce791 100644 (file)
--- a/src/pybind/mgr/cephadm/inventory.py
+++ b/src/pybind/mgr/cephadm/inventory.py
@@ -27,7 +27,7 @@ from cephadm.services.cephadmservice import CephadmDaemonDeploySpec
 from mgr_util import parse_combined_pem_file
 
 from .utils import resolve_ip, SpecialHostLabels
-from .migrations import queue_migrate_nfs_spec, queue_migrate_rgw_spec, queue_migrate_rgw_ssl_spec
+from .migrations import queue_migrate_nfs_spec, queue_migrate_rgw_spec
 
 if TYPE_CHECKING:
     from .module import CephadmOrchestrator
@@ -309,12 +309,6 @@ class SpecStore():
                 ):
                     queue_migrate_rgw_spec(self.mgr, j)
 
-                if (
-                        (self.mgr.migration_current or 0) < 8
-                        and j['spec'].get('service_type') == 'rgw'
-                ):
-                    queue_migrate_rgw_ssl_spec(self.mgr, j)
-
                 spec = ServiceSpec.from_json(j['spec'])
                 created = str_to_datetime(cast(str, j['created']))
                 self._specs[service_name] = spec

diff --git a/src/pybind/mgr/cephadm/migrations.py b/src/pybind/mgr/cephadm/migrations.py
index 64e39d9343286ba1c567d29bd0e06a28568b3fa3..6daa438459b3fe16380c6998aa5a841ff3f71e44 100644 (file)
--- a/src/pybind/mgr/cephadm/migrations.py
+++ b/src/pybind/mgr/cephadm/migrations.py
@@ -7,8 +7,7 @@ from ceph.deployment.service_spec import PlacementSpec, ServiceSpec, HostPlaceme
 from cephadm.schedule import HostAssignment
 from cephadm.utils import SpecialHostLabels
 import rados
-from mgr_util import parse_combined_pem_file, get_cert_issuer_info
-from cephadm.tlsobject_types import CertKeyPair
+from mgr_util import get_cert_issuer_info
 
 from mgr_module import NFS_POOL_NAME
 from orchestrator import OrchestratorError, DaemonDescription
@@ -16,7 +15,7 @@ from orchestrator import OrchestratorError, DaemonDescription
 if TYPE_CHECKING:
     from .module import CephadmOrchestrator
 
-LAST_MIGRATION = 9
+LAST_MIGRATION = 8
 
 logger = logging.getLogger(__name__)
 
@@ -43,9 +42,6 @@ class Migrations:
         r = mgr.get_store('rgw_migration_queue')
         self.rgw_migration_queue = json.loads(r) if r else []
 
-        r = mgr.get_store('rgw_ssl_migration_queue')
-        self.rgw_ssl_migration_queue = json.loads(r) if r else []
-
         # for some migrations, we don't need to do anything except for
         # incrementing migration_current.
         # let's try to shortcut things here.
@@ -126,11 +122,6 @@ class Migrations:
             if self.migrate_7_8():
                 self.set(8)
 
-        if self.mgr.migration_current == 8:
-            logger.info('Running migration 8 -> 9')
-            if self.migrate_8_9():
-                self.set(9)
-
     def migrate_0_1(self) -> bool:
         """
         Migration 0 -> 1
@@ -478,37 +469,6 @@ class Migrations:
         return True
 
     def migrate_7_8(self) -> bool:
-        logger.info(f'Starting rgw SSL/TLS migration (queue length is {len(self.rgw_ssl_migration_queue)})')
-        for s in self.rgw_ssl_migration_queue:
-
-            svc_spec = s['spec']  # this is the RGWspec
-
-            if 'spec' not in svc_spec:
-                logger.info(f"No SSL/TLS fields migration is needed for rgw spec: {svc_spec}")
-                continue
-
-            cert_field = svc_spec['spec'].get('rgw_frontend_ssl_certificate')
-            if not cert_field:
-                logger.info(f"No SSL/TLS fields migration is needed for rgw spec: {svc_spec}")
-                continue
-
-            cert_str = '\n'.join(cert_field) if isinstance(cert_field, list) else cert_field
-            ssl_cert, ssl_key = parse_combined_pem_file(cert_str)
-            new_spec = svc_spec.copy()
-            new_spec['spec'].update({
-                'rgw_frontend_ssl_certificate': None,
-                'certificate_source': CertificateSource.INLINE.value,
-                'ssl_cert': ssl_cert,
-                'ssl_key': ssl_key,
-            })
-
-            logger.info(f"Migrating {svc_spec} to new RGW SSL/TLS format {new_spec}")
-            self.mgr.spec_store.save(RGWSpec.from_json(new_spec))
-
-        self.rgw_ssl_migration_queue = []
-        return True
-
-    def migrate_8_9(self) -> bool:
         """
         Replace Promtail with Alloy.
 
@@ -588,15 +548,6 @@ def queue_migrate_rgw_spec(mgr: "CephadmOrchestrator", spec_dict: Dict[Any, Any]
     logger.info(f'Queued rgw.{service_id} for migration')
 
 
-def queue_migrate_rgw_ssl_spec(mgr: "CephadmOrchestrator", spec_dict: Dict[Any, Any]) -> None:
-    service_id = spec_dict['spec']['service_id']
-    queued = mgr.get_store('rgw_ssl_migration_queue') or '[]'
-    ls = json.loads(queued)
-    ls.append(spec_dict)
-    mgr.set_store('rgw_ssl_migration_queue', json.dumps(ls))
-    logger.info(f'Queued rgw.{service_id} for TLS migration')
-
-
 def queue_migrate_nfs_spec(mgr: "CephadmOrchestrator", spec_dict: Dict[Any, Any]) -> None:
     """
     After 16.2.5 we dropped the NFSServiceSpec pool and namespace properties.