python-common/service_spec: add root_ca_cert to nvmeof spec
authorAdam King <adking@redhat.com>
Wed, 3 Jul 2024 18:54:47 +0000 (14:54 -0400)
committerAlexander Indenbaum <aindenba@redhat.com>
Thu, 20 Nov 2025 08:55:27 +0000 (10:55 +0200)
Also improves the error messaging when cert/key attributes are missing
from the spec while enable_auth is set to true

Signed-off-by: Adam King <adking@redhat.com>
(cherry picked from commit 9212914be65fe3adde2108f5a2cfd2587d17c0ff)
(cherry picked from commit f7c46fa3adf71631a1cea372841e4d74f09094ed)

Resolves: rhbz#2282825

Conflicts:
src/cephadm/cephadmlib/daemons/nvmeof.py

src/cephadm/cephadm.py
src/pybind/mgr/cephadm/services/nvmeof.py
src/pybind/mgr/cephadm/templates/services/nvmeof/ceph-nvmeof.conf.j2
src/python-common/ceph/deployment/service_spec.py

index d7f5bed0b77570630a404feba55c305565c80d29..bf009796da14b7b767040706c16e2dbfff96afdd 100755 (executable)
@@ -1214,7 +1214,13 @@ class CephNvmeof(object):
         self, data_dir: str, files: Dict[str, str]
     ) -> Dict[str, str]:
         mounts = dict()
-        for fn in ['server_cert', 'server_key', 'client_cert', 'client_key']:
+        for fn in [
+            'server_cert',
+            'server_key',
+            'client_cert',
+            'client_key',
+            'root_ca_cert',
+        ]:
             if fn in files:
                 mounts[
                     os.path.join(data_dir, fn)
index 2f023185aeb12b343d88882a186f90f885f72de0..83a186b9919231ec0021e50710d281a5e3bcdbc7 100644 (file)
@@ -67,15 +67,20 @@ class NvmeofService(CephService):
                 or not spec.client_key
                 or not spec.server_cert
                 or not spec.server_key
+                or not spec.root_ca_cert
             ):
-                self.mgr.log.error(f'enable_auth set for {spec.service_name()} spec, but at '
-                                   'least one of server/client cert/key fields missing. TLS '
-                                   f'not being set up for {daemon_spec.name()}')
+                err_msg = 'enable_auth is true but '
+                for cert_key_attr in ['server_key', 'server_cert', 'client_key', 'client_cert', 'root_ca_cert']:
+                    if not hasattr(spec, cert_key_attr):
+                        err_msg += f'{cert_key_attr}, '
+                err_msg += 'attribute(s) missing from nvmeof spec'
+                self.mgr.log.error(err_msg)
             else:
                 daemon_spec.extra_files['server_cert'] = spec.server_cert
                 daemon_spec.extra_files['client_cert'] = spec.client_cert
                 daemon_spec.extra_files['server_key'] = spec.server_key
                 daemon_spec.extra_files['client_key'] = spec.client_key
+                daemon_spec.extra_files['root_ca_cert'] = spec.root_ca_cert
 
         daemon_spec.final_config, daemon_spec.deps = self.generate_config(daemon_spec)
         daemon_spec.deps = []
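Review bot: The loop that builds `err_msg` tests `hasattr(spec, cert_key_attr)`, but every one of those names is assigned in `NvmeofServiceSpec.__init__` (defaulting to `None`), so `hasattr` is always true and the message will never name the field that is actually empty, reading only "enable_auth is true but attribute(s) missing from nvmeof spec". The outer `if` already uses truthiness (`not spec.client_key` etc.), so the inner test should match: `if not getattr(spec, cert_key_attr):`. The new message also drops the old wording that TLS is not being set up for the daemon, yet the code still falls through to `generate_config` below without any of the cert files in `extra_files`; keeping that consequence in the log line (e.g. appending `f'; TLS not being set up for {daemon_spec.name()}'`) tells an operator that the daemon was deployed without the expected auth. The enclosing `if` starts before this hunk and the method continues past it.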
index 5000efa5d5459e46b605bd239a671cb899cae9e9..b20aa56971a57d8b764233ddba2db6a48b2e354a 100644 (file)
@@ -21,6 +21,7 @@ server_key = /server.key
 client_key = /client.key
 server_cert = /server.cert
 client_cert = /client.cert
+root_ca_cert = /root.ca.cert
 
 [spdk]
 tgt_path = {{ spec.tgt_path }}
index 4310118a5ebc97b1c90c327e0453124444784952..949dd9aa8cc119ff2f62b2b32053ed6104f7d4fd 100644 (file)
@@ -1236,6 +1236,7 @@ class NvmeofServiceSpec(ServiceSpec):
                  server_cert: Optional[str] = None,
                  client_key: Optional[str] = None,
                  client_cert: Optional[str] = None,
+                 root_ca_cert: Optional[str] = None,
                  spdk_path: Optional[str] = None,
                  tgt_path: Optional[str] = None,
                  timeout: Optional[int] = 60,
@@ -1280,6 +1281,8 @@ class NvmeofServiceSpec(ServiceSpec):
         self.client_key = client_key
         #: ``client_cert`` client certificate
         self.client_cert = client_cert
+        #: ``root_ca_cert`` CA cert for server/client certs
+        self.root_ca_cert = root_ca_cert
         #: ``spdk_path`` path to SPDK
         self.spdk_path = spdk_path or '/usr/local/bin/nvmf_tgt'
         #: ``tgt_path`` nvmeof target path
@@ -1306,9 +1309,13 @@ class NvmeofServiceSpec(ServiceSpec):
             raise SpecValidationError('Cannot add NVMEOF: No Pool specified')
 
         if self.enable_auth:
-            if not all([self.server_key, self.server_cert, self.client_key, self.client_cert]):
-                raise SpecValidationError(
-                    'enable_auth is true but client/server certificates are missing')
+            if not all([self.server_key, self.server_cert, self.client_key, self.client_cert, self.root_ca_cert]):
+                err_msg = 'enable_auth is true but '
+                for cert_key_attr in ['server_key', 'server_cert', 'client_key', 'client_cert', 'root_ca_cert']:
+                    if not hasattr(self, cert_key_attr):
+                        err_msg += f'{cert_key_attr}, '
+                err_msg += 'attribute(s) not set in the spec'
+                raise SpecValidationError(err_msg)
 
         if self.transports not in ['tcp']:
             raise SpecValidationError('Invalid transport. Valid values are tcp')
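Review bot: The `hasattr(self, cert_key_attr)` check can never report a missing field, because `__init__` sets all five attributes unconditionally (see the `self.root_ca_cert = root_ca_cert` assignment added in this same file), so the raised error always reads "enable_auth is true but attribute(s) not set in the spec" with no names and no way to tell which of the five is blank. The `all([...])` guard above it tests truthiness, so the per-attribute test should too; a direct replacement for the new lines is `missing = [a for a in ('server_key', 'server_cert', 'client_key', 'client_cert', 'root_ca_cert') if not getattr(self, a)]`, `if missing:`, `raise SpecValidationError(f'enable_auth is true but {", ".join(missing)} attribute(s) not set in the spec')`. This also removes the stray trailing ", " that the string concatenation leaves before "attribute(s)". `validate` begins before this hunk.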