cephadm: Make ceph-iscsi SSL aware
authorMatthew Oliver <moliver@suse.com>
Tue, 21 Apr 2020 03:38:46 +0000 (13:38 +1000)
committerSebastian Wagner <sebastian.wagner@suse.com>
Thu, 21 May 2020 21:33:18 +0000 (23:33 +0200)
Ceph-iscsi's `rbd-target-api.py` supports listening over SSL if you
provide an SSL cert and key. Originally the script is opinionated and
requires these files to be named `/etc/ceph/iscsi-gateway.{crt,key}`.

When dealing with containers, having to place files inside a container to
enable SSL isn't very clean. To make things easier, like RGW, you can
now place the SSL cert and key data in the mon config-key store.

This will mean there are 2 ways to enable SSL in ceph-iscsi via orch/cephadm.

1. Push the SSL key and cert into the mon config-key store under the following keys, and
   then make sure api_secure is enabled in the service spec (requires json):

  iscsi/{clientname}/iscsi-gateway.crt
  iscsi/{clientname}/iscsi-gateway.key

2. Provide the SSL key and cert in the json you pass the orchestrator and
   it'll push them up for you.

Also lockdown the caps so the container can only access iscsi ssl
key/certs.

Signed-off-by: Matthew Oliver <moliver@suse.com>
(cherry picked from commit 4c942d05949f0cb79963258b6f75093bb5d1d4d9)

src/pybind/mgr/cephadm/module.py
src/python-common/ceph/deployment/service_spec.py

index c23aa2703c4f102fce67187f5c5043e07a93cee1..81d4cb3bd3a4f8e4d6ab1b293a0e96ecef861f4b 100644 (file)
@@ -2863,10 +2863,34 @@ class CephadmOrchestrator(orchestrator.Orchestrator, MgrModule):
         ret, keyring, err = self.check_mon_command({
             'prefix': 'auth get-or-create',
             'entity': utils.name_to_config_section('iscsi') + '.' + igw_id,
-            'caps': ['mon', 'allow rw',
+            'caps': ['mon', 'profile rbd, '
+                            'allow command "osd blacklist", '
+                            'allow command "config-key get" with "key" prefix "iscsi/"',
                      'osd', f'allow rwx pool={spec.pool}'],
         })
 
+        if spec.ssl_cert:
+            if isinstance(spec.ssl_cert, list):
+                cert_data = '\n'.join(spec.ssl_cert)
+            else:
+                cert_data = spec.ssl_cert
+            ret, out, err = self.mon_command({
+                'prefix': 'config-key set',
+                'key': f'iscsi/{utils.name_to_config_section("iscsi")}.{igw_id}/iscsi-gateway.crt',
+                'val': cert_data,
+            })
+
+        if spec.ssl_key:
+            if isinstance(spec.ssl_key, list):
+                key_data = '\n'.join(spec.ssl_key)
+            else:
+                key_data = spec.ssl_key
+            ret, out, err = self.mon_command({
+                'prefix': 'config-key set',
+                'key': f'iscsi/{utils.name_to_config_section("iscsi")}.{igw_id}/iscsi-gateway.key',
+                'val': key_data,
+            })
+
         api_secure = 'false' if spec.api_secure is None else spec.api_secure
         igw_conf = f"""
 # generated by cephadm
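Review bot: The `config-key get` cap added on the new mon caps line is scoped to the whole `iscsi/` prefix, while the values this method stores live under `iscsi/{utils.name_to_config_section("iscsi")}.{igw_id}/`, so every iSCSI gateway entity can read every other gateway's private key rather than only its own as the commit message says is intended; because the entity name and the key prefix are both built from the same `name_to_config_section('iscsi') + '.' + igw_id`, the cap can be narrowed to `f'allow command "config-key get" with "key" prefix "iscsi/{utils.name_to_config_section("iscsi")}.{igw_id}/"'`. The `ret, out, err` from both `config-key set` calls are discarded, and the spec constructor in the second hunk already flips `api_secure` to True whenever both cert and key are given, so a failed store leaves the gateway configured for TLS with no material to load; add `if ret != 0: raise OrchestratorError(f'failed to store iscsi SSL cert/key for {igw_id}: {err}')` (or whichever error type this module raises elsewhere) after each call. Since the private key now lives in the mon config-key store, a short comment above the `if spec.ssl_cert:` branch is worth having: `# Private key material is stored in the mon config-key store; read access is governed only by the "config-key get" caps granted above.` The enclosing method begins above this hunk.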
index 4bdf3dd23c23b9c0e13dd1dafa491ce1a61719a4..c6195ddf0c560f5e5c22ae969526446938ff36e2 100644 (file)
@@ -597,6 +597,9 @@ class IscsiServiceSpec(ServiceSpec):
         self.ssl_cert = ssl_cert
         self.ssl_key = ssl_key
 
+        if not self.api_secure and self.ssl_cert and self.ssl_key:
+            self.api_secure = True
+
     def validate_add(self):
         servicespec_validate_add(self)