mgr/cephadm: Remove SSL RGW migration logic
authorRedouane Kachach <rkachach@ibm.com>
Thu, 25 Sep 2025 15:26:06 +0000 (17:26 +0200)
committerRedouane Kachach <rkachach@ibm.com>
Wed, 1 Oct 2025 14:29:00 +0000 (16:29 +0200)
Remove the special-case code used for RGW service migration, as it is no
longer needed. The certmgr logic now handles populating the certstore
with the corresponding certificate and key entries by reading their values
directly from the spec. During RGW service redeployment as part of the
upgrade, certmgr will ensure the certstore is updated accordingly.

Resolves: rhbz#2400686

Signed-off-by: Redouane Kachach <rkachach@ibm.com>
(cherry picked from commit 9e05171155075daf96a070037fa2fa14f84b8bfc)

src/pybind/mgr/cephadm/inventory.py
src/pybind/mgr/cephadm/migrations.py

index 63ddfb68b28f6fa5c42ea30238a01cc0556be416..5077bb85692fe1bc7d241d8b6d26cde7bf9af7ee 100644 (file)
@@ -27,7 +27,7 @@ from cephadm.services.cephadmservice import CephadmDaemonDeploySpec
 from mgr_util import parse_combined_pem_file
 
 from .utils import resolve_ip, SpecialHostLabels
-from .migrations import queue_migrate_nfs_spec, queue_migrate_rgw_spec, queue_migrate_rgw_ssl_spec
+from .migrations import queue_migrate_nfs_spec, queue_migrate_rgw_spec
 from .schedule import DaemonPlacement
 
 if TYPE_CHECKING:
@@ -478,12 +478,6 @@ class SpecStore():
                 ):
                     queue_migrate_rgw_spec(self.mgr, j)
 
-                if (
-                        (self.mgr.migration_current or 0) < 8
-                        and j['spec'].get('service_type') == 'rgw'
-                ):
-                    queue_migrate_rgw_ssl_spec(self.mgr, j)
-
                 spec = ServiceSpec.from_json(j['spec'])
                 created = str_to_datetime(cast(str, j['created']))
                 self._specs[service_name] = spec
index a992cc3ea5d9d975f8b1be223f9aa981b0b9c475..b4713ef67069c4809a0cb5fe6b4b8196a0efb3b4 100644 (file)
@@ -9,8 +9,7 @@ from cephadm.utils import SpecialHostLabels
 from cephadm.services.nfs import NFSService
 from cephadm.services.service_registry import service_registry
 import rados
-from mgr_util import parse_combined_pem_file, get_cert_issuer_info
-from cephadm.tlsobject_types import CertKeyPair
+from mgr_util import get_cert_issuer_info
 
 from mgr_module import NFS_POOL_NAME
 from orchestrator import OrchestratorError, DaemonDescription
@@ -18,7 +17,7 @@ from orchestrator import OrchestratorError, DaemonDescription
 if TYPE_CHECKING:
     from .module import CephadmOrchestrator
 
-LAST_MIGRATION = 11
+LAST_MIGRATION = 10
 
 logger = logging.getLogger(__name__)
 
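Review bot: Lowering `LAST_MIGRATION` to 10 reuses level 10 for the Promtail-to-Alloy step, in combination with the removed `migration_current == 10` branch (hunk at -130) and the rename of `migrate_10_11` to `migrate_9_10` (hunk at -515). A cluster whose stored `migration_current` is already 10 under the old numbering would, as far as these hunks show, never run the Alloy step, and one already at 11 would sit above `LAST_MIGRATION`. How the rest of the class treats a value above the constant is not visible here. If a build with the old numbering could have run on any cluster that takes this backport, keeping level 10 as a no-op step and leaving `LAST_MIGRATION = 11` avoids both cases. Otherwise a comment next to the constant should record that level 10 previously meant the RGW SSL migration and why the renumbering is safe.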
@@ -45,9 +44,6 @@ class Migrations:
         r = mgr.get_store('rgw_migration_queue')
         self.rgw_migration_queue = json.loads(r) if r else []
 
-        r = mgr.get_store('rgw_ssl_migration_queue')
-        self.rgw_ssl_migration_queue = json.loads(r) if r else []
-
         # for some migrations, we don't need to do anything except for
         # incrementing migration_current.
         # let's try to shortcut things here.
@@ -130,10 +126,6 @@ class Migrations:
             if self.migrate_9_10():
                 self.set(10)
 
-        if self.mgr.migration_current == 10:
-            if self.migrate_10_11():
-                self.set(11)
-
     def migrate_0_1(self) -> bool:
         """
         Migration 0 -> 1
@@ -515,37 +507,6 @@ class Migrations:
         return True
 
     def migrate_9_10(self) -> bool:
-        logger.info(f'Starting rgw SSL/TLS migration (queue length is {len(self.rgw_ssl_migration_queue)})')
-        for s in self.rgw_ssl_migration_queue:
-
-            svc_spec = s['spec']  # this is the RGWspec
-
-            if 'spec' not in svc_spec:
-                logger.info(f"No SSL/TLS fields migration is needed for rgw spec: {svc_spec}")
-                continue
-
-            cert_field = svc_spec['spec'].get('rgw_frontend_ssl_certificate')
-            if not cert_field:
-                logger.info(f"No SSL/TLS fields migration is needed for rgw spec: {svc_spec}")
-                continue
-
-            cert_str = '\n'.join(cert_field) if isinstance(cert_field, list) else cert_field
-            ssl_cert, ssl_key = parse_combined_pem_file(cert_str)
-            new_spec = svc_spec.copy()
-            new_spec['spec'].update({
-                'rgw_frontend_ssl_certificate': None,
-                'certificate_source': CertificateSource.INLINE.value,
-                'ssl_cert': ssl_cert,
-                'ssl_key': ssl_key,
-            })
-
-            logger.info(f"Migrating {svc_spec} to new RGW SSL/TLS format {new_spec}")
-            self.mgr.spec_store.save(RGWSpec.from_json(new_spec))
-
-        self.rgw_ssl_migration_queue = []
-        return True
-
-    def migrate_10_11(self) -> bool:
         """
         Replace Promtail with Alloy.
 
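Review bot: Nothing on the new side clears the persisted `rgw_ssl_migration_queue` store key once the old `migrate_9_10` body is gone. The removed `queue_migrate_rgw_ssl_spec` (hunk at -625) appended whole RGW spec dicts to that key, and those specs can carry `rgw_frontend_ssl_certificate`, a combined PEM that the removed code split into a certificate and a private key; the removed migration only reset the in-memory list. On clusters where entries were queued before this change, that key material would stay in the mgr store with no code left that reads or deletes it. A one-line cleanup in a surviving migration step would cover it, e.g. `self.mgr.set_store('rgw_ssl_migration_queue', None)`. The new `migrate_9_10` body continues outside the hunk.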
@@ -625,15 +586,6 @@ def queue_migrate_rgw_spec(mgr: "CephadmOrchestrator", spec_dict: Dict[Any, Any]
     logger.info(f'Queued rgw.{service_id} for migration')
 
 
-def queue_migrate_rgw_ssl_spec(mgr: "CephadmOrchestrator", spec_dict: Dict[Any, Any]) -> None:
-    service_id = spec_dict['spec']['service_id']
-    queued = mgr.get_store('rgw_ssl_migration_queue') or '[]'
-    ls = json.loads(queued)
-    ls.append(spec_dict)
-    mgr.set_store('rgw_ssl_migration_queue', json.dumps(ls))
-    logger.info(f'Queued rgw.{service_id} for TLS migration')
-
-
 def queue_migrate_nfs_spec(mgr: "CephadmOrchestrator", spec_dict: Dict[Any, Any]) -> None:
     """
     After 16.2.5 we dropped the NFSServiceSpec pool and namespace properties.