except SSLConfigException:
raise Exception("Cannot load cephadm root CA certificates.")
else:
- self.ssl_certs.generate_root_cert(ip)
+ self.ssl_certs.generate_root_cert(addr=ip)
mgr.cert_key_store.save_cert(self.CEPHADM_ROOT_CA_CERT, self.ssl_certs.get_root_cert())
mgr.cert_key_store.save_key(self.CEPHADM_ROOT_CA_KEY, self.ssl_certs.get_root_key())
'value': spec.rgw_zone,
})
+ if spec.generate_cert and not spec.rgw_frontend_ssl_certificate:
+ # generate a self-signed cert for the rgw service
+ cert, key = self.mgr.cert_mgr.ssl_certs.generate_root_cert(custom_san_list=spec.zonegroup_hostnames)
+ spec.rgw_frontend_ssl_certificate = ''.join([key, cert])
+ self.mgr.spec_store.save(spec)
+
if spec.rgw_frontend_ssl_certificate:
if isinstance(spec.rgw_frontend_ssl_certificate, list):
cert_data = '\n'.join(spec.rgw_frontend_ssl_certificate)
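Review bot: The new `if spec.generate_cert` branch calls `generate_root_cert` on the shared `self.mgr.cert_mgr.ssl_certs` instance, and that method assigns the freshly generated key to `self.root_key` (visible in the generate_root_cert hunk below), so issuing an RGW certificate this way appears to replace cephadm's own in-memory root CA key on that object; the cert_mgr side is not in the diff, so please confirm before merging. The certificate it returns also carries `BasicConstraints(ca=True)` and a ten-year lifetime, which is a CA profile rather than a server profile for an RGW frontend. A leaf certificate signed by the existing root CA (if `SSLCerts` already offers such a method) or a dedicated generator that leaves `root_key` untouched would avoid both, and `spec.zonegroup_hostnames` can feed its SAN list the same way. The enclosing function starts before this hunk.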
-from typing import Any, Tuple, IO, List, Union
+from typing import Any, Tuple, IO, List, Union, Optional
import ipaddress
from datetime import datetime, timedelta
self.key_file: IO[bytes]
self.cert_file: IO[bytes]
- def generate_root_cert(self, addr: str) -> Tuple[str, str]:
+ def generate_root_cert(
+ self,
+ addr: Optional[str] = None,
+ custom_san_list: Optional[List[str]] = None
+ ) -> Tuple[str, str]:
self.root_key = rsa.generate_private_key(
public_exponent=65537, key_size=4096, backend=default_backend())
root_public_key = self.root_key.public_key()
root_builder = root_builder.not_valid_after(datetime.now() + timedelta(days=(365 * 10 + 3)))
root_builder = root_builder.serial_number(x509.random_serial_number())
root_builder = root_builder.public_key(root_public_key)
+
+ san_list: List[x509.GeneralName] = []
+ if addr:
+ san_list.extend([x509.IPAddress(ipaddress.ip_address(addr))])
+ if custom_san_list:
+ san_list.extend([x509.DNSName(n) for n in custom_san_list])
root_builder = root_builder.add_extension(
x509.SubjectAlternativeName(
- [x509.IPAddress(ipaddress.ip_address(addr))]
+ san_list
),
critical=False
)
+
root_builder = root_builder.add_extension(
x509.BasicConstraints(ca=True, path_length=None), critical=True,
)
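Review bot: With `addr` now optional, a call that passes neither `addr` nor a non-empty `custom_san_list` still adds a `SubjectAlternativeName` extension built from an empty `san_list`, yielding a certificate with no subject names; the new RGW caller passes only `custom_san_list=spec.zonegroup_hostnames`, so an empty hostname list reaches this path. A guard before the extension, `if not san_list: raise ValueError('generate_root_cert requires addr or a non-empty custom_san_list')`, turns that into an error at issue time (the module's own exception type, if it has one, would fit better than ValueError). The method also has no docstring; one stating that `addr` is an IP literal parsed by `ipaddress.ip_address`, that `custom_san_list` entries become DNS names, and that the call replaces `self.root_key` on the instance would help callers decide between this and a leaf-cert generator. The method body continues past the end of this hunk.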
self.http_server = MagicMock()
self.http_server.agent = MagicMock()
self.http_server.agent.ssl_certs = SSLCerts()
- self.http_server.agent.ssl_certs.generate_root_cert(self.get_mgr_ip())
+ self.http_server.agent.ssl_certs.generate_root_cert(addr=self.get_mgr_ip())
self.cert_mgr = FakeCertMgr()
def get_mgr_ip(self) -> str:
rgw_zonegroup: Optional[str] = None,
rgw_zone: Optional[str] = None,
rgw_frontend_port: Optional[int] = None,
- rgw_frontend_ssl_certificate: Optional[List[str]] = None,
+ rgw_frontend_ssl_certificate: Optional[Union[str, List[str]]] = None,
rgw_frontend_type: Optional[str] = None,
rgw_frontend_extra_args: Optional[List[str]] = None,
unmanaged: bool = False,
rgw_user_counters_cache_size: Optional[int] = None,
rgw_bucket_counters_cache: Optional[bool] = False,
rgw_bucket_counters_cache_size: Optional[int] = None,
+ generate_cert: bool = False,
):
assert service_type == 'rgw', service_type
#: Port of the RGW daemons
self.rgw_frontend_port: Optional[int] = rgw_frontend_port
#: List of SSL certificates
- self.rgw_frontend_ssl_certificate: Optional[List[str]] = rgw_frontend_ssl_certificate
+ self.rgw_frontend_ssl_certificate: Optional[Union[str, List[str]]] \
+ = rgw_frontend_ssl_certificate
#: civetweb or beast (default: beast). See :ref:`rgw_frontends`
self.rgw_frontend_type: Optional[str] = rgw_frontend_type
#: List of extra arguments for rgw_frontend in the form opt=value. See :ref:`rgw_frontends`
self.rgw_bucket_counters_cache = rgw_bucket_counters_cache
#: Used to set number of entries in each cache of bucket counters
self.rgw_bucket_counters_cache_size = rgw_bucket_counters_cache_size
+ #: Whether we should generate a cert/key for the user if not provided
+ self.generate_cert = generate_cert
def get_port_start(self) -> List[int]:
return [self.get_port()]
'Additional rgw type parameters can be passed using rgw_frontend_extra_args.'
)
+ if self.generate_cert and not self.ssl:
+ raise SpecValidationError('"ssl" field must be set to true when "generate_cert" '
+ 'is set to true')
+
yaml.add_representer(RGWSpec, ServiceSpec.yaml_representer)
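Review bot: The new check in `validate()` ties `generate_cert` to `ssl`, but a spec that sets `generate_cert: true` together with an explicit `rgw_frontend_ssl_certificate` passes validation, and the service code then silently ignores the flag because it only generates when no certificate is present. Raising `SpecValidationError('"generate_cert" cannot be combined with an explicit "rgw_frontend_ssl_certificate"')` here, or stating the precedence in the attribute comment, would make that outcome explicit. The comment `#: Whether we should generate a cert/key for the user if not provided` could also note that the generated key and certificate are written back into the spec, since the spec then carries private-key material wherever it is stored. `validate` starts before this hunk.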