mgr/cephadm: enable custom TLS certificates for grafana
authorPatrick Seidensal <pseidensal@suse.com>
Thu, 5 Mar 2020 12:15:50 +0000 (13:15 +0100)
committerPatrick Seidensal <pseidensal@suse.com>
Thu, 5 Mar 2020 12:19:16 +0000 (13:19 +0100)
using `ceph config-key`.

E.g.:

    ceph config-key set mgr/cephadm/grafana_crt -i cert.pem
    ceph config-key set mgr/cephadm/grafana_key -i key.pem

Signed-off-by: Patrick Seidensal <pseidensal@suse.com>
src/pybind/mgr/cephadm/module.py

index b4c4bda0895e8472c8cd7be804a12dad75af90b5..d6106ab8d96e29c6437e4fe19c2f66bc2f9ed9fc 100644 (file)
@@ -6,7 +6,7 @@ import yaml
 from threading import Event
 from functools import wraps
 
-from mgr_util import create_self_signed_cert
+from mgr_util import create_self_signed_cert, verify_tls, ServerConfigException
 
 import string
 try:
@@ -2507,7 +2507,20 @@ datasources:
         for dd in self.cache.get_daemons_by_service('prometheus'):
             prom_services.append(dd.hostname)
             deps.append(dd.name())
-        cert, pkey = create_self_signed_cert('Ceph', 'cephadm')
+
+        cert = self.get_store('grafana_crt')
+        pkey = self.get_store('grafana_key')
+        if cert and pkey:
+            try:
+                verify_tls(cert, pkey)
+            except ServerConfigException as e:
+                logger.warning('Provided grafana TLS certificates invalid: %s', str(e))
+                cert, pkey = None, None
+        if not (cert and pkey):
+            cert, pkey = create_self_signed_cert('Ceph', 'cephadm')
+            self.set_store('grafana_crt', cert)
+            self.set_store('grafana_key', pkey)
+
         config_file = {
             'files': {
                 "grafana.ini": """# generated by cephadm
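Review bot: The fallback branch writes the generated pair back with `self.set_store('grafana_crt', cert)` and `self.set_store('grafana_key', pkey)` even when the operator had supplied material. A failed `verify_tls`, or a state where only one of the two keys is set, therefore silently replaces the operator's certificate and private key with a self-signed pair. The commit message uploads the two values with separate `ceph config-key set` commands, so the half-set state looks reachable if this code runs between them. Record the state before validation with `operator_supplied = bool(cert or pkey)` and guard the two `set_store` calls with `if not operator_supplied:`, so rejected input stays in the store for inspection; the warning should also say that a self-signed certificate is being served instead. The enclosing method starts and ends outside this hunk.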