mgr/cephadm: Fix mgmt-gateway default port in get_port_start()

The mgmt-gateway port was already defaulted to 443 in most places, but
get_port_start() did not apply this default. Since the output of
get_port_start() is used both to configure the daemon ports which are
later used to to open them in firewalld, this inconsistency meant the
HTTPS port was not opened when firewalld service was active.

This change makes get_port_start() also default to port 443, ensuring
the daemon is configured correctly and the corresponding firewalld port
is opened as expected.

Fixes: https://tracker.ceph.com/issues/74015
Signed-off-by: Redouane Kachach <rkachach@ibm.com>

diff --git a/src/pybind/mgr/cephadm/tests/services/test_mgmt_gateway.py b/src/pybind/mgr/cephadm/tests/services/test_mgmt_gateway.py
index 5747cd7a16911770bcc59483f0f34fe31133ab29..e8b3aff093fb75437a8d3d2c6537aa1cadd5f68f 100644 (file)
--- a/src/pybind/mgr/cephadm/tests/services/test_mgmt_gateway.py
+++ b/src/pybind/mgr/cephadm/tests/services/test_mgmt_gateway.py
@@ -792,3 +792,29 @@ class TestMgmtGateway:
                     error_ok=True,
                     use_current_daemon_image=False,
                 )
+
+    @patch("cephadm.serve.CephadmServe._run_cephadm")
+    def test_mgmt_gateway_default_port_is_443_when_unspecified(
+        self,
+        _run_cephadm,
+        cephadm_module: CephadmOrchestrator,
+    ):
+        """
+        When no --port is provided and the spec has no port field,
+        the mgmt-gateway daemon spec must use port 443 so that
+        firewalld can open the correct port.
+        """
+
+        _run_cephadm.side_effect = async_side_effect(('{}', '', 0))
+
+        # NOTE: no port passed here, let's test the defaults
+        spec = MgmtGatewaySpec()
+        with with_host(cephadm_module, 'ceph-node'):
+            with with_service(cephadm_module, spec):
+                HTTPS_PORT = 443
+                # Inspect the daemon spec passed to cephadm
+                deployed = json.loads(_run_cephadm.call_args.kwargs['stdin'])
+                # The default port must be 443 (from get_port_start)
+                assert 'tcp_ports' in deployed['params']
+                assert deployed['params']['tcp_ports'] == [HTTPS_PORT]
+                assert deployed['meta']['ports'] == [HTTPS_PORT]

diff --git a/src/python-common/ceph/deployment/service_spec.py b/src/python-common/ceph/deployment/service_spec.py
index 527a4107631bec254352aeb543b2c2f4eaf8419e..89f768ab23be25977aa7c2fb3499b5f53b7009ff 100644 (file)
--- a/src/python-common/ceph/deployment/service_spec.py
+++ b/src/python-common/ceph/deployment/service_spec.py
@@ -2438,6 +2438,8 @@ class MgmtGatewaySpec(ServiceSpec):
         ports = []
         if self.port is not None:
             ports.append(cast(int, self.port))
+        else:
+            ports.append(443)  # default HTTPS port
         return ports
 
     def validate(self) -> None: