mgr/cephadm: replace md5_hash with FIPS-safe config_hash 68638/head
authorKobi Ginon <kginon@redhat.com>
Mon, 27 Apr 2026 19:08:54 +0000 (22:08 +0300)
committerKobi Ginon <kginon@redhat.com>
Tue, 28 Apr 2026 11:50:45 +0000 (14:50 +0300)
Replace md5_hash() usages in cephadm dependency hashing with an
algorithm-agnostic config_hash() helper. config_hash() is backed by
SHA-256, making dependency hash generation unconditionally FIPS-safe
while preserving change-detection behavior.

Fixes: https://tracker.ceph.com/issues/76185
Signed-off-by: Kobi Ginon <kginon@redhat.com>
src/pybind/mgr/cephadm/services/cephadmservice.py
src/pybind/mgr/cephadm/services/ingress.py
src/pybind/mgr/cephadm/services/monitoring.py
src/pybind/mgr/cephadm/services/nfs.py
src/pybind/mgr/cephadm/utils.py

index 5a25837931d258258863da779cea21ec70761c0d..fc2c43943fa005608b62a451814a7099687bd5a7 100644 (file)
@@ -1343,7 +1343,7 @@ class RgwService(CephService):
         if ssl_cert:
             if isinstance(ssl_cert, list):
                 ssl_cert = '\n'.join(ssl_cert)
-            deps.append(f'ssl-cert:{str(utils.md5_hash(ssl_cert))}')
+            deps.append(f'ssl-cert:{utils.config_hash(ssl_cert)}')
 
         return sorted(deps)
 
index 59288256aa5f81110feab511601bb4625ff5ba66..1f044232ccdf848284a76178fe88b413f5b9bf89 100644 (file)
@@ -121,7 +121,7 @@ class IngressService(CephService):
             ssl_cert_key = getattr(ingress_spec, attr, None)
             if ssl_cert_key:
                 assert isinstance(ssl_cert_key, str)
-                deps.append(f'ssl-cert-key:{str(utils.md5_hash(ssl_cert_key))}')
+                deps.append(f'ssl-cert-key:{utils.config_hash(ssl_cert_key)}')
         backend_spec = mgr.spec_store[ingress_spec.backend_service].spec
         if backend_spec.service_type == 'nfs':
             hosts = get_placement_hosts(spec, mgr.cache.get_schedulable_hosts(), mgr.cache.get_draining_hosts())
index afbf9cd0ca0aef2c8ee5676df641591fd67e1802..438315a4118c2199d946057163bfb9d7444966d2 100644 (file)
@@ -113,7 +113,7 @@ class GrafanaService(CephadmService):
         # in case security is enabled we have to reconfig when prom user/pass changes
         prometheus_user, prometheus_password = mgr._get_prometheus_credentials()
         if security_enabled and prometheus_user and prometheus_password:
-            deps.append(f'cred:{utils.md5_hash(prometheus_user + prometheus_password)}')
+            deps.append(f'cred:{utils.config_hash(prometheus_user + prometheus_password)}')
 
         # adding a dependency for mgmt-gateway because the usage of url_prefix relies on its presence.
         # another dependency is added for oauth-proxy as Grafana login is delegated to this service when enabled.
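Review bot: The rewritten dependency line hashes `prometheus_user + prometheus_password` with no delimiter, so the user/password boundary is not part of the digest; the same pattern is rewritten in the AlertmanagerService and PrometheusService hunks below. A credential change that only moves characters across that boundary produces the same input and is invisible to change detection, which is remote but free to rule out, e.g. `deps.append(f'cred:{utils.config_hash(prometheus_user + ":" + prometheus_password)}')`. Since the switch away from md5 already changes the recorded string once on upgrade, adding the separator in the same commit costs no extra reconfig. The enclosing method starts and ends outside the hunk.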
@@ -307,7 +307,7 @@ class AlertmanagerService(CephadmService):
         if security_enabled:
             alertmanager_user, alertmanager_password = mgr._get_alertmanager_credentials()
             if alertmanager_user and alertmanager_password:
-                alertmgr_cred_hash = f'cred:{utils.md5_hash(alertmanager_user + alertmanager_password)}'
+                alertmgr_cred_hash = f'cred:{utils.config_hash(alertmanager_user + alertmanager_password)}'
                 deps.append(alertmgr_cred_hash)
 
         if not mgmt_gw_enabled:
@@ -667,9 +667,9 @@ class PrometheusService(CephadmService):
             alertmanager_user, alertmanager_password = mgr._get_alertmanager_credentials()
             prometheus_user, prometheus_password = mgr._get_prometheus_credentials()
             if prometheus_user and prometheus_password:
-                deps.append(f'prom-cred:{utils.md5_hash(prometheus_user + prometheus_password)}')
+                deps.append(f'prom-cred:{utils.config_hash(prometheus_user + prometheus_password)}')
             if alertmanager_user and alertmanager_password:
-                deps.append(f'alert-cred:{utils.md5_hash(alertmanager_user + alertmanager_password)}')
+                deps.append(f'alert-cred:{utils.config_hash(alertmanager_user + alertmanager_password)}')
 
         # Adding other services as deps (with corresponding justification):
         # mgmt-gateway : url_prefix depends on the existence of mgmt-gateway
index ffc4fff849b12baab7cb0467bcfe5eedc8541169..36e1b5452b1d311a83e0375cb560dbe4c7541e4c 100644 (file)
@@ -132,9 +132,9 @@ class NFSService(CephService):
         nfs_spec = cast(NFSServiceSpec, spec)
         # add dependency of tls fields
         if (spec.ssl and spec.ssl_cert and spec.ssl_key and spec.ssl_ca_cert):
-            deps.append(f'ssl_cert: {str(utils.md5_hash(spec.ssl_cert))}')
-            deps.append(f'ssl_key: {str(utils.md5_hash(spec.ssl_key))}')
-            deps.append(f'ssl_ca_cert: {str(utils.md5_hash(spec.ssl_ca_cert))}')
+            deps.append(f'ssl_cert: {utils.config_hash(spec.ssl_cert)}')
+            deps.append(f'ssl_key: {utils.config_hash(spec.ssl_key)}')
+            deps.append(f'ssl_ca_cert: {utils.config_hash(spec.ssl_ca_cert)}')
         deps.append(f'tls_ktls: {nfs_spec.tls_ktls}')
         deps.append(f'tls_debug: {nfs_spec.tls_debug}')
         deps.append(f'tls_min_version: {nfs_spec.tls_min_version}')
index b59b94e17ead1fda6f0a4849a3500ab900d85a3c..8221b950af4155fb79805ceff8bb96a15713c4c9 100644 (file)
@@ -187,10 +187,13 @@ def file_mode_to_str(mode: int) -> str:
     return r
 
 
-def md5_hash(input_value: str) -> str:
-    input_str = str(input_value).encode('utf-8')
-    hash_object = hashlib.md5(input_str)
-    return hash_object.hexdigest()
+def config_hash(input_value: str) -> str:
+    """
+    Short stable digest for config/dependency change detection.
+    Uses SHA-256 so this works on FIPS-enabled systems (MD5 may be blocked).
+    """
+    input_str = input_value.encode('utf-8')
+    return hashlib.sha256(input_str).hexdigest()[:8]
 
 
 def get_node_proxy_status_value(data: Any, key: str, lower: bool = False) -> str:
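Review bot: The new digest is the first 8 hex characters of SHA-256 (32 bits) where md5_hash returned a 32-character digest, so every stored dependency string built from it changes format; change detection is preserved going forward, but on upgrade each daemon whose deps carry an ssl-cert or cred entry (the rgw, ingress, monitoring and nfs hunks above) should be expected to reconfigure once, and that is worth stating in the commit message. The docstring should make the truncation and its purpose explicit, e.g. `First 8 hex chars (32 bits) of SHA-256 over the UTF-8 input; for change detection only, not an integrity check.`, and if nothing depends on the short form a 16-character prefix makes a masking collision negligible at no cost. Dropping the `str()` coercion also means a non-str argument now raises AttributeError instead of being stringified; the callers in this commit pass str, any caller outside these files, including any remaining user of the removed md5_hash, is unverified from here.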