From: Adam King <47704447+adk3798@users.noreply.github.com>
Date: Tue, 25 Mar 2025 14:29:59 +0000 (-0400)
Subject: Merge pull request #61727 from Kushal-deb/fix_issue_2330954-RGW_is_not_adding_a_SAN
X-Git-Tag: v20.3.0~273
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=3f1fb2ec34a92ab1e957c992345fecb34cbf4fa3;p=ceph.git
Merge pull request #61727 from Kushal-deb/fix_issue_2330954-RGW_is_not_adding_a_SAN
cephadm: Ensure wildcard SAN is included in RGW self-signed certs
Reviewed-by: Adam King
---
3f1fb2ec34a92ab1e957c992345fecb34cbf4fa3
diff --cc src/pybind/mgr/cephadm/services/cephadmservice.py
index b290d0c1924,0a9886b9278..072e80ac684
--- a/src/pybind/mgr/cephadm/services/cephadmservice.py
+++ b/src/pybind/mgr/cephadm/services/cephadmservice.py
@@@ -1095,20 -1075,18 +1098,23 @@@ class RgwService(CephService)
# this is a redeploy of older instance that doesn't have an explicitly
# assigned port, in which case we can assume there is only 1 per host
# and it matches the spec.
- port = spec.get_port()
+ ports = spec.get_port()
+ if spec.ssl:
+ port = ports[1] if len(ports) > 1 else ports[0]
+ else:
+ port = ports[0]
if spec.generate_cert:
+ san_list = spec.zonegroup_hostnames or []
+ custom_san_list = san_list + [f"*.{h}" for h in san_list] if spec.wildcard_enabled else san_list
+ cert, key = self.mgr.cert_mgr.generate_cert(
daemon_spec.host,
self.mgr.inventory.get_addr(daemon_spec.host),
- custom_san_list=spec.zonegroup_hostnames
+ custom_san_list=custom_san_list
)
pem = ''.join([key, cert])
+ self.mgr.cert_mgr.save_cert('rgw_frontend_ssl_cert', pem, service_name=spec.service_name())
ret, out, err = self.mgr.check_mon_command({
'prefix': 'config-key set',
'key': f'rgw/cert/{daemon_spec.name()}',
diff --cc src/python-common/ceph/deployment/service_spec.py
index 8fe2f1e3d0c,bca85b58a2d..c35111f7184
--- a/src/python-common/ceph/deployment/service_spec.py
+++ b/src/python-common/ceph/deployment/service_spec.py
@@@ -1288,31 -1289,18 +1289,32 @@@ class RGWSpec(ServiceSpec)
self.generate_cert = generate_cert
#: Used to make RGW not do multisite replication so it can dedicate to IO
self.disable_multisite_sync_traffic = disable_multisite_sync_traffic
+ self.wildcard_enabled = wildcard_enabled
def get_port_start(self) -> List[int]:
- return [self.get_port()]
+ ports = self.get_port()
+ return ports
- def get_port(self) -> int:
+ def get_port(self) -> List[int]:
+ ports = []
if self.rgw_frontend_port:
- return self.rgw_frontend_port
- if self.ssl:
- return 443
- else:
- return 80
+ ports.append(self.rgw_frontend_port)
+
+ ssl_port = next(
+ (
+ int(arg.split('=')[1])
+ for arg in (self.rgw_frontend_extra_args or [])
+ if arg.startswith("ssl_port=")
+ ),
+ None,
+ )
+
+ if self.ssl and ssl_port:
+ ports.append(ssl_port)
+ if not ports:
+ ports.append(443 if self.ssl else 80)
+
+ return ports
def validate(self) -> None:
super(RGWSpec, self).validate()
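Review bot: The `custom_san_list` line in the cephadmservice.py hunk leans on operator precedence (`san_list + [...]` binds tighter than the conditional expression) and the wildcard entries it appends are not explained, so a reader cannot tell at a glance that the self-signed cert becomes valid for every subdomain of each zonegroup hostname. I would parenthesize and annotate it: `# wildcard_enabled adds "*.<hostname>" for each zonegroup hostname, so the cert also covers arbitrary subdomains` followed by `custom_san_list = (san_list + [f"*.{h}" for h in san_list]) if spec.wildcard_enabled else san_list`. The `port = ports[1] if len(ports) > 1 else ports[0]` selection a few lines above silently depends on `get_port()` listing `rgw_frontend_port` first and the `ssl_port=` value second; a one-line comment stating that contract, e.g. `# get_port() orders [rgw_frontend_port, ssl_port]; prefer the TLS port when both exist`, would keep the two files from drifting apart. The enclosing method starts before this hunk and its body continues after it.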
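Review bot: In the new `get_port()` in service_spec.py, `int(arg.split('=')[1])` raises an uncaught `ValueError` for a malformed `rgw_frontend_extra_args` entry such as `ssl_port=` or `ssl_port=abc`, and because `get_port()` is now called from `get_port_start()` that error surfaces wherever ports are consulted rather than as a spec validation failure; moving the parse into `validate()` and reporting a clear validation error there would keep a bad extra arg from breaking unrelated code paths, and `arg.split('=', 1)[1]` is the safer split in either place. Note also that `get_port()` changed its return type from `int` to `List[int]`; the hunk updates `get_port_start()`, but any other caller of `get_port()` outside this diff that still expects an int would presumably need the same adjustment. A brief docstring on `get_port()` stating the order of the returned list (`rgw_frontend_port` first, then the TLS port from `ssl_port=` when `ssl` is set, or the 443/80 default when neither is given) would document the contract the cephadm side now relies on.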