From: Adam King Date: Tue, 6 Feb 2024 00:18:00 +0000 (-0500) Subject: mgr/cephadm: move alertmanager crt/key to cert store X-Git-Tag: testing/wip-jcollin-testing-20240718.061041-squid~10^2~14 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=4b08c603d2ccda5cd21c8bf7cf0f6d36d6767a1a;p=ceph-ci.git mgr/cephadm: move alertmanager crt/key to cert store We weren't actually even storing these before, but given we want to be able to offer some more cert management options in the future, it's good to start doing so Signed-off-by: Adam King (cherry picked from commit 6ae8c5ae645851dbb6981ede9ae3d0b4dd8e511e)
---
diff --git a/src/pybind/mgr/cephadm/services/monitoring.py b/src/pybind/mgr/cephadm/services/monitoring.py
index dca7985fe22..dd9951bdffb 100644
--- a/src/pybind/mgr/cephadm/services/monitoring.py
+++ b/src/pybind/mgr/cephadm/services/monitoring.py
@@ -315,8 +315,13 @@ class AlertmanagerService(CephadmService):
 deps.append(f'{hash(alertmanager_user + alertmanager_password)}')
 node_ip = self.mgr.inventory.get_addr(daemon_spec.host)
 host_fqdn = self._inventory_get_fqdn(daemon_spec.host)
- cert, key = self.mgr.http_server.service_discovery.ssl_certs.generate_cert(
- host_fqdn, node_ip)
+ cert = self.mgr.cert_key_store.get_cert('alertmanager_cert', host=daemon_spec.host)
+ key = self.mgr.cert_key_store.get_key('alertmanager_key', host=daemon_spec.host)
+ if not (cert and key):
+ cert, key = self.mgr.http_server.service_discovery.ssl_certs.generate_cert(
+ host_fqdn, node_ip)
+ self.mgr.cert_key_store.save_cert('alertmanager_cert', cert, host=daemon_spec.host)
+ self.mgr.cert_key_store.save_key('alertmanager_key', key, host=daemon_spec.host)
 context = {
 'alertmanager_web_user': alertmanager_user,
 'alertmanager_web_password': password_hash(alertmanager_password),
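Review bot: The reuse branch `if not (cert and key):` only tests that both values are present, so a stored pair keeps being served after the certificate expires or after `host_fqdn`/`node_ip` change for that host, whereas the removed code issued a fresh pair on each pass through this path. Unless `cert_key_store` validates entries somewhere not visible here, the stored certificate should be checked against the current name, address and validity period before reuse. At minimum the limitation should be recorded next to the branch, e.g. `# stored cert is reused as-is: not re-checked for expiry or against host_fqdn/node_ip`. The private key is now persisted through `save_key`, so whoever can read the store can read the alertmanager TLS key, which is worth stating in the method's documentation. The enclosing method starts and ends outside the hunk.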
@@ -361,6 +366,15 @@ class AlertmanagerService(CephadmService):
 service_url
 )
 
+ def pre_remove(self, daemon: DaemonDescription) -> None:
+ """
+ Called before alertmanager daemon is removed.
+ """
+ if daemon.hostname is not None:
+ # delete cert/key entires for this grafana daemon
+ self.mgr.cert_key_store.rm_cert('alertmanager_cert', host=daemon.hostname)
+ self.mgr.cert_key_store.rm_key('alertmanager_key', host=daemon.hostname)
+
 def ok_to_stop(self,
 daemon_ids: List[str],
 force: bool = False,
diff --git a/src/pybind/mgr/cephadm/tests/test_services.py b/src/pybind/mgr/cephadm/tests/test_services.py
index 42016a03037..b32ca1f1188 100644
--- a/src/pybind/mgr/cephadm/tests/test_services.py
+++ b/src/pybind/mgr/cephadm/tests/test_services.py
@@ -692,6 +692,9 @@ class TestMonitoring:
 use_current_daemon_image=False,
 )
 
+ assert cephadm_module.cert_key_store.get_cert('alertmanager_cert', host='test') == 'mycert'
+ assert cephadm_module.cert_key_store.get_key('alertmanager_key', host='test') == 'mykey'
+
 @patch("cephadm.serve.CephadmServe._run_cephadm")
 @patch("cephadm.module.CephadmOrchestrator.get_mgr_ip", lambda _: '::1')
 def test_prometheus_config_security_disabled(self, _run_cephadm, cephadm_module: CephadmOrchestrator):
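Review bot: The comment inside the new `pre_remove` names the wrong service and misspells "entries", which looks like a carry-over from another service class; it should read `# delete cert/key entries for this alertmanager daemon`. When `daemon.hostname` is `None` the method returns without touching the store, so the private key saved for that daemon silently outlives it. A log line in that branch would make the leftover key material visible to operators, and the docstring should say that removal is keyed by hostname.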
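Review bot: The two added assertions in `TestMonitoring` cover only the first-generation path, where the pair is created and saved. Nothing here checks that a second config generation reuses the stored pair rather than calling `generate_cert` again, or that `pre_remove` clears both entries. Since the key is now persisted, the removal path is the one worth pinning, for example `assert not cephadm_module.cert_key_store.get_key('alertmanager_key', host='test')` after the daemon is removed. The values `'mycert'` and `'mykey'` presumably come from a patched `generate_cert` set up earlier in the test, which starts outside the hunk.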