From: Redouane Kachach
Date: Fri, 25 Apr 2025 07:38:46 +0000 (+0200)
Subject: mgr/cepahdm: adapting oauth2-proxy service to use the new cert mgmt
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=4f03347296f6d3e7f8dc174d84e68fa474577276;p=ceph.git
mgr/cepahdm: adapting oauth2-proxy service to use the new cert mgmt
Signed-off-by: Redouane Kachach
---
diff --git a/src/pybind/mgr/cephadm/services/oauth2_proxy.py b/src/pybind/mgr/cephadm/services/oauth2_proxy.py
index a1f19b73fbde..5a36b5a6adb3 100644
--- a/src/pybind/mgr/cephadm/services/oauth2_proxy.py
+++ b/src/pybind/mgr/cephadm/services/oauth2_proxy.py
@@ -20,6 +20,7 @@ class OAuth2ProxyService(CephadmService):
 def prepare_create(self, daemon_spec: CephadmDaemonDeploySpec) -> CephadmDaemonDeploySpec:
 assert self.TYPE == daemon_spec.daemon_type
+ super().prepare_create(daemon_spec)
 daemon_spec.final_config, daemon_spec.deps = self.generate_config(daemon_spec)
 return daemon_spec
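Review bot: The added `super().prepare_create(daemon_spec)` discards the base method's return value and has no comment explaining why it must run before `generate_config`, which later in this patch obtains the TLS pair through `self.get_certificates(daemon_spec)`. The base class is not shown here, so the dependency is only inferred; if the base call is what prepares the certificate state for this daemon, state that ordering next to the call, e.g. `# must run before generate_config(): sets up the cert-mgmt state that get_certificates() reads`. If the base method can return a different spec object, the result should be assigned back to `daemon_spec` rather than dropped.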
@@ -58,29 +59,6 @@ class OAuth2ProxyService(CephadmService):
 # if empty list provided, return empty Daemon Desc
 return DaemonDescription()
- def get_certificates(self, svc_spec: OAuth2ProxySpec, daemon_spec: CephadmDaemonDeploySpec) -> Tuple[str, str]:
- cert = self.mgr.cert_mgr.get_cert('oauth2_proxy_cert')
- key = self.mgr.cert_mgr.get_key('oauth2_proxy_key')
- user_made = False
- if not (cert and key):
- # not available on store, check if provided on the spec
- if svc_spec.ssl_cert and svc_spec.ssl_key:
- user_made = True
- cert = svc_spec.ssl_cert
- key = svc_spec.ssl_key
- else:
- # not provided on the spec, let's generate self-sigend certificates
- addr = self.mgr.inventory.get_addr(daemon_spec.host)
- host_fqdn = self.mgr.get_fqdn(daemon_spec.host)
- cert, key = self.mgr.cert_mgr.generate_cert(host_fqdn, addr)
- # save certificates
- if cert and key:
- self.mgr.cert_mgr.save_cert('oauth2_proxy_cert', cert, user_made=user_made)
- self.mgr.cert_mgr.save_key('oauth2_proxy_key', key, user_made=user_made)
- else:
- logger.error("Failed to obtain certificate and key from mgmt-gateway.")
- return cert, key
-
 def generate_config(self, daemon_spec: CephadmDaemonDeploySpec) -> Tuple[Dict[str, Any], List[str]]:
 assert self.TYPE == daemon_spec.daemon_type
 svc_spec = cast(OAuth2ProxySpec, self.mgr.spec_store[daemon_spec.service_name].spec)
@@ -93,21 +71,13 @@ class OAuth2ProxyService(CephadmService):
 'redirect_url': svc_spec.redirect_url or self.get_redirect_url()
 }
- cert, key = self.get_certificates(svc_spec, daemon_spec)
+ tls_pair = self.get_certificates(daemon_spec)
 daemon_config = {
 "files": {
 "oauth2-proxy.conf": self.mgr.template.render(self.SVC_TEMPLATE_PATH, context),
- "oauth2-proxy.crt": cert,
- "oauth2-proxy.key": key,
+ "oauth2-proxy.crt": tls_pair.cert,
+ "oauth2-proxy.key": tls_pair.key,
 }
 }
 return daemon_config, sorted(OAuth2ProxyService.get_dependencies(self.mgr))
-
- def post_remove(self, daemon: DaemonDescription, is_failed_deploy: bool) -> None:
- """
- Called before mgmt-gateway daemon is removed.
- """
- # delete cert/key entires for this mgmt-gateway daemon
- self.mgr.cert_mgr.rm_cert('oauth2_proxy_cert')
- self.mgr.cert_mgr.rm_key('oauth2_proxy_key')
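Review bot: The result of `tls_pair = self.get_certificates(daemon_spec)` is written straight into `oauth2-proxy.crt` and `oauth2-proxy.key` with no check that either field is populated, whereas the removed local helper at least logged an error when no pair could be obtained. The inherited `get_certificates` is not visible here, so if it can return an empty cert or key the daemon would be deployed with blank TLS files. A guard such as `if not (tls_pair.cert and tls_pair.key): raise OrchestratorError(f'no TLS cert/key for {daemon_spec.service_name}')` would make that failure explicit, assuming `OrchestratorError` is in scope in this module. This section also drops `post_remove`, which deleted `oauth2_proxy_cert` and `oauth2_proxy_key` from the cert store, so it is worth confirming that the new cert management removes the private key when the service is deleted and still honours `ssl_cert`/`ssl_key` from the spec. `generate_config` starts outside this hunk.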