From: Sage Weil Date: Wed, 10 Mar 2021 19:58:09 +0000 (-0500) Subject: mgr/cephadm: remove ssl_frontend_ssl_key from RGWSpec X-Git-Tag: v17.1.0~2601^2~6 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=4fe35117ce2349adc023604ead1c37c8680b90c4;p=ceph.git mgr/cephadm: remove ssl_frontend_ssl_key from RGWSpec Since this didn't work anyway, stop collecting and passing through the private key portion of the certificate. Instead, users should include both in the first option. This is simpler, and provides consistency across civetweb and beast rgw backends (for whatever that is worth). NOTE: dashboard changes are not included here. Signed-off-by: Sage Weil
---
diff --git a/src/cephadm/samples/rgw_ssl.json b/src/cephadm/samples/rgw_ssl.json
index d3c45111a90d8..3fe6fea1c3275 100644
--- a/src/cephadm/samples/rgw_ssl.json
+++ b/src/cephadm/samples/rgw_ssl.json
@@ -44,9 +44,7 @@
 "kWpZ2ypBDH45h2o3LyqvGjsu/BFkeG6JpEDCWbClKWcjKxOrLVDufhSDduffDjja",
 "zOsgQJg0Yf//Ubb5p0c54GjHM/XDXEcV3m3sEtbmMYz6xGwuag4bx8P2E/QY8sFp",
 "JxgIdS8vdl6YhDCjKJ2XzI30JwCdftgDIAiWSE0ivoDc+8+gG1nb11GT52HFzA==",
- "-----END CERTIFICATE-----"
- ],
- "rgw_frontend_ssl_key": [
+ "-----END CERTIFICATE-----",
 "-----BEGIN PRIVATE KEY-----",
 "MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDKbRiedt0JBG3N",
 "+82vIrgk2oY9Ga+ocvk6El/1X3c8Y4mB7g9j4mWciQe7dnjqogPLEOTeddxFLX9m",
diff --git a/src/pybind/mgr/cephadm/services/cephadmservice.py b/src/pybind/mgr/cephadm/services/cephadmservice.py
index 2510e45afda2b..4606247997345 100644
--- a/src/pybind/mgr/cephadm/services/cephadmservice.py
+++ b/src/pybind/mgr/cephadm/services/cephadmservice.py
@@ -714,25 +714,10 @@ class RgwService(CephService): % spec.rgw_frontend_ssl_certificate) ret, out, err = self.mgr.check_mon_command({ 'prefix': 'config-key set', - 'key': f'rgw/cert/{spec.service_name()}.crt', + 'key': f'rgw/cert/{spec.service_name()}.crt', # NOTE: actually a .pem! 'val': cert_data, }) - if spec.rgw_frontend_ssl_key: - if isinstance(spec.rgw_frontend_ssl_key, list): - key_data = '\n'.join(spec.rgw_frontend_ssl_key) - elif isinstance(spec.rgw_frontend_ssl_certificate, str): - key_data = spec.rgw_frontend_ssl_key - else: - raise OrchestratorError( - 'Invalid rgw_frontend_ssl_key: %s' - % spec.rgw_frontend_ssl_key) - ret, out, err = self.mgr.check_mon_command({ - 'prefix': 'config-key set', - 'key': f'rgw/cert/{spec.service_name()}.key', - 'val': key_data, - }) - # TODO: fail, if we don't have a spec logger.info('Saving service %s spec with placement %s' % ( spec.service_name(), spec.placement.pretty_str())) @@ -750,7 +735,6 @@ class RgwService(CephService): if spec.ssl: args.append(f"ssl_port={daemon_spec.ports[0]}") args.append(f"ssl_certificate=config://rgw/cert/{spec.service_name()}.crt") - args.append(f"ssl_private_key=config://rgw/cert/{spec.service_name()}.key") else: args.append(f"port={daemon_spec.ports[0]}") frontend = f'beast {" ".join(args)}' diff --git a/src/python-common/ceph/deployment/service_spec.py b/src/python-common/ceph/deployment/service_spec.py index 339dbe0a48340..1c45780778c49 100644 --- a/src/python-common/ceph/deployment/service_spec.py +++ b/src/python-common/ceph/deployment/service_spec.py @@ -707,7 +707,6 @@ class RGWSpec(ServiceSpec): rgw_zone: Optional[str] = None, rgw_frontend_port: Optional[int] = None, rgw_frontend_ssl_certificate: Optional[List[str]] = None, - rgw_frontend_ssl_key: Optional[List[str]] = None, unmanaged: bool = False, ssl: bool = False, preview_only: bool = False, 
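Review bot: The context line `% spec.rgw_frontend_ssl_certificate)` at the top of the first cephadmservice.py hunk appears to be the tail of the invalid-type error, and now that this field is expected to carry the private key as well, that message would interpolate key material into an `OrchestratorError` that may reach logs or CLI output. The statement begins outside the hunk, so this is inferred from the parallel removed branch `'Invalid rgw_frontend_ssl_key: %s'`. I would report the type rather than the value, e.g. `'Invalid rgw_frontend_ssl_certificate: expected str or list, got %s' % type(spec.rgw_frontend_ssl_certificate).__name__`. The new inline comment could also say what the value holds: `# NOTE: PEM bundle (certificate + private key) despite the .crt suffix`.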
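Review bot: Once `ssl_private_key=config://rgw/cert/{spec.service_name()}.key` is dropped in the second cephadmservice.py hunk, nothing visible in this commit removes an already-stored `rgw/cert/<service>.key` entry, so clusters that applied the old spec keep an unreferenced private key in the config-key store. Unless cleanup happens elsewhere, a best-effort removal next to the `config-key set` in the previous hunk would close that gap: `{'prefix': 'config-key rm', 'key': f'rgw/cert/{spec.service_name()}.key'}`, tolerating a missing key. Separately, since the frontend now has no other source for the key, it would help to reject at apply time a certificate value that contains no `PRIVATE KEY` block rather than letting the daemon fail at startup. The enclosing function starts and ends outside the hunk.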
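Review bot: Removing `rgw_frontend_ssl_key` from the middle of the `RGWSpec.__init__` signature makes any caller or stored spec that still supplies it fail with a `TypeError`, and a positional caller would silently shift `unmanaged`, `ssl` and `preview_only`. The commit message notes that the dashboard changes are not included, so at least one producer may still send the field. If specs are rebuilt from persisted JSON by keyword expansion (not visible here), consider handling the legacy key explicitly with an error that tells the user to append the key to `rgw_frontend_ssl_certificate`. The class documentation should also state that this field is now a PEM bundle including the private key. The signature continues outside the hunk, and the later hunk that drops `self.rgw_frontend_ssl_key` is the same change.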
@@ -729,7 +728,6 @@ class RGWSpec(ServiceSpec): self.rgw_zone = rgw_zone self.rgw_frontend_port = rgw_frontend_port self.rgw_frontend_ssl_certificate = rgw_frontend_ssl_certificate - self.rgw_frontend_ssl_key = rgw_frontend_ssl_key self.ssl = ssl def get_port_start(self) -> Optional[int]: