From: Sage Weil Date: Wed, 10 Mar 2021 19:58:09 +0000 (-0500) Subject: mgr/cephadm: remove ssl_frontend_ssl_key from RGWSpec X-Git-Tag: v16.2.0~73^2~32 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=60103d084872cebcfeaffc4f0549b651d0d57ea3;p=ceph.git mgr/cephadm: remove ssl_frontend_ssl_key from RGWSpec Since this didn't work anyway, stop collecting and passing through the private key portion of the certificate. Instead, users should include both in the first option. This is simpler, and provides consistency across civetweb and beast rgw backends (for whatever that is worth). NOTE: dashboard changes are not included here. Signed-off-by: Sage Weil (cherry picked from commit 4fe35117ce2349adc023604ead1c37c8680b90c4)
---
diff --git a/src/cephadm/samples/rgw_ssl.json b/src/cephadm/samples/rgw_ssl.json
index d3c45111a90..3fe6fea1c32 100644
--- a/src/cephadm/samples/rgw_ssl.json
+++ b/src/cephadm/samples/rgw_ssl.json
@@ -44,9 +44,7 @@
 "kWpZ2ypBDH45h2o3LyqvGjsu/BFkeG6JpEDCWbClKWcjKxOrLVDufhSDduffDjja",
 "zOsgQJg0Yf//Ubb5p0c54GjHM/XDXEcV3m3sEtbmMYz6xGwuag4bx8P2E/QY8sFp",
 "JxgIdS8vdl6YhDCjKJ2XzI30JwCdftgDIAiWSE0ivoDc+8+gG1nb11GT52HFzA==",
- "-----END CERTIFICATE-----"
- ],
- "rgw_frontend_ssl_key": [
+ "-----END CERTIFICATE-----",
 "-----BEGIN PRIVATE KEY-----",
 "MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDKbRiedt0JBG3N",
 "+82vIrgk2oY9Ga+ocvk6El/1X3c8Y4mB7g9j4mWciQe7dnjqogPLEOTeddxFLX9m",
diff --git a/src/pybind/mgr/cephadm/services/cephadmservice.py b/src/pybind/mgr/cephadm/services/cephadmservice.py
index af435af542e..c9e84c8b2d5 100644
--- a/src/pybind/mgr/cephadm/services/cephadmservice.py
+++ b/src/pybind/mgr/cephadm/services/cephadmservice.py
@@ -714,25 +714,10 @@ class RgwService(CephService): % spec.rgw_frontend_ssl_certificate) ret, out, err = self.mgr.check_mon_command({ 'prefix': 'config-key set', - 'key': f'rgw/cert/{spec.service_name()}.crt', + 'key': f'rgw/cert/{spec.service_name()}.crt', # NOTE: actually a .pem! 'val': cert_data, }) - if spec.rgw_frontend_ssl_key: - if isinstance(spec.rgw_frontend_ssl_key, list): - key_data = '\n'.join(spec.rgw_frontend_ssl_key) - elif isinstance(spec.rgw_frontend_ssl_certificate, str): - key_data = spec.rgw_frontend_ssl_key - else: - raise OrchestratorError( - 'Invalid rgw_frontend_ssl_key: %s' - % spec.rgw_frontend_ssl_key) - ret, out, err = self.mgr.check_mon_command({ - 'prefix': 'config-key set', - 'key': f'rgw/cert/{spec.service_name()}.key', - 'val': key_data, - }) - # TODO: fail, if we don't have a spec logger.info('Saving service %s spec with placement %s' % ( spec.service_name(), spec.placement.pretty_str())) @@ -750,7 +735,6 @@ class RgwService(CephService): if spec.ssl: args.append(f"ssl_port={daemon_spec.ports[0]}") args.append(f"ssl_certificate=config://rgw/cert/{spec.service_name()}.crt") - args.append(f"ssl_private_key=config://rgw/cert/{spec.service_name()}.key") else: args.append(f"port={daemon_spec.ports[0]}") frontend = f'beast {" ".join(args)}' diff --git a/src/python-common/ceph/deployment/service_spec.py b/src/python-common/ceph/deployment/service_spec.py index b6a3869a860..66e4a5f07c1 100644 --- a/src/python-common/ceph/deployment/service_spec.py +++ b/src/python-common/ceph/deployment/service_spec.py @@ -703,7 +703,6 @@ class RGWSpec(ServiceSpec): rgw_zone: Optional[str] = None, rgw_frontend_port: Optional[int] = None, rgw_frontend_ssl_certificate: Optional[List[str]] = None, - rgw_frontend_ssl_key: Optional[List[str]] = None, unmanaged: bool = False, ssl: bool = False, preview_only: bool = False, 
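Review bot: Nothing in this hunk removes the `rgw/cert/{spec.service_name()}.key` entry that the deleted branch used to write, so a cluster that already applied a spec with `rgw_frontend_ssl_key` would keep that private key in the mon config-key store after upgrade, unless it is cleaned up elsewhere. A `config-key rm` for that key next to the `config-key set` would close this. The `.crt` entry now holds the private key as well, so the trailing `# NOTE: actually a .pem!` is better as a comment above the call, e.g. `# value is certificate + private key (PEM); treat this config-key entry as secret`. The service_spec.py hunks drop `rgw_frontend_ssl_key` from `RGWSpec.__init__`, so a stored spec that still carries the field may fail to load if it is passed through as a keyword argument; the loader is not visible here. The enclosing method starts and ends outside the hunk.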
@@ -725,7 +724,6 @@ class RGWSpec(ServiceSpec): self.rgw_zone = rgw_zone self.rgw_frontend_port = rgw_frontend_port self.rgw_frontend_ssl_certificate = rgw_frontend_ssl_certificate - self.rgw_frontend_ssl_key = rgw_frontend_ssl_key self.ssl = ssl def get_port_start(self) -> Optional[int]: