From: Rabinarayan Panigrahi Date: Fri, 8 May 2026 05:34:39 +0000 (+0530) Subject: mgr/smb: Add ssl_certificates buffer for smb features X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=66fc26d43b77d8ed72186722b5e4f69447536364;p=ceph.git mgr/smb: Add ssl_certificates buffer for smb features Add ssl_certificates buffer for smb features like remote_control and keybridge. when certificate applied it stores as a feature name and SSLParameters as value where SSLParameters holds cert, key and ca-cert. Signed-off-by: Rabinarayan Panigrahi Signed-off-by: Avan Thakkar --- diff --git a/src/pybind/mgr/smb/handler.py b/src/pybind/mgr/smb/handler.py index 6f6954d0b2e..10364024181 100644 --- a/src/pybind/mgr/smb/handler.py +++ b/src/pybind/mgr/smb/handler.py @@ -20,7 +20,11 @@ import logging import time import ceph.smb.constants -from ceph.deployment.service_spec import SMBExternalCephCluster, SMBSpec +from ceph.deployment.service_spec import ( + SMBExternalCephCluster, + SMBSpec, + SSLParameters, +) from ceph.fs.earmarking import EarmarkTopScope from . import config_store, external, resources @@ -631,6 +635,7 @@ class ClusterConfigHandler: change_group.cluster.cluster_id, ) cluster = change_group.cluster + ssl_certificates: Dict[str, SSLParameters] = {} assert isinstance(cluster, resources.Cluster) # vols: hold the cephfs volumes our shares touch. some operations are # disabled/skipped unless we touch volumes. @@ -688,6 +693,7 @@ class ClusterConfigHandler: if change_group.ext_ceph_clusters: assert len(change_group.ext_ceph_clusters) == 1 ext_ceph_cluster = change_group.ext_ceph_clusters[0] + smb_spec = _generate_smb_service_spec( cluster, config_entries=config_entries, @@ -697,6 +703,7 @@ class ClusterConfigHandler: data_entity=cluster_conf.data_entity, needs_proxy=_has_proxied_vfs(change_group), ext_ceph_cluster=ext_ceph_cluster, + ssl_certificates=ssl_certificates, ) _save_pending_spec_backup(self.public_store, change_group, smb_spec) # if orch was ever needed in the past we must "re-orch", but if we have @@ -1058,6 +1065,7 @@ def _generate_smb_service_spec( data_entity: str = '', needs_proxy: bool = False, ext_ceph_cluster: Optional[resources.ExternalCephCluster], + ssl_certificates: Dict[str, SSLParameters], ) -> SMBSpec: features = [] if cluster.auth_mode == AuthMode.ACTIVE_DIRECTORY: @@ -1092,8 +1100,9 @@ def _generate_smb_service_spec( user_entities: Optional[List[str]] = None if data_entity: user_entities = [data_entity] + rc_cert = rc_key = rc_ca_cert = None - if cluster.remote_control_is_enabled: + if cluster.is_feature_enabled(_REMOTE_CONTROL): assert cluster.remote_control rc_cert = _tls_uri( cluster.remote_control.cert, tls_credential_entries @@ -1102,8 +1111,18 @@ def _generate_smb_service_spec( rc_ca_cert = _tls_uri( cluster.remote_control.ca_cert, tls_credential_entries ) + feature = ceph.smb.constants.FEATURE_FILE_NAMES.get(_REMOTE_CONTROL) + if feature is not None: + ssl_certificates[feature] = SSLParameters( + enabled=bool(rc_cert and rc_key), + ssl_cert=rc_cert, + ssl_key=rc_key, + ssl_ca_cert=rc_ca_cert, + certificate_source='uri', + ) + kb_cert = kb_key = kb_ca_cert = None - if cluster.keybridge_is_enabled: + if cluster.is_feature_enabled(_KEYBRIDGE): assert cluster.keybridge # type narrow # TODO: current all KMIP scopes must share the same tls creds # and that sucks. need to update keybridge to fetch cert URIs directly @@ -1122,6 +1141,16 @@ def _generate_smb_service_spec( kb_ca_cert = _tls_uri( kmip_scope.kmip_ca_cert, tls_credential_entries ) + feature = ceph.smb.constants.FEATURE_FILE_NAMES.get(_KEYBRIDGE) + if feature is not None: + ssl_certificates[feature] = SSLParameters( + enabled=bool(kb_cert and kb_key), + ssl_cert=kb_cert, + ssl_key=kb_key, + ssl_ca_cert=kb_ca_cert, + certificate_source='uri', + ) + ceph_cluster_configs = None if ext_ceph_cluster: exo = checked(ext_ceph_cluster.cluster) @@ -1134,7 +1163,6 @@ def _generate_smb_service_spec( key=exo.cephfs_user.key, ) ] - return SMBSpec( service_id=cluster.cluster_id, placement=cluster.placement, @@ -1148,12 +1176,7 @@ def _generate_smb_service_spec( cluster_public_addrs=cluster.service_spec_public_addrs(), custom_ports=cluster.custom_ports, bind_addrs=cluster.service_spec_bind_addrs(), - remote_control_ssl_cert=rc_cert, - remote_control_ssl_key=rc_key, - remote_control_ca_cert=rc_ca_cert, - keybridge_kmip_ssl_cert=kb_cert, - keybridge_kmip_ssl_key=kb_key, - keybridge_kmip_ca_cert=kb_ca_cert, + ssl_certificates=ssl_certificates or None, ceph_cluster_configs=ceph_cluster_configs, tunables=_service_spec_tunables(cluster), )