From: Adam King Date: Tue, 6 Feb 2024 00:18:00 +0000 (-0500) Subject: mgr/cephadm: move alertmanager crt/key to cert store X-Git-Tag: testing/wip-pdonnell-testing-20240703.143006-debug~16^2~6 X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=6ae8c5ae645851dbb6981ede9ae3d0b4dd8e511e;p=ceph-ci.git mgr/cephadm: move alertmanager crt/key to cert store We weren't actually even storing these before, but given we want to be able to offer some more cert management options in the future, it's good to start doing so Signed-off-by: Adam King
---
diff --git a/src/pybind/mgr/cephadm/services/monitoring.py b/src/pybind/mgr/cephadm/services/monitoring.py
index dca7985fe22..dd9951bdffb 100644
--- a/src/pybind/mgr/cephadm/services/monitoring.py
+++ b/src/pybind/mgr/cephadm/services/monitoring.py
@@ -315,8 +315,13 @@ class AlertmanagerService(CephadmService):
 deps.append(f'{hash(alertmanager_user + alertmanager_password)}')
 node_ip = self.mgr.inventory.get_addr(daemon_spec.host)
 host_fqdn = self._inventory_get_fqdn(daemon_spec.host)
- cert, key = self.mgr.http_server.service_discovery.ssl_certs.generate_cert(
- host_fqdn, node_ip)
+ cert = self.mgr.cert_key_store.get_cert('alertmanager_cert', host=daemon_spec.host)
+ key = self.mgr.cert_key_store.get_key('alertmanager_key', host=daemon_spec.host)
+ if not (cert and key):
+ cert, key = self.mgr.http_server.service_discovery.ssl_certs.generate_cert(
+ host_fqdn, node_ip)
+ self.mgr.cert_key_store.save_cert('alertmanager_cert', cert, host=daemon_spec.host)
+ self.mgr.cert_key_store.save_key('alertmanager_key', key, host=daemon_spec.host)
 context = {
 'alertmanager_web_user': alertmanager_user,
 'alertmanager_web_password': password_hash(alertmanager_password),
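Review bot: A pair read back from `cert_key_store` is reused without any validity check: the only trigger for regeneration is `if not (cert and key):`, so a stored certificate that has expired, or that was issued for an earlier `host_fqdn`/`node_ip` of this host, keeps being deployed. Now that the store makes the pair long-lived, I would check the stored certificate's expiry and its names against the current `host_fqdn` and `node_ip` before reuse, or at least record the limitation with `# stored pair is reused as-is; expiry and host_fqdn/node_ip are not re-checked here`. The commit also persists the private key for the first time, so read access to whatever backs `cert_key_store` becomes read access to the key; the backing store is not visible in this hunk and is worth confirming. The enclosing method starts and ends outside the hunk.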
@@ -361,6 +366,15 @@ class AlertmanagerService(CephadmService):
 service_url
 )
 
+ def pre_remove(self, daemon: DaemonDescription) -> None:
+ """
+ Called before alertmanager daemon is removed.
+ """
+ if daemon.hostname is not None:
+ # delete cert/key entires for this grafana daemon
+ self.mgr.cert_key_store.rm_cert('alertmanager_cert', host=daemon.hostname)
+ self.mgr.cert_key_store.rm_key('alertmanager_key', host=daemon.hostname)
+
 def ok_to_stop(self,
 daemon_ids: List[str],
 force: bool = False,
diff --git a/src/pybind/mgr/cephadm/tests/test_services.py b/src/pybind/mgr/cephadm/tests/test_services.py
index 07d009c2487..ef3476142ee 100644
--- a/src/pybind/mgr/cephadm/tests/test_services.py
+++ b/src/pybind/mgr/cephadm/tests/test_services.py
@@ -692,6 +692,9 @@ class TestMonitoring:
 use_current_daemon_image=False,
 )
 
+ assert cephadm_module.cert_key_store.get_cert('alertmanager_cert', host='test') == 'mycert'
+ assert cephadm_module.cert_key_store.get_key('alertmanager_key', host='test') == 'mykey'
+
 @patch("cephadm.serve.CephadmServe._run_cephadm")
 @patch("cephadm.module.CephadmOrchestrator.get_mgr_ip", lambda _: '::1')
 def test_prometheus_config_security_disabled(self, _run_cephadm, cephadm_module: CephadmOrchestrator):
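Review bot: The inline comment in `pre_remove` names the wrong service: `# delete cert/key entires for this grafana daemon` sits in `AlertmanagerService` and should read `# delete cert/key entries for this alertmanager daemon`. Separately, when `daemon.hostname` is `None` the method removes nothing and reports nothing, so any stored `alertmanager_key` for that daemon stays in the store unnoticed; a log message on that branch would make leftover key material discoverable. The docstring could say what the hook actually does, for example `Remove the stored alertmanager cert/key for the daemon's host before the daemon is removed.`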
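Review bot: The two added assertions cover only the generate-and-save path; the new reuse branch (a pair already present in `cert_key_store`, so `generate_cert` should not run) and the `pre_remove` cleanup have no test in this commit. One case that pre-populates the store with `save_cert`/`save_key` and asserts that the deployed config carries those values, and one that calls `pre_remove` and asserts `get_cert` and `get_key` then return a falsy value, would pin both behaviours. The test method starts outside the hunk, so I am assuming `'mycert'` and `'mykey'` come from a patched `generate_cert`.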