From: Guillaume Abrioux Date: Tue, 27 Jan 2026 14:50:46 +0000 (+0100) Subject: mgr/cephadm: add certificate support and service spec for node-proxy X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=77135de7050bd21af88e31e244ff993f2f8873fa;p=ceph.git mgr/cephadm: add certificate support and service spec for node-proxy This adds the proper certificate management and service spec support for the node-proxy service. It enables proper SSL certificate handling for node-proxy daemons deployed via cephadm. Fixes: https://tracker.ceph.com/issues/74587 Signed-off-by: Guillaume Abrioux
---
diff --git a/src/pybind/mgr/cephadm/module.py b/src/pybind/mgr/cephadm/module.py
index aec32f1fb7b0..91789c8673b4 100644
--- a/src/pybind/mgr/cephadm/module.py
+++ b/src/pybind/mgr/cephadm/module.py
@@ -3825,6 +3825,7 @@ Then run the following:
 'jaeger-agent': PlacementSpec(host_pattern='*'),
 'jaeger-collector': PlacementSpec(count=1),
 'jaeger-query': PlacementSpec(count=1),
+ 'node-proxy': PlacementSpec(host_pattern='*'),
 SMBService.TYPE: PlacementSpec(count=1),
 }
 spec.placement = defaults[spec.service_type]
diff --git a/src/pybind/mgr/cephadm/services/node_proxy.py b/src/pybind/mgr/cephadm/services/node_proxy.py
index 299a606c58b7..a760c223352d 100644
--- a/src/pybind/mgr/cephadm/services/node_proxy.py
+++ b/src/pybind/mgr/cephadm/services/node_proxy.py
@@ -26,6 +26,7 @@ class NodeProxy(CephService):
 if not self.mgr.http_server.agent:
 raise OrchestratorError('Cannot deploy node-proxy before creating cephadm endpoint')
+ super().register_for_certificates(daemon_spec)
 keyring = self.get_keyring_with_caps(self.get_auth_entity(daemon_id, host=host), [])
 daemon_spec.keyring = keyring
 self.mgr.node_proxy_cache.update_keyring(host, keyring)
diff --git a/src/python-common/ceph/deployment/service_spec.py b/src/python-common/ceph/deployment/service_spec.py
index 932044741ca6..0dd5a286d892 100644
--- a/src/python-common/ceph/deployment/service_spec.py
+++ b/src/python-common/ceph/deployment/service_spec.py
@@ -873,6 +873,7 @@ class ServiceSpec(object):
 'alertmanager': {'user_cert_allowed': False, 'scope': 'host', 'requires_ca_cert': False},
 'ceph-exporter': {'user_cert_allowed': False, 'scope': 'host', 'requires_ca_cert': False},
 'node-exporter': {'user_cert_allowed': False, 'scope': 'host', 'requires_ca_cert': False},
+ 'node-proxy': {'user_cert_allowed': False, 'scope': 'host', 'requires_ca_cert': False},
 # 'loki' : {'user_cert_allowed': False, 'scope': 'host'},
 # 'promtail' : {'user_cert_allowed': False, 'scope': 'host'},
 # 'jaeger-agent': {'user_cert_allowed': False, 'scope': 'host'},
@@ -912,6 +913,7 @@ class ServiceSpec(object):
 'jaeger-collector': TracingSpec,
 'jaeger-query': TracingSpec,
 'jaeger-tracing': TracingSpec,
+ 'node-proxy': NodeProxySpec,
 SMBSpec.service_type: SMBSpec,
 }.get(service_type, cls)
 if ret == ServiceSpec and not service_type:
@@ -3890,4 +3892,15 @@ class SMBSpec(ServiceSpec):
 return obj
+class NodeProxySpec(ServiceSpec):
+ def __init__(self,
+ service_type: str,
+ placement: Optional[PlacementSpec] = None,
+ ) -> None:
+ assert service_type == 'node-proxy'
+ super(NodeProxySpec, self).__init__('node-proxy', placement=placement)
+ self.ssl: bool = True
+ self.validate()
+
+
 yaml.add_representer(SMBSpec, ServiceSpec.yaml_representer)
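Review bot: In the last hunk, `NodeProxySpec.__init__` accepts only `service_type` and `placement` and then pins `self.ssl = True` as a plain attribute, so a spec that carries any other key (an explicit `ssl`, `unmanaged`, `networks`) would presumably be rejected with a `TypeError` when it is built from JSON/YAML; how the base class serializes and reloads `ssl` is outside the hunk, so a `to_json()`/`from_json()` round-trip test for `node-proxy` would confirm this. Consider accepting the common `ServiceSpec` keyword arguments and forwarding them to `super().__init__`, while rejecting `ssl=False` explicitly in `validate()` so TLS cannot be turned off by accident. The `assert service_type == 'node-proxy'` check disappears under `python -O`; a raised validation error would hold in every mode. A one-line docstring such as `"""Spec for node-proxy; TLS is always enabled and user-supplied certificates are not accepted."""` would record the intent behind the hard-coded `ssl` and the `user_cert_allowed: False` entry added in the first hunk of this file.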