From: Redouane Kachach <rkachach@ibm.com>
Date: Thu, 18 Sep 2025 08:34:52 +0000 (+0200)
Subject: mgr/cephadm: Remove Grafana self-signed certificate migration logic
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=786f28cbb7d63ce46e2ca54c5bb71dc91108400c;p=ceph.git

mgr/cephadm: Remove Grafana self-signed certificate migration logic

Remove the code used to migrate Grafana self-signed certificates, as
it is no longer needed. The certmgr logic now handles generating new
certificates during the upgrade, eliminating the need for any migration
code or logic.

Signed-off-by: Redouane Kachach <rkachach@ibm.com>
---

diff --git a/src/pybind/mgr/cephadm/migrations.py b/src/pybind/mgr/cephadm/migrations.py
index 6daa438459b3f..d2831ec46da76 100644
--- a/src/pybind/mgr/cephadm/migrations.py
+++ b/src/pybind/mgr/cephadm/migrations.py
@@ -446,16 +446,12 @@ class Migrations:
             grafana_cert = self.mgr.get_store(grafana_cert_path)
             grafana_key = self.mgr.get_store(grafana_key_path)
             if grafana_cert:
-                (org, cn) = get_cert_issuer_info(grafana_cert)
-                if org == 'Ceph':
-                    logger.info(f'Migrating {grafana_daemon.name()}/{hostname} cert/key to cert store (as cephadm-signed certs)')
-                    self.mgr.cert_mgr.register_self_signed_cert_key_pair('grafana')
-                    self.mgr.cert_mgr.save_self_signed_cert_key_pair('grafana', CertKeyPair(grafana_cert, grafana_key), host=hostname)
-                else:
+                org, _ = get_cert_issuer_info(grafana_cert)
+                if org != 'Ceph':
                     logger.info(f'Migrating {grafana_daemon.name()}/{hostname} cert/key to cert store (as custom-certs)')
                     grafana_cephadm_signed_certs = False
-                    self.mgr.cert_mgr.save_cert('grafana_ssl_cert', grafana_cert, host=hostname)
-                    self.mgr.cert_mgr.save_key('grafana_ssl_key', grafana_key, host=hostname)
+                    self.mgr.cert_mgr.save_cert('grafana_ssl_cert', grafana_cert, host=hostname, user_made=True, editable=True)
+                    self.mgr.cert_mgr.save_key('grafana_ssl_key', grafana_key, host=hostname, user_made=True, editable=True)
 
         if not grafana_cephadm_signed_certs:
             # Update the spec to specify the right certificate source
diff --git a/src/pybind/mgr/cephadm/tests/test_migration.py b/src/pybind/mgr/cephadm/tests/test_migration.py
index 775077de2c02d..6e74ad6df7604 100644
--- a/src/pybind/mgr/cephadm/tests/test_migration.py
+++ b/src/pybind/mgr/cephadm/tests/test_migration.py
@@ -8,7 +8,8 @@ from ceph.deployment.service_spec import (
     RGWSpec,
     IngressSpec,
     IscsiServiceSpec,
-    GrafanaSpec
+    GrafanaSpec,
+    CertificateSource
 )
 from ceph.utils import datetime_to_str, datetime_now
 from cephadm import CephadmOrchestrator
@@ -402,25 +403,6 @@ def test_migrate_rgw_spec(cephadm_module: CephadmOrchestrator, rgw_spec_store_en
             assert 'rgw.foo' not in cephadm_module.spec_store.all_specs
 
 
-@mock.patch('cephadm.migrations.get_cert_issuer_info')
-def test_migrate_grafana_cephadm_signed(mock_get_cert_issuer_info, cephadm_module: CephadmOrchestrator):
-    mock_get_cert_issuer_info.return_value = ('Ceph', 'MockCephCN')
-
-    cephadm_module.set_store('host1/grafana_crt', 'grafana_cert1')
-    cephadm_module.set_store('host1/grafana_key', 'grafana_key1')
-    cephadm_module.set_store('host2/grafana_crt', 'grafana_cert2')
-    cephadm_module.set_store('host2/grafana_key', 'grafana_key2')
-    cephadm_module.cache.daemons = {'host1': {'grafana.host1': DaemonDescription('grafana', 'host1', 'host1')},
-                                    'host2': {'grafana.host2': DaemonDescription('grafana', 'host2', 'host2')}}
-
-    cephadm_module.migration.migrate_6_7()
-
-    assert cephadm_module.cert_mgr.get_cert('cephadm-signed_grafana_cert', host='host1')
-    assert cephadm_module.cert_mgr.get_cert('cephadm-signed_grafana_cert', host='host2')
-    assert cephadm_module.cert_mgr.get_key('cephadm-signed_grafana_key', host='host1')
-    assert cephadm_module.cert_mgr.get_key('cephadm-signed_grafana_key', host='host2')
-
-
 @mock.patch('cephadm.migrations.get_cert_issuer_info')
 def test_migrate_grafana_custom_certs(mock_get_cert_issuer_info, cephadm_module: CephadmOrchestrator):
     from datetime import datetime, timezone
@@ -445,6 +427,7 @@ def test_migrate_grafana_custom_certs(mock_get_cert_issuer_info, cephadm_module:
     assert cephadm_module.cert_mgr.get_cert('grafana_ssl_cert', host='host2')
     assert cephadm_module.cert_mgr.get_key('grafana_ssl_key', host='host1')
     assert cephadm_module.cert_mgr.get_key('grafana_ssl_key', host='host2')
+    assert cephadm_module.spec_store._specs['grafana'].certificate_source == CertificateSource.REFERENCE.value
 
 
 def test_migrate_cert_store(cephadm_module: CephadmOrchestrator):