From: John Mulligan
Date: Fri, 18 Jul 2025 16:20:17 +0000 (-0400)
Subject: cephadm: add keybridge sidecar to smb daemon module
X-Git-Tag: testing/wip-pdonnell-testing-20260323.122957-tentacle~637
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=910c82ef8350ab73f250d3d319cca9e7b85a1de6;p=ceph-ci.git
cephadm: add keybridge sidecar to smb daemon module
The keybridge uses the sambacc configuration but can also be passed CLI options. Since cephadm writes the cert files, cephadm must also pass the file names to use to the container args.
Signed-off-by: John Mulligan
(cherry picked from commit a140d9d0c7ffc6837c7fa02fe92082efefe9ffc5)
---
diff --git a/src/cephadm/cephadmlib/daemons/smb.py b/src/cephadm/cephadmlib/daemons/smb.py
index 553fbe6c8f0..d4941a34d3b 100644
--- a/src/cephadm/cephadmlib/daemons/smb.py
+++ b/src/cephadm/cephadmlib/daemons/smb.py
@@ -63,6 +63,7 @@ class Features(enum.Enum):
 CLUSTERED = 'clustered'
 CEPHFS_PROXY = 'cephfs-proxy'
 REMOTE_CONTROL = 'remote-control'
+ KEYBRIDGE = 'keybridge'
 @classmethod
 def valid(cls, value: str) -> bool:
@@ -188,6 +189,12 @@ class RemoteControlConfig:
 tls_files: TLSFiles
+@dataclasses.dataclass(frozen=True)
+class KeyBridgeConfig:
+ tls_files: TLSFiles
+ socket = 'unix:/run/keybridge.s'
+
+
 @dataclasses.dataclass(frozen=True)
 class Config:
 identity: DaemonIdentity
@@ -218,6 +225,7 @@ class Config:
 bind_to: List[BindInterface] = dataclasses.field(default_factory=list)
 proxy_image: str = ''
 remote_control: Optional[RemoteControlConfig] = None
+ keybridge: Optional[KeyBridgeConfig] = None
 def config_uris(self) -> List[str]:
 uris = [self.source_config]
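Review bot: In `KeyBridgeConfig`, `socket = 'unix:/run/keybridge.s'` has no annotation, so `dataclasses` treats it as a plain class attribute rather than a field: it cannot be set per instance and is left out of `repr` and equality. If a fixed constant is intended, make that explicit with `socket: ClassVar[str] = 'unix:/run/keybridge.s'` (with `ClassVar` imported from `typing`); if deployments may need a different path, make it a real field with `socket: str = 'unix:/run/keybridge.s'`. A short comment saying which containers are expected to reach this socket would also help a reader judge who can talk to the key bridge.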
@@ -447,6 +455,30 @@ class RemoteControlContainer(SambaContainerCommon):
 ]
+class KeyBridgeContainer(SambaContainerCommon):
+ def name(self) -> str:
+ return 'keybridge'
+
+ def args(self) -> List[str]:
+ args = super().args()
+ assert self.cfg.keybridge, 'keybridge is not configured'
+ args.append('keybridge')
+ if self.cfg.keybridge.tls_files:
+ cert_path = self.cfg.keybridge.tls_files.cert_interior_path
+ key_path = self.cfg.keybridge.tls_files.key_interior_path
+ ca_cert_path = self.cfg.keybridge.tls_files.ca_cert_interior_path
+ # all or nothing with kmip
+ assert cert_path and key_path and ca_cert_path
+ args.append(f'--kmip-tls-cert={cert_path}')
+ args.append(f'--kmip-tls-key={key_path}')
+ args.append(f'--kmip-tls-ca-cert={ca_cert_path}')
+ args.append(self.cfg.keybridge.socket)
+ return args
+
+ def container_args(self) -> List[str]:
+ return super().container_args() + ['--entrypoint=samba-satellite']
+
+
 class CephFSProxyContainer(ContainerCommon):
 def name(self) -> str:
 return 'proxy'
@@ -660,6 +692,12 @@ class SMB(ContainerDaemonForm):
 )
 else:
 remote_control_cfg = None
+ if Features.KEYBRIDGE.value in instance_features:
+ keybridge_cfg = KeyBridgeConfig(
+ tls_files=TLSFiles.match(self._tls_files, 'keybridge')
+ )
+ else:
+ keybridge_cfg = None
 rank, rank_gen = self._rank_info
 self._instance_cfg = Config(
@@ -688,6 +726,7 @@ class SMB(ContainerDaemonForm):
 proxy_image=proxy_image,
 bind_to=self._network_mapper.bind_interfaces(bind_networks),
 remote_control=remote_control_cfg,
+ keybridge=keybridge_cfg,
 )
 logger.debug('SMB Instance Config: %s', self._instance_cfg)
 logger.debug('Configured files: %s', self._files)
@@ -749,6 +788,8 @@ class SMB(ContainerDaemonForm):
 )
 if self._cfg.remote_control:
 ctrs.append(RemoteControlContainer(self._cfg))
+ if self._cfg.keybridge:
+ ctrs.append(KeyBridgeContainer(self._cfg))
 if self._cfg.clustered:
 init_ctrs += [
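Review bot: `KeyBridgeContainer.args` relies on `assert` to enforce its "all or nothing" TLS rule, and asserts are removed when Python runs with `-O`; in that case an empty or `None` path would be formatted straight into the `--kmip-tls-*` options. Raise an explicit error instead, for example `if not (cert_path and key_path and ca_cert_path): raise ValueError('keybridge: KMIP TLS cert, key and CA cert must all be set')` (or the module's own error type), and do the same for the `self.cfg.keybridge` check. Separately, when `tls_files` is falsy the container is started with no `--kmip-tls-*` options and nothing is logged; whether keybridge then reaches the KMIP server without TLS cannot be seen from this diff, so that configuration should be either rejected or logged. The `KeyBridgeConfig` construction in the `@@ -660,6 +692,12 @@` hunk would be the earlier place to validate the result of `TLSFiles.match`.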