From: Redouane Kachach Date: Sat, 29 Mar 2025 05:22:18 +0000 (+0100) Subject: mgr/cephadm: harmonize mgmt-gateway and oauth2-proxy spec fields X-Git-Tag: v20.3.0~13^2~3 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=9aefb506690082d5db5d93d7c43c6675fb88d46a;p=ceph.git mgr/cephadm: harmonize mgmt-gateway and oauth2-proxy spec fields Let's rename the spec fields for mgmt-gateway and oauth2-proxy from ssl_certificate to ssl_cert, and from ssl_certificate_key to ssl_key, to align with the naming conventions used by other Cephadm services such as iscsi and ingress. Fixes: https://tracker.ceph.com/issues/70359 Signed-off-by: Redouane Kachach
---
diff --git a/doc/cephadm/services/mgmt-gateway.rst b/doc/cephadm/services/mgmt-gateway.rst
index 5d0d46d37779..7fb5f5661190 100644
--- a/doc/cephadm/services/mgmt-gateway.rst
+++ b/doc/cephadm/services/mgmt-gateway.rst
@@ -128,6 +128,7 @@ A ``mgmt-gateway`` service can be applied using a specification. An example in Y - ceph0 spec: port: 5000 + ssl: True ssl_protocols: - TLSv1.2 - TLSv1.3
@@ -136,13 +137,13 @@ A ``mgmt-gateway`` service can be applied using a specification. An example in Y - AES128-SHA - AES256-SHA - ... - ssl_certificate: | + ssl_cert: | -----BEGIN CERTIFICATE----- MIIDtTCCAp2gAwIBAgIYMC4xNzc1NDQxNjEzMzc2MjMyXzxvQ7EcMA0GCSqGSIb3 DQEBCwUAMG0xCzAJBgNVBAYTAlVTMQ0wCwYDVQQIDARVdGFoMRcwFQYDVQQHDA5T [...] -----END CERTIFICATE----- - ssl_certificate_key: | + ssl_key: | -----BEGIN PRIVATE KEY----- MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC5jdYbjtNTAKW4 /CwQr/7wOiLGzVxChn3mmCIF3DwbL/qvTFTX2d8bDf6LjGwLYloXHscRfxszX/4h
diff --git a/src/pybind/mgr/cephadm/module.py b/src/pybind/mgr/cephadm/module.py
index ef9a43571b83..69db12889708 100644
--- a/src/pybind/mgr/cephadm/module.py
+++ b/src/pybind/mgr/cephadm/module.py
@@ -751,7 +751,7 @@ class CephadmOrchestrator(orchestrator.Orchestrator, MgrModule,
 endpoint_suffix = '/internal'
 else:
 mgmt_gw_port = dd.ports[0] if dd.ports else None
- protocol = 'http' if mgmt_gw_spec.disable_https else 'https'
+ protocol = 'https' if mgmt_gw_spec.ssl else 'http'
 endpoint_suffix = ''
 mgmt_gw_endpoint = build_url(scheme=protocol, host=mgmt_gw_addr, port=mgmt_gw_port)
diff --git a/src/pybind/mgr/cephadm/services/mgmt_gateway.py b/src/pybind/mgr/cephadm/services/mgmt_gateway.py
index cec91b0ecee7..5a89c96187f8 100644
--- a/src/pybind/mgr/cephadm/services/mgmt_gateway.py
+++ b/src/pybind/mgr/cephadm/services/mgmt_gateway.py
@@ -57,10 +57,10 @@ class MgmtGatewayService(CephadmService):
 user_made = False
 if not (cert and key):
 # not available on store, check if provided on the spec
- if svc_spec.ssl_certificate and svc_spec.ssl_certificate_key:
+ if svc_spec.ssl_cert and svc_spec.ssl_key:
 user_made = True
- cert = svc_spec.ssl_certificate
- key = svc_spec.ssl_certificate_key
+ cert = svc_spec.ssl_cert
+ key = svc_spec.ssl_key
 else:
 # not provided on the spec, let's generate self-sigend certificates
 ip = self.get_mgmt_gw_ip(svc_spec, daemon_spec)
@@ -147,7 +147,6 @@ class MgmtGatewayService(CephadmService):
 'enable_oauth2_proxy': bool(oauth2_proxy_endpoints),
 }
- cert, key = self.get_external_certificates(svc_spec, daemon_spec)
 internal_cert, internal_pkey = self.get_internal_certificates(svc_spec, daemon_spec)
 daemon_config = {
 "files": {
@@ -159,7 +158,8 @@ class MgmtGatewayService(CephadmService):
 "ca.crt": self.mgr.cert_mgr.get_root_ca()
 }
 }
- if not svc_spec.disable_https:
+ if svc_spec.ssl:
+ cert, key = self.get_external_certificates(svc_spec, daemon_spec)
 daemon_config["files"]["nginx.crt"] = cert
 daemon_config["files"]["nginx.key"] = key
diff --git a/src/pybind/mgr/cephadm/services/oauth2_proxy.py b/src/pybind/mgr/cephadm/services/oauth2_proxy.py
index bcf97968d90b..4f62084f6358 100644
--- a/src/pybind/mgr/cephadm/services/oauth2_proxy.py
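Review bot: `protocol = 'https' if mgmt_gw_spec.ssl else 'http'` turns an unset `ssl` into plain HTTP: the field is typed `Optional[bool]`, so a caller passing `ssl=None` (or, presumably, a spec carrying `ssl: null`) is falsy here, whereas the removed `disable_https` test fell back to HTTPS in the same situation. The identical truthiness test is used by `if svc_spec.ssl:` in mgmt_gateway.py (hunk @@ -159) and by `{% if not spec.ssl %}` in external_server.conf.j2, so all three consumers would drop TLS together without any error. Normalising once in `MgmtGatewaySpec.__init__` is the least invasive fix, e.g. `self.ssl = True if ssl is None else bool(ssl)`, with `validate()` rejecting non-bool values. The enclosing function of this hunk starts and ends outside it.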
+++ b/src/pybind/mgr/cephadm/services/oauth2_proxy.py
@@ -48,10 +48,10 @@ class OAuth2ProxyService(CephadmService):
 user_made = False
 if not (cert and key):
 # not available on store, check if provided on the spec
- if svc_spec.ssl_certificate and svc_spec.ssl_certificate_key:
+ if svc_spec.ssl_cert and svc_spec.ssl_key:
 user_made = True
- cert = svc_spec.ssl_certificate
- key = svc_spec.ssl_certificate_key
+ cert = svc_spec.ssl_cert
+ key = svc_spec.ssl_key
 else:
 # not provided on the spec, let's generate self-sigend certificates
 addr = self.mgr.inventory.get_addr(daemon_spec.host)
diff --git a/src/pybind/mgr/cephadm/templates/services/mgmt-gateway/external_server.conf.j2 b/src/pybind/mgr/cephadm/templates/services/mgmt-gateway/external_server.conf.j2
index 50a61f843d12..3db1a1142b35 100644
--- a/src/pybind/mgr/cephadm/templates/services/mgmt-gateway/external_server.conf.j2
+++ b/src/pybind/mgr/cephadm/templates/services/mgmt-gateway/external_server.conf.j2
@@ -1,6 +1,6 @@
 server {
-{% if spec.disable_https %}
+{% if not spec.ssl %}
 listen {{ spec.port or 80 }};
 {% else %}
 listen {{ spec.port or 443 }} ssl;
diff --git a/src/pybind/mgr/cephadm/tests/test_services.py b/src/pybind/mgr/cephadm/tests/test_services.py
index da1865f0a5c8..aca7806c9954 100644
--- a/src/pybind/mgr/cephadm/tests/test_services.py
+++ b/src/pybind/mgr/cephadm/tests/test_services.py
@@ -1588,8 +1588,8 @@ class TestMonitoring:
 client_secret='my_client_secret',
 oidc_issuer_url='http://192.168.10.10:8888/dex',
 cookie_secret='kbAEM9opAmuHskQvt0AW8oeJRaOM2BYy5Loba0kZ0SQ=',
- ssl_certificate=ceph_generated_cert,
- ssl_certificate_key=ceph_generated_key)
+ ssl_cert=ceph_generated_cert,
+ ssl_key=ceph_generated_key)
 with with_host(cephadm_module, "test"):
 cephadm_module.cert_mgr.save_cert('grafana_cert', ceph_generated_cert, host='test')
@@ -4005,8 +4005,8 @@ class TestMgmtGateway:
 server_port = 5555
 spec = MgmtGatewaySpec(port=server_port,
- ssl_certificate=ceph_generated_cert,
- ssl_certificate_key=ceph_generated_key)
+ ssl_cert=ceph_generated_cert,
+ ssl_key=ceph_generated_key)
 expected = {
 "fsid": "fsid",
@@ -4253,8 +4253,8 @@ class TestMgmtGateway:
 server_port = 5555
 spec = MgmtGatewaySpec(port=server_port,
- ssl_certificate=ceph_generated_cert,
- ssl_certificate_key=ceph_generated_key,
+ ssl_cert=ceph_generated_cert,
+ ssl_key=ceph_generated_key,
 enable_auth=True)
 expected = {
@@ -4603,8 +4603,8 @@ class TestMgmtGateway:
 server_port = 5555
 mgmt_gw_spec = MgmtGatewaySpec(port=server_port,
- ssl_certificate=ceph_generated_cert,
- ssl_certificate_key=ceph_generated_key,
+ ssl_cert=ceph_generated_cert,
+ ssl_key=ceph_generated_key,
 enable_auth=True,
 virtual_ip=virtual_ip)
@@ -4614,8 +4614,8 @@ class TestMgmtGateway:
 client_secret='my_client_secret',
 oidc_issuer_url='http://192.168.10.10:8888/dex',
 cookie_secret='kbAEM9opAmuHskQvt0AW8oeJRaOM2BYy5Loba0kZ0SQ=',
- ssl_certificate=ceph_generated_cert,
- ssl_certificate_key=ceph_generated_key,
+ ssl_cert=ceph_generated_cert,
+ ssl_key=ceph_generated_key,
 allowlist_domains=[allowed_domain])
 whitelist_domains = f"{allowed_domain},1::4,ceph-node" if virtual_ip is None else f"{allowed_domain},{virtual_ip},1::4,ceph-node"
diff --git a/src/pybind/mgr/orchestrator/module.py b/src/pybind/mgr/orchestrator/module.py
index 151616c84860..303ea4c573d7 100644
--- a/src/pybind/mgr/orchestrator/module.py
+++ b/src/pybind/mgr/orchestrator/module.py
@@ -2048,7 +2048,7 @@ Usage:
 @_cli_write_command('orch apply mgmt-gateway')
 def _apply_mgmt_gateway(self,
 port: Optional[int] = None,
- disable_https: Optional[bool] = False,
+ ssl: Optional[bool] = True,
 enable_auth: Optional[bool] = False,
 virtual_ip: Optional[str] = None,
 placement: Optional[str] = None,
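Review bot: Replacing the CLI parameter `disable_https: Optional[bool] = False` with `ssl: Optional[bool] = True` in `_apply_mgmt_gateway` is a user-visible break that the commit description does not mention — it only covers the `ssl_cert`/`ssl_key` rename — so an existing `ceph orch apply mgmt-gateway --disable-https` invocation presumably stops parsing after upgrade. The way to turn TLS off with the new parameter (likely `--ssl=false`, depending on how the mgr CLI maps `Optional[bool]` arguments) should be stated in the command usage and in the mgmt-gateway docs, and the removed flag deserves a release note. The `_apply_mgmt_gateway` signature and body continue outside the hunk.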
@@ -2066,7 +2066,7 @@ Usage:
 unmanaged=unmanaged,
 port=port,
 virtual_ip=virtual_ip,
- disable_https=disable_https,
+ ssl=ssl,
 enable_auth=enable_auth,
 preview_only=dry_run
 )
diff --git a/src/python-common/ceph/deployment/service_spec.py b/src/python-common/ceph/deployment/service_spec.py
index f9366830adc0..a8130525238b 100644
--- a/src/python-common/ceph/deployment/service_spec.py
+++ b/src/python-common/ceph/deployment/service_spec.py
@@ -1853,11 +1853,11 @@ class MgmtGatewaySpec(ServiceSpec):
 config: Optional[Dict[str, str]] = None,
 networks: Optional[List[str]] = None,
 placement: Optional[PlacementSpec] = None,
- disable_https: Optional[bool] = False,
+ ssl: Optional[bool] = True,
 enable_auth: Optional[bool] = False,
 port: Optional[int] = None,
- ssl_certificate: Optional[str] = None,
- ssl_certificate_key: Optional[str] = None,
+ ssl_cert: Optional[str] = None,
+ ssl_key: Optional[str] = None,
 ssl_prefer_server_ciphers: Optional[str] = None,
 ssl_session_tickets: Optional[str] = None,
 ssl_session_timeout: Optional[str] = None,
@@ -1886,16 +1886,16 @@ class MgmtGatewaySpec(ServiceSpec):
 extra_entrypoint_args=extra_entrypoint_args,
 custom_configs=custom_configs
 )
- #: Is a flag to disable HTTPS. If True, the server will use unsecure HTTP
- self.disable_https = disable_https
+ #: Is a flag to enable/disable HTTPS. By default set to True.
+ self.ssl = ssl
 #: Is a flag to enable SSO auth. Requires oauth2-proxy to be active for SSO authentication.
 self.enable_auth = enable_auth
 #: The port number on which the server will listen
 self.port = port
 #: A multi-line string that contains the SSL certificate
- self.ssl_certificate = ssl_certificate
+ self.ssl_cert = ssl_cert
 #: A multi-line string that contains the SSL key
- self.ssl_certificate_key = ssl_certificate_key
+ self.ssl_key = ssl_key
 #: Prefer server ciphers over client ciphers: on | off
 self.ssl_prefer_server_ciphers = ssl_prefer_server_ciphers
 #: A multioption flag to control session tickets: on | off
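Review bot: Specs persisted before this change still carry `disable_https`, `ssl_certificate` and `ssl_certificate_key`, and nothing in this commit maps those keys onto the new `ssl`, `ssl_cert` and `ssl_key` parameters of `MgmtGatewaySpec.__init__`, so loading a stored mgmt-gateway spec after an upgrade may fail outright or, worse, come up without its operator-supplied certificate — which path applies depends on how `from_json` treats unknown keys and is worth confirming against the spec-loading code. If no migration exists, accepting the old names as deprecated aliases in the constructor (and the same for `OAuth2ProxySpec.__init__` in hunk @@ -1997) would keep existing deployments working; a one-line note in the class docstring naming the old field names would also help anyone grepping after the rename. The constructor signature continues outside the hunk.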
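Review bot: The new attribute comment `#: Is a flag to enable/disable HTTPS. By default set to True.` omits what disabling it actually does, which is the part an operator needs before changing it: per the external_server.conf.j2 hunk the gateway then listens on plain HTTP (port 80 unless `port` is set), and per the mgmt_gateway.py @@ -159 hunk no external certificate is provisioned. Suggest `#: Serve the external endpoint over HTTPS (default True). When False the gateway listens on plain HTTP (port 80 unless ``port`` is set) and no certificate is provisioned.` This also gives the rendered spec reference something to say about the new ``ssl: True`` line in the docs example. The `__init__` body continues outside the hunk.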
@@ -1927,8 +1927,8 @@ class MgmtGatewaySpec(ServiceSpec):
 def validate(self) -> None:
 super(MgmtGatewaySpec, self).validate()
 self._validate_port(self.port)
- self._validate_certificate(self.ssl_certificate, "ssl_certificate")
- self._validate_private_key(self.ssl_certificate_key, "ssl_certificate_key")
+ self._validate_certificate(self.ssl_cert, "ssl_cert")
+ self._validate_private_key(self.ssl_key, "ssl_key")
 self._validate_boolean_switch(self.ssl_prefer_server_ciphers, "ssl_prefer_server_ciphers")
 self._validate_boolean_switch(self.ssl_session_tickets, "ssl_session_tickets")
 self._validate_session_timeout(self.ssl_session_timeout)
@@ -1997,8 +1997,8 @@ class OAuth2ProxySpec(ServiceSpec):
 oidc_issuer_url: Optional[str] = None,
 redirect_url: Optional[str] = None,
 cookie_secret: Optional[str] = None,
- ssl_certificate: Optional[str] = None,
- ssl_certificate_key: Optional[str] = None,
+ ssl_cert: Optional[str] = None,
+ ssl_key: Optional[str] = None,
 allowlist_domains: Optional[List[str]] = None,
 unmanaged: bool = False,
 extra_container_args: Optional[GeneralArgList] = None,
@@ -2032,9 +2032,9 @@ class OAuth2ProxySpec(ServiceSpec):
 # 24, or 32 bytes to create an AES cipher.
 self.cookie_secret = cookie_secret or self.generate_random_secret()
 #: The multi-line SSL certificate for encrypting communications.
- self.ssl_certificate = ssl_certificate
+ self.ssl_cert = ssl_cert
 #: The multi-line SSL certificate private key for decrypting communications.
- self.ssl_certificate_key = ssl_certificate_key
+ self.ssl_key = ssl_key
 #: List of allowed domains for safe redirection after login or logout,
 # preventing unauthorized redirects.
 self.allowlist_domains = allowlist_domains
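Review bot: `validate()` still checks `ssl_cert` and `ssl_key` independently, so a spec that supplies only one of the pair passes validation, and `get_external_certificates` in mgmt_gateway.py (hunk @@ -57; oauth2_proxy.py @@ -48 has the same `if svc_spec.ssl_cert and svc_spec.ssl_key:` pattern) then ignores the half that was supplied and generates a self-signed pair instead — the operator's certificate is discarded without any message. A pairing check here would surface the misconfiguration at apply time: `if bool(self.ssl_cert) != bool(self.ssl_key): raise SpecValidationError("ssl_cert and ssl_key must be provided together")`. `OAuth2ProxySpec` would benefit from the same check, and the `ssl` flag added in this commit is not validated as a boolean anywhere in `validate()`. `validate()` continues past the last context line of the hunk.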