From: Redouane Kachach Date: Thu, 25 Sep 2025 15:26:06 +0000 (+0200) Subject: mgr/cephadm: Remove SSL RGW migration logic X-Git-Tag: testing/wip-vshankar-testing-20250929.160013-debug~21^2~1 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=9e05171155075daf96a070037fa2fa14f84b8bfc;p=ceph-ci.git mgr/cephadm: Remove SSL RGW migration logic Remove the special-case code used for RGW service migration, as it is no longer needed. The certmgr logic now handles populating the certstore with the corresponding certificate and key entries by reading their values directly from the spec. During RGW service redeployment as part of the upgrade, certmgr will ensure the certstore is updated accordingly. Signed-off-by: Redouane Kachach --- diff --git a/src/pybind/mgr/cephadm/inventory.py b/src/pybind/mgr/cephadm/inventory.py index 5a5e8eb7bc7..c4a99fbe88e 100644 --- a/src/pybind/mgr/cephadm/inventory.py +++ b/src/pybind/mgr/cephadm/inventory.py @@ -27,7 +27,7 @@ from cephadm.services.cephadmservice import CephadmDaemonDeploySpec from mgr_util import parse_combined_pem_file from .utils import resolve_ip, SpecialHostLabels -from .migrations import queue_migrate_nfs_spec, queue_migrate_rgw_spec, queue_migrate_rgw_ssl_spec +from .migrations import queue_migrate_nfs_spec, queue_migrate_rgw_spec if TYPE_CHECKING: from .module import CephadmOrchestrator @@ -309,12 +309,6 @@ class SpecStore(): ): queue_migrate_rgw_spec(self.mgr, j) - if ( - (self.mgr.migration_current or 0) < 8 - and j['spec'].get('service_type') == 'rgw' - ): - queue_migrate_rgw_ssl_spec(self.mgr, j) - spec = ServiceSpec.from_json(j['spec']) created = str_to_datetime(cast(str, j['created'])) self._specs[service_name] = spec diff --git a/src/pybind/mgr/cephadm/migrations.py b/src/pybind/mgr/cephadm/migrations.py index 64e39d93432..6daa438459b 100644 --- a/src/pybind/mgr/cephadm/migrations.py +++ b/src/pybind/mgr/cephadm/migrations.py @@ -7,8 +7,7 @@ from ceph.deployment.service_spec import PlacementSpec, ServiceSpec, HostPlaceme from cephadm.schedule import HostAssignment from cephadm.utils import SpecialHostLabels import rados -from mgr_util import parse_combined_pem_file, get_cert_issuer_info -from cephadm.tlsobject_types import CertKeyPair +from mgr_util import get_cert_issuer_info from mgr_module import NFS_POOL_NAME from orchestrator import OrchestratorError, DaemonDescription @@ -16,7 +15,7 @@ from orchestrator import OrchestratorError, DaemonDescription if TYPE_CHECKING: from .module import CephadmOrchestrator -LAST_MIGRATION = 9 +LAST_MIGRATION = 8 logger = logging.getLogger(__name__) @@ -43,9 +42,6 @@ class Migrations: r = mgr.get_store('rgw_migration_queue') self.rgw_migration_queue = json.loads(r) if r else [] - r = mgr.get_store('rgw_ssl_migration_queue') - self.rgw_ssl_migration_queue = json.loads(r) if r else [] - # for some migrations, we don't need to do anything except for # incrementing migration_current. # let's try to shortcut things here. @@ -126,11 +122,6 @@ class Migrations: if self.migrate_7_8(): self.set(8) - if self.mgr.migration_current == 8: - logger.info('Running migration 8 -> 9') - if self.migrate_8_9(): - self.set(9) - def migrate_0_1(self) -> bool: """ Migration 0 -> 1 @@ -478,37 +469,6 @@ class Migrations: return True def migrate_7_8(self) -> bool: - logger.info(f'Starting rgw SSL/TLS migration (queue length is {len(self.rgw_ssl_migration_queue)})') - for s in self.rgw_ssl_migration_queue: - - svc_spec = s['spec'] # this is the RGWspec - - if 'spec' not in svc_spec: - logger.info(f"No SSL/TLS fields migration is needed for rgw spec: {svc_spec}") - continue - - cert_field = svc_spec['spec'].get('rgw_frontend_ssl_certificate') - if not cert_field: - logger.info(f"No SSL/TLS fields migration is needed for rgw spec: {svc_spec}") - continue - - cert_str = '\n'.join(cert_field) if isinstance(cert_field, list) else cert_field - ssl_cert, ssl_key = parse_combined_pem_file(cert_str) - new_spec = svc_spec.copy() - new_spec['spec'].update({ - 'rgw_frontend_ssl_certificate': None, - 'certificate_source': CertificateSource.INLINE.value, - 'ssl_cert': ssl_cert, - 'ssl_key': ssl_key, - }) - - logger.info(f"Migrating {svc_spec} to new RGW SSL/TLS format {new_spec}") - self.mgr.spec_store.save(RGWSpec.from_json(new_spec)) - - self.rgw_ssl_migration_queue = [] - return True - - def migrate_8_9(self) -> bool: """ Replace Promtail with Alloy. @@ -588,15 +548,6 @@ def queue_migrate_rgw_spec(mgr: "CephadmOrchestrator", spec_dict: Dict[Any, Any] logger.info(f'Queued rgw.{service_id} for migration') -def queue_migrate_rgw_ssl_spec(mgr: "CephadmOrchestrator", spec_dict: Dict[Any, Any]) -> None: - service_id = spec_dict['spec']['service_id'] - queued = mgr.get_store('rgw_ssl_migration_queue') or '[]' - ls = json.loads(queued) - ls.append(spec_dict) - mgr.set_store('rgw_ssl_migration_queue', json.dumps(ls)) - logger.info(f'Queued rgw.{service_id} for TLS migration') - - def queue_migrate_nfs_spec(mgr: "CephadmOrchestrator", spec_dict: Dict[Any, Any]) -> None: """ After 16.2.5 we dropped the NFSServiceSpec pool and namespace properties.