From: Adam King
Date: Tue, 30 Jan 2024 13:56:17 +0000 (-0500)
Subject: mgr/cephadm: move grafana cert/key to cert/key store
X-Git-Tag: v20.0.0~1612^2~8
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=bb7e715320e41f5d6b6291769e2b6d230eec74cc;p=ceph.git
mgr/cephadm: move grafana cert/key to cert/key store
In an effort to try and better track what certs/keys we manage with cephadm
Signed-off-by: Adam King
---
diff --git a/src/pybind/mgr/cephadm/serve.py b/src/pybind/mgr/cephadm/serve.py
index 4eb1bfe3d7b0..2c6c9d96bf2f 100644
--- a/src/pybind/mgr/cephadm/serve.py
+++ b/src/pybind/mgr/cephadm/serve.py
@@ -136,8 +136,10 @@ class CephadmServe:
 def _check_certificates(self) -> None:
 for d in self.mgr.cache.get_daemons_by_type('grafana'):
- cert = self.mgr.get_store(f'{d.hostname}/grafana_crt')
- key = self.mgr.get_store(f'{d.hostname}/grafana_key')
+ host = d.hostname
+ assert host is not None
+ cert = self.mgr.cert_key_store.get_cert('grafana_cert', host=host)
+ key = self.mgr.cert_key_store.get_key('grafana_key', host=host)
 if (not cert or not cert.strip()) and (not key or not key.strip()):
 # certificate/key are empty... nothing to check
 return
diff --git a/src/pybind/mgr/cephadm/services/monitoring.py b/src/pybind/mgr/cephadm/services/monitoring.py
index 184fb0251b82..dca7985fe229 100644
--- a/src/pybind/mgr/cephadm/services/monitoring.py
+++ b/src/pybind/mgr/cephadm/services/monitoring.py
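Review bot: The added `assert host is not None` in `_check_certificates` is standing in for a runtime check: it is stripped under `python -O`, and otherwise a grafana daemon entry without a hostname raises `AssertionError` out of the certificate check instead of being skipped. `if host is None: continue` keeps the type narrowing for the two `cert_key_store` calls and lets the loop move on to the remaining daemons. The function body continues past the end of the hunk.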
@@ -121,10 +121,11 @@ class GrafanaService(CephadmService):
 return config_file, sorted(deps)
 def prepare_certificates(self, daemon_spec: CephadmDaemonDeploySpec) -> Tuple[str, str]:
- cert_path = f'{daemon_spec.host}/grafana_crt'
- key_path = f'{daemon_spec.host}/grafana_key'
- cert = self.mgr.get_store(cert_path)
- pkey = self.mgr.get_store(key_path)
+ # TODO: move these variables to migrations
+ # cert_path = f'{daemon_spec.host}/grafana_crt'
+ # key_path = f'{daemon_spec.host}/grafana_key'
+ cert = self.mgr.cert_key_store.get_cert('grafana_cert', host=daemon_spec.host)
+ pkey = self.mgr.cert_key_store.get_key('grafana_key', host=daemon_spec.host)
 certs_present = (cert and pkey)
 is_valid_certificate = False
 (org, cn) = (None, None)
@@ -148,8 +149,8 @@ class GrafanaService(CephadmService):
 logger.info('Regenerating cephadm self-signed grafana TLS certificates')
 host_fqdn = socket.getfqdn(daemon_spec.host)
 cert, pkey = create_self_signed_cert('Ceph', host_fqdn)
- self.mgr.set_store(cert_path, cert)
- self.mgr.set_store(key_path, pkey)
+ self.mgr.cert_key_store.save_cert('grafana_cert', cert, host=daemon_spec.host)
+ self.mgr.cert_key_store.save_key('grafana_key', pkey, host=daemon_spec.host)
 if 'dashboard' in self.mgr.get('mgr_map')['modules']:
 self.mgr.check_mon_command({
 'prefix': 'dashboard set-grafana-api-ssl-verify',
@@ -203,10 +204,8 @@ class GrafanaService(CephadmService):
 """
 if daemon.hostname is not None:
 # delete cert/key entires for this grafana daemon
- cert_path = f'{daemon.hostname}/grafana_crt'
- key_path = f'{daemon.hostname}/grafana_key'
- self.mgr.set_store(cert_path, None)
- self.mgr.set_store(key_path, None)
+ self.mgr.cert_key_store.rm_cert('grafana_cert', host=daemon.hostname)
+ self.mgr.cert_key_store.rm_key('grafana_key', host=daemon.hostname)
 def ok_to_stop(self,
 daemon_ids: List[str],
diff --git a/src/pybind/mgr/cephadm/tests/test_services.py b/src/pybind/mgr/cephadm/tests/test_services.py
index 5b484d094fb0..07d009c2487f 100644
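Review bot: The TODO and the commented-out `cert_path`/`key_path` lines in `prepare_certificates` leave upgrades unhandled: nothing in this commit reads the entries older releases wrote under `{host}/grafana_crt` and `{host}/grafana_key`, so after an upgrade the new lookups presumably return nothing and an operator-installed certificate could be replaced by the self-signed one generated in the `@@ -148,8 +149,8 @@` hunk. The removal hunk at `@@ -203,10 +204,8 @@` has the same gap from the other side, since it no longer clears the legacy names and a private key written by an older release would stay in the mgr store after the daemon is gone. Unless a later commit in the series adds the migration, a one-time read-through of the legacy entries, as sketched below, would keep existing certificates, and the removal path would still need to clear the legacy names; the sketch assumes `cert_key_store` does not persist under those same names, which the diff does not show. The function body continues outside the hunk.

```python
    def prepare_certificates(self, daemon_spec: CephadmDaemonDeploySpec) -> Tuple[str, str]:
        # … unchanged: cert/pkey lookups in cert_key_store …
        if not (cert and pkey):
            # Entries written by older releases: carry them over once, then clear
            # them so the private key is not left behind under the old name.
            legacy_cert_path = f'{daemon_spec.host}/grafana_crt'
            legacy_key_path = f'{daemon_spec.host}/grafana_key'
            legacy_cert = self.mgr.get_store(legacy_cert_path)
            legacy_pkey = self.mgr.get_store(legacy_key_path)
            if legacy_cert and legacy_pkey:
                self.mgr.cert_key_store.save_cert('grafana_cert', legacy_cert, host=daemon_spec.host)
                self.mgr.cert_key_store.save_key('grafana_key', legacy_pkey, host=daemon_spec.host)
                self.mgr.set_store(legacy_cert_path, None)
                self.mgr.set_store(legacy_key_path, None)
                cert, pkey = legacy_cert, legacy_pkey
        # … unchanged: certs_present and the validity checks …
```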
--- a/src/pybind/mgr/cephadm/tests/test_services.py
+++ b/src/pybind/mgr/cephadm/tests/test_services.py
@@ -1155,8 +1155,8 @@ class TestMonitoring:
 _run_cephadm.side_effect = async_side_effect(("{}", "", 0))
 with with_host(cephadm_module, "test"):
- cephadm_module.set_store("test/grafana_crt", grafana_cert)
- cephadm_module.set_store("test/grafana_key", grafana_key)
+ cephadm_module.cert_key_store.save_cert('grafana_cert', grafana_cert, host='test')
+ cephadm_module.cert_key_store.save_key('grafana_key', grafana_key, host='test')
 with with_service(
 cephadm_module, PrometheusSpec("prometheus")
 ) as _, with_service(cephadm_module, ServiceSpec("mgr")) as _, with_service(