From: Redouane Kachach Date: Mon, 23 Feb 2026 15:15:12 +0000 (+0100) Subject: mgr/cephadm: moving certificates reconciliation code to a new method X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=ce80967837362674e317af70a0998f8a714e1530;p=ceph.git mgr/cephadm: moving certificates reconciliation code to a new method This way we ensure it's called everytime there's a switch in the certificate Signed-off-by: Redouane Kachach
---
diff --git a/src/pybind/mgr/cephadm/services/cephadmservice.py b/src/pybind/mgr/cephadm/services/cephadmservice.py
index 207295a73ec4..09080e27a191 100644
--- a/src/pybind/mgr/cephadm/services/cephadmservice.py
+++ b/src/pybind/mgr/cephadm/services/cephadmservice.py
@@ -423,28 +423,6 @@ class CephadmService(metaclass=ABCMeta):
 cert_source = getattr(svc_spec, cert_source_attr, None)
 logger.debug(f'Getting certificate for {svc_spec.service_name()} using source: {cert_source}')
- # Reconcile TLS objects when switching certificate sources.
- #
- # - Inline-saved certs/keys are persisted in the certmgr store as user_made=True
- # but editable=False. These should be garbage-collected once the service no
- # longer uses INLINE.
- # - Cephadm-signed certs/keys are stored under cephadm-signed_* entities and
- # should be removed when the service no longer uses CEPHADM_SIGNED.
- svc_name = svc_spec.service_name()
- host = daemon_spec.host
- if cert_source in (CertificateSource.REFERENCE.value, CertificateSource.CEPHADM_SIGNED.value):
- self.mgr.cert_mgr.rm_inline_saved_cert_key_pair(
- cert_name,
- key_name,
- service_name=svc_name,
- host=host,
- ca_cert_name=ca_cert_name,
- )
- if cert_source != CertificateSource.CEPHADM_SIGNED.value:
- # Best-effort: the cephadm-signed entities might not be registered if the
- # service never used CEPHADM_SIGNED (or after a manager restart).
- self.mgr.cert_mgr.try_rm_self_signed_cert_key_pair(svc_name, host)
-
 if cert_source == CertificateSource.INLINE.value:
 return self._get_certificates_from_spec(svc_spec, daemon_spec, cert_attr, key_attr, cert_name, key_name, ca_cert_attr, ca_cert_name)
 elif cert_source == CertificateSource.REFERENCE.value:
@@ -621,8 +599,38 @@ class CephadmService(metaclass=ABCMeta):
 if spec.is_using_certificates_source(CertificateSource.CEPHADM_SIGNED):
 self.mgr.cert_mgr.register_self_signed_cert_key_pair(spec.service_name())
- def prepare_create(self, daemon_spec: CephadmDaemonDeploySpec) -> CephadmDaemonDeploySpec:
+ def prepare_certificates(self, daemon_spec: CephadmDaemonDeploySpec) -> None:
 self.register_for_certificates(daemon_spec)
+ self.reconcile_certificates(daemon_spec)
+
+ def reconcile_certificates(self, daemon_spec: CephadmDaemonDeploySpec) -> None:
+ """Garbage-collect stale TLS objects when the certificate source has changed."""
+ if not self.requires_certificates:
+ return
+ spec = self.mgr.spec_store[daemon_spec.service_name].spec
+ cert_source = getattr(spec, 'certificate_source', None)
+ svc_name = spec.service_name()
+ host = daemon_spec.host
+
+ # Inline-saved certs/keys are persisted in the certmgr store as user_made=True
+ # but editable=False. These should be garbage-collected once the service no
+ # longer uses INLINE.
+ if cert_source in (CertificateSource.REFERENCE.value, CertificateSource.CEPHADM_SIGNED.value):
+ self.mgr.cert_mgr.rm_inline_saved_cert_key_pair(
+ self.cert_name,
+ self.key_name,
+ service_name=svc_name,
+ host=host,
+ ca_cert_name=self.ca_cert_name,
+ )
+
+ # Cephadm-signed certs/keys are stored under cephadm-signed_* entities and
+ # should be removed when the service no longer uses CEPHADM_SIGNED.
+ if cert_source != CertificateSource.CEPHADM_SIGNED.value:
+ self.mgr.cert_mgr.try_rm_self_signed_cert_key_pair(svc_name, host)
+
+ def prepare_create(self, daemon_spec: CephadmDaemonDeploySpec) -> CephadmDaemonDeploySpec:
+ self.prepare_certificates(daemon_spec)
 daemon_spec.final_config, daemon_spec.deps = self.generate_config(daemon_spec)
 return daemon_spec
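Review bot: In `reconcile_certificates` the source is read through a hard-coded attribute name, `cert_source = getattr(spec, 'certificate_source', None)`, whereas the code removed from the getter took that name via `cert_source_attr` and `register_for_certificates` (visible at the top of this hunk) asks the spec through `spec.is_using_certificates_source(...)`. A spec that carries its source under another attribute, or none at all, yields `None`, and `None != CertificateSource.CEPHADM_SIGNED.value` holds, so the GC branch calls `try_rm_self_signed_cert_key_pair(svc_name, host)` and could delete a cephadm-signed key pair the service still uses (whether such a spec exists is not visible here). I would treat an unknown source as "nothing to reconcile": `if cert_source is None:` / `    logger.debug(f'No certificate source on {svc_name}; skipping TLS reconciliation')` / `    return`, or derive both the registration and the GC decision from `spec.is_using_certificates_source()` so they cannot disagree. The inline GC now also passes `self.cert_name`/`self.key_name`/`self.ca_cert_name` where the removed code received explicit names from its caller; presumably these coincide for every service, but that is worth confirming for any getter call that supplies custom names.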
@@ -1510,7 +1518,7 @@ class RgwService(CephService):
 def prepare_create(self, daemon_spec: CephadmDaemonDeploySpec) -> CephadmDaemonDeploySpec:
 assert self.TYPE == daemon_spec.daemon_type
- self.register_for_certificates(daemon_spec)
+ super().prepare_certificates(daemon_spec)
 rgw_id, _ = daemon_spec.daemon_id, daemon_spec.host
 spec = cast(RGWSpec, self.mgr.spec_store[daemon_spec.service_name].spec)
@@ -1921,7 +1929,7 @@ class CephExporterService(CephService):
 def prepare_create(self, daemon_spec: CephadmDaemonDeploySpec) -> CephadmDaemonDeploySpec:
 assert self.TYPE == daemon_spec.daemon_type
- self.register_for_certificates(daemon_spec)
+ super().prepare_certificates(daemon_spec)
 spec = cast(CephExporterSpec, self.mgr.spec_store[daemon_spec.service_name].spec)
 keyring = self.get_keyring_with_caps(self.get_auth_entity(daemon_spec.daemon_id), ['mon', 'profile ceph-exporter',
diff --git a/src/pybind/mgr/cephadm/services/iscsi.py b/src/pybind/mgr/cephadm/services/iscsi.py
index b33c88b52b46..d49adfd2227f 100644
--- a/src/pybind/mgr/cephadm/services/iscsi.py
+++ b/src/pybind/mgr/cephadm/services/iscsi.py
@@ -56,7 +56,7 @@ class IscsiService(CephService):
 def prepare_create(self, daemon_spec: CephadmDaemonDeploySpec) -> CephadmDaemonDeploySpec:
 assert self.TYPE == daemon_spec.daemon_type
- self.register_for_certificates(daemon_spec)
+ super().prepare_certificates(daemon_spec)
 spec = cast(IscsiServiceSpec, self.mgr.spec_store[daemon_spec.service_name].spec)
 igw_id = daemon_spec.daemon_id
diff --git a/src/pybind/mgr/cephadm/services/mgmt_gateway.py b/src/pybind/mgr/cephadm/services/mgmt_gateway.py
index dc68eb465cbd..801a76b281e5 100644
--- a/src/pybind/mgr/cephadm/services/mgmt_gateway.py
+++ b/src/pybind/mgr/cephadm/services/mgmt_gateway.py
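Review bot: The replacement line in `RgwService.prepare_create` reaches the new hook through `super().prepare_certificates(daemon_spec)`, while the line it replaces used `self.register_for_certificates(daemon_spec)`; going through `super()` bypasses any override of `prepare_certificates` a subclass (or this class, later) might add, and nothing in the hunk needs that. `self.prepare_certificates(daemon_spec)` is the conventional form and matches the base-class `prepare_create` in the previous file, which also calls it on `self`; the same applies to the CephExporterService and IscsiService hunks that follow. `prepare_create`'s body continues past the end of this hunk.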
@@ -26,7 +26,7 @@ class MgmtGatewayService(CephadmService):
 def prepare_create(self, daemon_spec: CephadmDaemonDeploySpec) -> CephadmDaemonDeploySpec:
 assert self.TYPE == daemon_spec.daemon_type
- super().register_for_certificates(daemon_spec)
+ super().prepare_certificates(daemon_spec)
 self.mgr.cert_mgr.register_self_signed_cert_key_pair(MgmtGatewayService.TYPE, INTERNAL_CERT_LABEL)
 daemon_spec.final_config, daemon_spec.deps = self.generate_config(daemon_spec)
 return daemon_spec
diff --git a/src/pybind/mgr/cephadm/services/nfs.py b/src/pybind/mgr/cephadm/services/nfs.py
index 566d936a6ed2..d47adb3327eb 100644
--- a/src/pybind/mgr/cephadm/services/nfs.py
+++ b/src/pybind/mgr/cephadm/services/nfs.py
@@ -146,8 +146,7 @@ class NFSService(CephService):
 def generate_config(self, daemon_spec: CephadmDaemonDeploySpec) -> Tuple[Dict[str, Any], List[str]]:
 assert self.TYPE == daemon_spec.daemon_type
-
- super().register_for_certificates(daemon_spec)
+ super().prepare_certificates(daemon_spec)
 daemon_type = daemon_spec.daemon_type
 daemon_id = daemon_spec.daemon_id
 host = daemon_spec.host
diff --git a/src/pybind/mgr/cephadm/services/node_proxy.py b/src/pybind/mgr/cephadm/services/node_proxy.py
index a760c223352d..9b9de4e6e133 100644
--- a/src/pybind/mgr/cephadm/services/node_proxy.py
+++ b/src/pybind/mgr/cephadm/services/node_proxy.py
@@ -26,7 +26,7 @@ class NodeProxy(CephService):
 if not self.mgr.http_server.agent:
 raise OrchestratorError('Cannot deploy node-proxy before creating cephadm endpoint')
- super().register_for_certificates(daemon_spec)
+ super().prepare_certificates(daemon_spec)
 keyring = self.get_keyring_with_caps(self.get_auth_entity(daemon_id, host=host), [])
 daemon_spec.keyring = keyring
 self.mgr.node_proxy_cache.update_keyring(host, keyring)
diff --git a/src/pybind/mgr/cephadm/services/nvmeof.py b/src/pybind/mgr/cephadm/services/nvmeof.py
index b811d0118f78..e83db5a42bfe 100644
--- a/src/pybind/mgr/cephadm/services/nvmeof.py
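Review bot: In the nfs.py hunk the hook is invoked from `NFSService.generate_config` rather than from `prepare_create` as in the other services in this commit, and `prepare_certificates` now also runs `reconcile_certificates`, which deletes entries from the cert store. Every caller of `generate_config` (presumably including reconfig paths, which are not visible here) therefore performs the inline/cephadm-signed GC, not only the initial deploy; if that is the intent behind "every time there's a switch" in the commit message, a one-line comment at the call site would spare the next reader the question: `# also GCs stale cert-store entries; running it here covers reconfig as well as first deploy`. `generate_config` continues beyond the end of the hunk.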
+++ b/src/pybind/mgr/cephadm/services/nvmeof.py
@@ -120,7 +120,7 @@ class NvmeofService(CephService):
 ['mon', 'profile rbd', 'osd', 'profile rbd'])
- super().register_for_certificates(daemon_spec)
+ super().prepare_certificates(daemon_spec)
 self.mgr.cert_mgr.register_self_signed_cert_key_pair(spec.service_name(), NVMEOF_CLIENT_CERT_LABEL)
 self.configure_tls(spec, daemon_spec)
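Review bot: Here `super().prepare_certificates(daemon_spec)` runs immediately before `register_self_signed_cert_key_pair(spec.service_name(), NVMEOF_CLIENT_CERT_LABEL)`; `reconcile_certificates` calls `try_rm_self_signed_cert_key_pair(svc_name, host)` with no label whenever the spec's source is not CEPHADM_SIGNED, and whether that removal also covers the labelled client-cert entity cannot be told from this diff. If it does, the sequence is correct only because the re-registration follows on the very next line, which deserves a comment so the order is not broken later: `# reconcile may drop cephadm-signed entities for this service; the labelled client cert is (re)registered right after`. The same ordering question applies to `INTERNAL_CERT_LABEL` in the mgmt_gateway hunk. The enclosing function starts and ends outside this hunk.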