From 48ba46f797ee0039591571f92d44bf6b63c55d39 Mon Sep 17 00:00:00 2001
From: Adam King
Date: Thu, 23 May 2024 12:54:25 -0400
Subject: [PATCH] mgr/cephadm: allow passing client/server cert/key in nvmeof spec

Before this patch the client/server cert/key fields were just filepaths that told the nvmeof gw daemon where to look for the cert/key. There's not much reason why users would care where in the nvmeof gw container the cert goes. It's more useful to use these fields as a way to pass the certs/keys to the daemon and then just hardcode where in the container we'll place the certs/keys

Signed-off-by: Adam King
(cherry picked from commit e9fca39092348e6c08022341116875e831c175f0)
(cherry picked from commit e2e6aeb40acc98070e0e2c4a0056e42458e9f4f1)
---
 src/cephadm/cephadmlib/daemons/nvmeof.py | 12 ++++++++++++
 src/pybind/mgr/cephadm/services/nvmeof.py | 17 +++++++++++++++++
 .../services/nvmeof/ceph-nvmeof.conf.j2 | 8 ++++----
 .../ceph/deployment/service_spec.py | 10 +++++-----
 4 files changed, 38 insertions(+), 9 deletions(-)

diff --git a/src/cephadm/cephadmlib/daemons/nvmeof.py b/src/cephadm/cephadmlib/daemons/nvmeof.py
index f22147c775c37..8c0623448ff03 100644
--- a/src/cephadm/cephadmlib/daemons/nvmeof.py
+++ b/src/cephadm/cephadmlib/daemons/nvmeof.py
@@ -76,12 +76,24 @@ class CephNvmeof(ContainerDaemonForm):
         mounts[log_dir] = '/var/log/ceph:z'
         return mounts
 
+    def _get_tls_cert_key_mounts(
+        self, data_dir: str, files: Dict[str, str]
+    ) -> Dict[str, str]:
+        mounts = dict()
+        for fn in ['server_cert', 'server_key', 'client_cert', 'client_key']:
+            if fn in files:
+                mounts[
+                    os.path.join(data_dir, fn)
+                ] = f'/{fn.replace("_", ".")}'
+        return mounts
+
     def customize_container_mounts(
         self, ctx: CephadmContext, mounts: Dict[str, str]
     ) -> None:
         data_dir = self.identity.data_dir(ctx.data_dir)
         log_dir = os.path.join(ctx.log_dir, self.identity.fsid)
         mounts.update(self._get_container_mounts(data_dir, log_dir))
+        mounts.update(self._get_tls_cert_key_mounts(data_dir, self.files))
 
     def customize_container_binds(
         self, ctx: CephadmContext, binds: List[List[str]]
diff --git a/src/pybind/mgr/cephadm/services/nvmeof.py b/src/pybind/mgr/cephadm/services/nvmeof.py
index 99e63c0b7da17..f6b1c22dba326 100644
--- a/src/pybind/mgr/cephadm/services/nvmeof.py
+++ b/src/pybind/mgr/cephadm/services/nvmeof.py
@@ -53,6 +53,23 @@ class NvmeofService(CephService):
         daemon_spec.keyring = keyring
         daemon_spec.extra_files = {'ceph-nvmeof.conf': gw_conf}
 
+
+        if spec.enable_auth:
+            if (
+                not spec.client_cert
+                or not spec.client_key
+                or not spec.server_cert
+                or not spec.server_key
+            ):
+                self.mgr.log.error(f'enable_auth set for {spec.service_name()} spec, but at '
+                                   'least one of server/client cert/key fields missing. TLS '
+                                   f'not being set up for {daemon_spec.name()}')
+            else:
+                daemon_spec.extra_files['server_cert'] = spec.server_cert
+                daemon_spec.extra_files['client_cert'] = spec.client_cert
+                daemon_spec.extra_files['server_key'] = spec.server_key
+                daemon_spec.extra_files['client_key'] = spec.client_key
+
         daemon_spec.final_config, daemon_spec.deps = self.generate_config(daemon_spec)
         daemon_spec.deps = []
         return daemon_spec
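Review bot: The bind mounts built in `_get_tls_cert_key_mounts` are read-write and carry no SELinux label, unlike the `'/var/log/ceph:z'` mount a few lines above, so the gateway process can overwrite its own private key and on SELinux-enforcing hosts the files may not be readable inside the container at all. A read-only mount with the label the rest of the file uses, `] = f'/{fn.replace("_", ".")}:ro,z'`, keeps the key material immutable from the container's point of view (confirm the label form against the other mounts in this file). The container-side paths are also duplicated literally in the `[mtls]` section of `ceph-nvmeof.conf.j2` with nothing tying the two together; a one-line comment above the loop, `# container-side paths must match [mtls] in templates/services/nvmeof/ceph-nvmeof.conf.j2`, would make the coupling visible. Minor style point: `mounts = dict()` is conventionally `mounts = {}`.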
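Review bot: When `spec.enable_auth` is true and a cert/key field is missing, the new branch logs an error and then falls through to `generate_config` and deploys the daemon anyway, so a gateway whose rendered `[mtls]` section points at `/server.key` etc. starts with none of those files mounted, i.e. a degraded-security deployment rather than a failed one. The spec-level `all([...])` check added in service_spec.py in this same patch already rejects such a spec, so this branch should be unreachable for validated specs and raising here instead of logging would be the safer behaviour; at minimum the log line deserves a comment saying it is a defence-in-depth check behind spec validation. Note that `spec.server_key` and `spec.client_key` are private key material being copied into `extra_files`; a short comment that these values must never be logged (the current message correctly does not include them) would protect the next editor. The enclosing method starts outside this hunk.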
diff --git a/src/pybind/mgr/cephadm/templates/services/nvmeof/ceph-nvmeof.conf.j2 b/src/pybind/mgr/cephadm/templates/services/nvmeof/ceph-nvmeof.conf.j2
index f2f994c552118..9ef92991affbc 100644
--- a/src/pybind/mgr/cephadm/templates/services/nvmeof/ceph-nvmeof.conf.j2
+++ b/src/pybind/mgr/cephadm/templates/services/nvmeof/ceph-nvmeof.conf.j2
@@ -41,10 +41,10 @@ config_file = /etc/ceph/ceph.conf
 id = {{ rados_id }}
 
 [mtls]
-server_key = {{ spec.server_key }}
-client_key = {{ spec.client_key }}
-server_cert = {{ spec.server_cert }}
-client_cert = {{ spec.client_cert }}
+server_key = /server.key
+client_key = /client.key
+server_cert = /server.cert
+client_cert = /client.cert
 
 [spdk]
 tgt_path = {{ spec.tgt_path }}
diff --git a/src/python-common/ceph/deployment/service_spec.py b/src/python-common/ceph/deployment/service_spec.py
index ab397476d1f8d..b2dd1c79195b2 100644
--- a/src/python-common/ceph/deployment/service_spec.py
+++ b/src/python-common/ceph/deployment/service_spec.py
@@ -1408,13 +1408,13 @@ class NvmeofServiceSpec(ServiceSpec):
         #: ``bdevs_per_cluster`` number of bdevs per cluster
         self.bdevs_per_cluster = bdevs_per_cluster
         #: ``server_key`` gateway server key
-        self.server_key = server_key or './server.key'
+        self.server_key = server_key
         #: ``server_cert`` gateway server certificate
-        self.server_cert = server_cert or './server.crt'
+        self.server_cert = server_cert
         #: ``client_key`` client key
-        self.client_key = client_key or './client.key'
+        self.client_key = client_key
         #: ``client_cert`` client certificate
-        self.client_cert = client_cert or './client.crt'
+        self.client_cert = client_cert
         #: ``spdk_path`` path to SPDK
         self.spdk_path = spdk_path or '/usr/local/bin/nvmf_tgt'
         #: ``tgt_path`` nvmeof target path
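Review bot: The four hardcoded paths under `[mtls]` now have to agree byte-for-byte with the mount targets computed by `_get_tls_cert_key_mounts` in src/cephadm/cephadmlib/daemons/nvmeof.py (`f'/{fn.replace("_", ".")}'`, which yields `/server.cert` rather than the more usual `.crt`), and nothing in either file records that dependency. A Jinja comment above the section, `{# keep in sync with _get_tls_cert_key_mounts in src/cephadm/cephadmlib/daemons/nvmeof.py #}`, would make the coupling visible to the next person who renames one side. The section is also rendered with these absolute paths when `enable_auth` is false, as it was before; if the gateway tolerates the missing files in that mode this is fine, but it is worth confirming rather than assuming.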
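Review bot: The `#:` attribute docs for `server_key`, `server_cert`, `client_key` and `client_cert` still read as if the fields were a key or certificate in the abstract, and do not say that after this change the field carries the key/certificate contents rather than a path and that the mgr writes it into the daemon's data directory; e.g. `#: ``server_key`` gateway server key (PEM contents, not a path; written into the daemon data dir)`, and the same wording for the other three. Because the private keys are now part of the spec itself, they live wherever the orchestrator persists and displays specs (presumably including spec export/listing), which deserves a sentence in the field docs so operators treat the spec as sensitive. The `__init__` these lines belong to starts and ends outside this hunk.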
@@ -1469,7 +1469,7 @@ class NvmeofServiceSpec(ServiceSpec):
             raise SpecValidationError('Cannot add NVMEOF: No Pool specified')
 
         if self.enable_auth:
-            if not any([self.server_key, self.server_cert, self.client_key, self.client_cert]):
+            if not all([self.server_key, self.server_cert, self.client_key, self.client_cert]):
                 raise SpecValidationError(
                     'enable_auth is true but client/server certificates are missing')
 
-- 
2.39.5
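Review bot: Nothing checks that the four values are key/certificate contents rather than the path-style strings (`./server.key`, `./server.crt`) that specs carried before this patch, so an existing spec holding such paths still passes the `all([...])` test and the literal path text is what ends up written out as the daemon's key file. A content sanity check after the `all(...)` branch would catch that: iterate the four field names, and for any value that does not contain `-----BEGIN` raise `SpecValidationError` naming the offending field. The validation method these lines belong to starts outside this hunk.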