From 4b08c603d2ccda5cd21c8bf7cf0f6d36d6767a1a Mon Sep 17 00:00:00 2001
From: Adam King
Date: Mon, 5 Feb 2024 19:18:00 -0500
Subject: [PATCH] mgr/cephadm: move alertmanager crt/key to cert store

We weren't actually even storing these before, but given we want to be able to offer some more cert management options in the future, it's good to start doing so
Signed-off-by: Adam King
(cherry picked from commit 6ae8c5ae645851dbb6981ede9ae3d0b4dd8e511e)
---
 src/pybind/mgr/cephadm/services/monitoring.py | 18 ++++++++++++++++--
 src/pybind/mgr/cephadm/tests/test_services.py | 3 +++
 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/src/pybind/mgr/cephadm/services/monitoring.py b/src/pybind/mgr/cephadm/services/monitoring.py
index dca7985fe2292..dd9951bdffbd7 100644
--- a/src/pybind/mgr/cephadm/services/monitoring.py
+++ b/src/pybind/mgr/cephadm/services/monitoring.py
@@ -315,8 +315,13 @@ class AlertmanagerService(CephadmService):
 deps.append(f'{hash(alertmanager_user + alertmanager_password)}')
 node_ip = self.mgr.inventory.get_addr(daemon_spec.host)
 host_fqdn = self._inventory_get_fqdn(daemon_spec.host)
- cert, key = self.mgr.http_server.service_discovery.ssl_certs.generate_cert(
- host_fqdn, node_ip)
+ cert = self.mgr.cert_key_store.get_cert('alertmanager_cert', host=daemon_spec.host)
+ key = self.mgr.cert_key_store.get_key('alertmanager_key', host=daemon_spec.host)
+ if not (cert and key):
+ cert, key = self.mgr.http_server.service_discovery.ssl_certs.generate_cert(
+ host_fqdn, node_ip)
+ self.mgr.cert_key_store.save_cert('alertmanager_cert', cert, host=daemon_spec.host)
+ self.mgr.cert_key_store.save_key('alertmanager_key', key, host=daemon_spec.host)
 context = {
 'alertmanager_web_user': alertmanager_user,
 'alertmanager_web_password': password_hash(alertmanager_password),
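Review bot: Once a pair has been saved, the `if not (cert and key):` branch in the `@@ -315,8 +315,13 @@` hunk never regenerates it, so the stored certificate keeps being handed to the daemon even after the host's FQDN or IP changes, after the certificate expires, or after the signing CA is replaced; before this change `generate_cert(host_fqdn, node_ip)` ran on every config generation with the current values. Nothing visible in the hunk checks the stored certificate against `host_fqdn`/`node_ip` or its validity period before reuse, though `cert_key_store` may do so elsewhere. If it does not, the reuse path should validate the stored pair and fall through to regeneration when the check fails; at minimum a comment such as `# stored pair is reused as-is: no expiry/SAN check against host_fqdn/node_ip yet` would record the gap. The enclosing method starts and ends outside the hunk.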
@@ -361,6 +366,15 @@ class AlertmanagerService(CephadmService):
 service_url
 )
 
+ def pre_remove(self, daemon: DaemonDescription) -> None:
+ """
+ Called before alertmanager daemon is removed.
+ """
+ if daemon.hostname is not None:
+ # delete cert/key entires for this grafana daemon
+ self.mgr.cert_key_store.rm_cert('alertmanager_cert', host=daemon.hostname)
+ self.mgr.cert_key_store.rm_key('alertmanager_key', host=daemon.hostname)
+
 def ok_to_stop(self,
 daemon_ids: List[str],
 force: bool = False,
diff --git a/src/pybind/mgr/cephadm/tests/test_services.py b/src/pybind/mgr/cephadm/tests/test_services.py
index 42016a03037be..b32ca1f118803 100644
--- a/src/pybind/mgr/cephadm/tests/test_services.py
+++ b/src/pybind/mgr/cephadm/tests/test_services.py
@@ -692,6 +692,9 @@ class TestMonitoring:
 use_current_daemon_image=False,
 )
 
+ assert cephadm_module.cert_key_store.get_cert('alertmanager_cert', host='test') == 'mycert'
+ assert cephadm_module.cert_key_store.get_key('alertmanager_key', host='test') == 'mykey'
+
 @patch("cephadm.serve.CephadmServe._run_cephadm")
 @patch("cephadm.module.CephadmOrchestrator.get_mgr_ip", lambda _: '::1')
 def test_prometheus_config_security_disabled(self, _run_cephadm, cephadm_module: CephadmOrchestrator):
--
2.39.5
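Review bot: The comment inside `pre_remove` (hunk `@@ -361,6 +366,15 @@` of monitoring.py) says "grafana daemon" and misspells "entries", although the method belongs to `AlertmanagerService` and removes the `alertmanager_cert`/`alertmanager_key` entries. It reads as copied from another service and should be `# delete cert/key entries for this alertmanager daemon`. Separately, when `daemon.hostname` is None the method returns without removing anything and without logging, so a stored private key could be left behind unnoticed. Whether that case can occur is not visible here, but a debug log on that branch would make a skipped cleanup traceable.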
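Review bot: The two assertions added in the `@@ -692,6 +692,9 @@` hunk of test_services.py only cover the first-generation path, where nothing is stored and the pair is generated and then saved. Nothing shown here pre-seeds `cert_key_store` to check that an existing pair is reused rather than regenerated, or checks that `pre_remove` deletes both entries for the host. Those are the two new behaviours in this commit, and a regression in either would leave stale or orphaned key material in the store. The enclosing test function starts outside the hunk, so where 'mycert' and 'mykey' come from is not visible.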