From 4fe35117ce2349adc023604ead1c37c8680b90c4 Mon Sep 17 00:00:00 2001 From: Sage Weil Date: Wed, 10 Mar 2021 14:58:09 -0500 Subject: [PATCH] mgr/cephadm: remove ssl_frontend_ssl_key from RGWSpec Since this didn't work anyway, stop collecting and passing through the private key portion of the certificate. Instead, users should include both in the first option. This is simpler, and provides consistency across civetweb and beast rgw backends (for whatever that is worth). NOTE: dashboard changes are not included here. Signed-off-by: Sage Weil --- src/cephadm/samples/rgw_ssl.json | 4 +--- .../mgr/cephadm/services/cephadmservice.py | 18 +----------------- .../ceph/deployment/service_spec.py | 2 -- 3 files changed, 2 insertions(+), 22 deletions(-) diff --git a/src/cephadm/samples/rgw_ssl.json b/src/cephadm/samples/rgw_ssl.json index d3c45111a90..3fe6fea1c32 100644 --- a/src/cephadm/samples/rgw_ssl.json +++ b/src/cephadm/samples/rgw_ssl.json @@ -44,9 +44,7 @@ "kWpZ2ypBDH45h2o3LyqvGjsu/BFkeG6JpEDCWbClKWcjKxOrLVDufhSDduffDjja", "zOsgQJg0Yf//Ubb5p0c54GjHM/XDXEcV3m3sEtbmMYz6xGwuag4bx8P2E/QY8sFp", "JxgIdS8vdl6YhDCjKJ2XzI30JwCdftgDIAiWSE0ivoDc+8+gG1nb11GT52HFzA==", - "-----END CERTIFICATE-----" - ], - "rgw_frontend_ssl_key": [ + "-----END CERTIFICATE-----", "-----BEGIN PRIVATE KEY-----", "MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDKbRiedt0JBG3N", "+82vIrgk2oY9Ga+ocvk6El/1X3c8Y4mB7g9j4mWciQe7dnjqogPLEOTeddxFLX9m", diff --git a/src/pybind/mgr/cephadm/services/cephadmservice.py b/src/pybind/mgr/cephadm/services/cephadmservice.py index 2510e45afda..46062479973 100644 --- a/src/pybind/mgr/cephadm/services/cephadmservice.py +++ b/src/pybind/mgr/cephadm/services/cephadmservice.py 
@@ -714,25 +714,10 @@ class RgwService(CephService): % spec.rgw_frontend_ssl_certificate) ret, out, err = self.mgr.check_mon_command({ 'prefix': 'config-key set', - 'key': f'rgw/cert/{spec.service_name()}.crt', + 'key': f'rgw/cert/{spec.service_name()}.crt', # NOTE: actually a .pem! 'val': cert_data, }) - if spec.rgw_frontend_ssl_key: - if isinstance(spec.rgw_frontend_ssl_key, list): - key_data = '\n'.join(spec.rgw_frontend_ssl_key) - elif isinstance(spec.rgw_frontend_ssl_certificate, str): - key_data = spec.rgw_frontend_ssl_key - else: - raise OrchestratorError( - 'Invalid rgw_frontend_ssl_key: %s' - % spec.rgw_frontend_ssl_key) - ret, out, err = self.mgr.check_mon_command({ - 'prefix': 'config-key set', - 'key': f'rgw/cert/{spec.service_name()}.key', - 'val': key_data, - }) - # TODO: fail, if we don't have a spec logger.info('Saving service %s spec with placement %s' % ( spec.service_name(), spec.placement.pretty_str())) @@ -750,7 +735,6 @@ class RgwService(CephService): if spec.ssl: args.append(f"ssl_port={daemon_spec.ports[0]}") args.append(f"ssl_certificate=config://rgw/cert/{spec.service_name()}.crt") - args.append(f"ssl_private_key=config://rgw/cert/{spec.service_name()}.key") else: args.append(f"port={daemon_spec.ports[0]}") frontend = f'beast {" ".join(args)}' diff --git a/src/python-common/ceph/deployment/service_spec.py b/src/python-common/ceph/deployment/service_spec.py index 339dbe0a483..1c45780778c 100644 --- a/src/python-common/ceph/deployment/service_spec.py +++ b/src/python-common/ceph/deployment/service_spec.py @@ -707,7 +707,6 @@ class RGWSpec(ServiceSpec): rgw_zone: Optional[str] = None, rgw_frontend_port: Optional[int] = None, rgw_frontend_ssl_certificate: Optional[List[str]] = None, - rgw_frontend_ssl_key: Optional[List[str]] = None, unmanaged: bool = False, ssl: bool = False, preview_only: bool = False, 
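Review bot: Nothing in the first cephadmservice.py hunk checks that `cert_data` actually contains a private key before it is written to `rgw/cert/<service>.crt`, although after this change that single value is the only place the beast frontend can get the key from. A certificate-only value would be accepted here and, as far as the visible lines show, would only fail once the daemon starts; a guard before the `config-key set` call such as `if spec.ssl and 'PRIVATE KEY-----' not in cert_data: raise OrchestratorError('rgw_frontend_ssl_certificate must also contain the private key')` would surface that at apply time. The removed branch used to write `rgw/cert/<service>.key`, and nothing in this patch deletes that entry, so clusters that applied an SSL spec earlier presumably keep an orphaned private key in the config-key store; a `config-key rm` for that key on apply would clean it up. The error path in the context lines formats the raw field into the `OrchestratorError` message (`% spec.rgw_frontend_ssl_certificate`); now that this field carries key material, reporting only its type would keep it out of logs. The enclosing method starts and ends outside the hunk, so `cert_data` and the `raise` line are inferred from context.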
@@ -729,7 +728,6 @@ class RGWSpec(ServiceSpec): self.rgw_zone = rgw_zone self.rgw_frontend_port = rgw_frontend_port self.rgw_frontend_ssl_certificate = rgw_frontend_ssl_certificate - self.rgw_frontend_ssl_key = rgw_frontend_ssl_key self.ssl = ssl def get_port_start(self) -> Optional[int]: -- 2.39.5