From 60103d084872cebcfeaffc4f0549b651d0d57ea3 Mon Sep 17 00:00:00 2001
From: Sage Weil
Date: Wed, 10 Mar 2021 14:58:09 -0500
Subject: [PATCH] mgr/cephadm: remove ssl_frontend_ssl_key from RGWSpec

Since this didn't work anyway, stop collecting and passing through the private key portion of the certificate. Instead, users should include both in the first option. This is simpler, and provides consistency across civetweb and beast rgw backends (for whatever that is worth). NOTE: dashboard changes are not included here.
Signed-off-by: Sage Weil
(cherry picked from commit 4fe35117ce2349adc023604ead1c37c8680b90c4)
---
 src/cephadm/samples/rgw_ssl.json | 4 +---
 .../mgr/cephadm/services/cephadmservice.py | 18 +-----------------
 .../ceph/deployment/service_spec.py | 2 --
 3 files changed, 2 insertions(+), 22 deletions(-)
diff --git a/src/cephadm/samples/rgw_ssl.json b/src/cephadm/samples/rgw_ssl.json
index d3c45111a90..3fe6fea1c32 100644
--- a/src/cephadm/samples/rgw_ssl.json
+++ b/src/cephadm/samples/rgw_ssl.json
@@ -44,9 +44,7 @@
 "kWpZ2ypBDH45h2o3LyqvGjsu/BFkeG6JpEDCWbClKWcjKxOrLVDufhSDduffDjja",
 "zOsgQJg0Yf//Ubb5p0c54GjHM/XDXEcV3m3sEtbmMYz6xGwuag4bx8P2E/QY8sFp",
 "JxgIdS8vdl6YhDCjKJ2XzI30JwCdftgDIAiWSE0ivoDc+8+gG1nb11GT52HFzA==",
- "-----END CERTIFICATE-----"
- ],
- "rgw_frontend_ssl_key": [
+ "-----END CERTIFICATE-----",
 "-----BEGIN PRIVATE KEY-----",
 "MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDKbRiedt0JBG3N",
 "+82vIrgk2oY9Ga+ocvk6El/1X3c8Y4mB7g9j4mWciQe7dnjqogPLEOTeddxFLX9m",
diff --git a/src/pybind/mgr/cephadm/services/cephadmservice.py b/src/pybind/mgr/cephadm/services/cephadmservice.py
index af435af542e..c9e84c8b2d5 100644
--- a/src/pybind/mgr/cephadm/services/cephadmservice.py
+++ b/src/pybind/mgr/cephadm/services/cephadmservice.py
@@ -714,25 +714,10 @@ class RgwService(CephService): % spec.rgw_frontend_ssl_certificate) ret, out, err = self.mgr.check_mon_command({ 'prefix': 'config-key set', - 'key': f'rgw/cert/{spec.service_name()}.crt', + 'key': f'rgw/cert/{spec.service_name()}.crt', # NOTE: actually a .pem! 'val': cert_data, }) - if spec.rgw_frontend_ssl_key: - if isinstance(spec.rgw_frontend_ssl_key, list): - key_data = '\n'.join(spec.rgw_frontend_ssl_key) - elif isinstance(spec.rgw_frontend_ssl_certificate, str): - key_data = spec.rgw_frontend_ssl_key - else: - raise OrchestratorError( - 'Invalid rgw_frontend_ssl_key: %s' - % spec.rgw_frontend_ssl_key) - ret, out, err = self.mgr.check_mon_command({ - 'prefix': 'config-key set', - 'key': f'rgw/cert/{spec.service_name()}.key', - 'val': key_data, - }) - # TODO: fail, if we don't have a spec logger.info('Saving service %s spec with placement %s' % ( spec.service_name(), spec.placement.pretty_str())) @@ -750,7 +735,6 @@ class RgwService(CephService): if spec.ssl: args.append(f"ssl_port={daemon_spec.ports[0]}") args.append(f"ssl_certificate=config://rgw/cert/{spec.service_name()}.crt") - args.append(f"ssl_private_key=config://rgw/cert/{spec.service_name()}.key") else: args.append(f"port={daemon_spec.ports[0]}") frontend = f'beast {" ".join(args)}' diff --git a/src/python-common/ceph/deployment/service_spec.py b/src/python-common/ceph/deployment/service_spec.py index b6a3869a860..66e4a5f07c1 100644 --- a/src/python-common/ceph/deployment/service_spec.py +++ b/src/python-common/ceph/deployment/service_spec.py @@ -703,7 +703,6 @@ class RGWSpec(ServiceSpec): rgw_zone: Optional[str] = None, rgw_frontend_port: Optional[int] = None, rgw_frontend_ssl_certificate: Optional[List[str]] = None, - rgw_frontend_ssl_key: Optional[List[str]] = None, unmanaged: bool = False, ssl: bool = False, preview_only: bool = False, 
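Review bot: Nothing in this hunk checks that `cert_data` actually contains a private key before it is written to `rgw/cert/{spec.service_name()}.crt`, although the key now has to travel inside `rgw_frontend_ssl_certificate` and the `@@ -750` hunk stops passing `ssl_private_key` to beast. A spec written for the old two-field layout would be stored as-is and the problem would presumably only surface when the daemon starts; a guard such as `if 'PRIVATE KEY' not in cert_data: raise OrchestratorError('rgw_frontend_ssl_certificate must include the private key')` before the `config-key set` call would reject it at apply time. The removed branch used to write `rgw/cert/{spec.service_name()}.key`, and no visible line deletes that entry, so key material stored by an earlier version probably stays in the config-key store after upgrade; a one-time cleanup is worth considering. The enclosing method starts and ends outside the hunk.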
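Review bot: Removing the `rgw_frontend_ssl_key` keyword from `RGWSpec.__init__` (and its attribute in the `@@ -725` hunk) leaves no visible handling for specs that still carry the field, such as ones saved before the upgrade or existing spec files. Whether those now fail to load or have the key silently ignored depends on the rest of the signature, which lies outside the hunk; either outcome deserves an explicit, clear error rather than an accident of argument parsing. Since `rgw_frontend_ssl_certificate` now holds the private key too, a comment on it would help, e.g. `# PEM bundle: certificate followed by its private key; handle as a secret`, so that code which prints or exports the spec does not treat the field as public.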
@@ -725,7 +724,6 @@ class RGWSpec(ServiceSpec): self.rgw_zone = rgw_zone self.rgw_frontend_port = rgw_frontend_port self.rgw_frontend_ssl_certificate = rgw_frontend_ssl_certificate - self.rgw_frontend_ssl_key = rgw_frontend_ssl_key self.ssl = ssl def get_port_start(self) -> Optional[int]: -- 2.47.3