From 81c54dd9c786a69c6e94aecf5701edec7692058f Mon Sep 17 00:00:00 2001 From: Redouane Kachach Date: Mon, 24 Feb 2025 12:40:20 +0100 Subject: [PATCH] mgr/cephadm: fixing docs and defaults for some options Signed-off-by: Redouane Kachach --- doc/cephadm/certmgr.rst | 21 ++++++++++++++------- src/pybind/mgr/cephadm/module.py | 6 +++--- src/pybind/mgr/cephadm/serve.py | 4 ++++ 3 files changed, 21 insertions(+), 10 deletions(-) diff --git a/doc/cephadm/certmgr.rst b/doc/cephadm/certmgr.rst index 55465e50c18..66d5b5a3f62 100644 --- a/doc/cephadm/certmgr.rst +++ b/doc/cephadm/certmgr.rst @@ -46,8 +46,8 @@ and applies renewal policies based on the certificate type and configured parameters. Cephadm provides several configuration options to manage certificate lifecycle and renewal: -- **`mgr/cephadm/certificate_automated_rotation_enabled`** (default: `False`): - Disabled by default, this configuration option controls +- **`mgr/cephadm/certificate_automated_rotation_enabled`** (default: `True`): + Enabled by default, this configuration option controls whether Cephadm automatically rotates certificates upon expiration. This helps ensure continuity and security without manual intervention. When disabled cephadm will still check periodically the certificates but instead of automatically renewing self-signed @@ -58,7 +58,7 @@ lifecycle and renewal: and signed by the Cephadm root CA. This determines the validity period before renewal is required. -- **`certificate_renewal_threshold_days`** (default: `30`, min: `10`, max: +- **`mgr/cephadm/certificate_renewal_threshold_days`** (default: `30`, min: `10`, max: `90`): Defines the number of days before a certificate's expiration when Cephadm should initiate renewal. This ensures timely replacement before expiration occurs. This applies to both self-signed and user-provided 
@@ -66,6 +66,10 @@ lifecycle and renewal: health error or warning alerting administrators about the upcoming renewal period proximity. +- **`mgr/cephadm/certificate_check_period`** (default: `1`, min: `0`, max: `30`): + Specifies how often (in days) the certificate should be checked for validity. + This ensures timely detection of any issues related to certificate expiration. + Setting this to `0` disables the certificate check functionality. Certificate Health Monitoring ============================= @@ -201,11 +205,14 @@ To associate a certificate with a private key: .. prompt:: bash # - ceph orch certmgr cert-key set [--cert ] [--key ] [--service_name ] [--hostname ] [--force] + ceph orch certmgr cert-key set [--cert ] [--key ] [--service_name ] [--hostname ] [-i ] [--force] -Use this command to upload or replace an existing certificate/key pair for a -certain service. Replace `` with the actual certificate name from -`ceph orch certmgr entity ls`. +Use this command to upload or replace an existing certificate/key pair +for a certain service. Replace `` with the actual +certificate name from `ceph orch certmgr entity ls`. The -i option +can be used to specify a file containing a combined certificate and +key in PEM format. This file should include both the certificate and +private key concatenated together. Setting a Certificate ===================== diff --git a/src/pybind/mgr/cephadm/module.py b/src/pybind/mgr/cephadm/module.py index 752d9ddfe80..6476766dd61 100644 --- a/src/pybind/mgr/cephadm/module.py +++ b/src/pybind/mgr/cephadm/module.py @@ -413,7 +413,7 @@ class CephadmOrchestrator(orchestrator.Orchestrator, MgrModule, Option( 'certificate_automated_rotation_enabled', type='bool', - default=False, + default=True, desc='This flag controls whether cephadm automatically rotates certificates upon expiration.', ), Option( 
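Review bot: Flipping `default=False` to `default=True` for `certificate_automated_rotation_enabled` changes behaviour on upgrade for every cluster that never set the option explicitly. Those clusters would presumably start having cephadm-signed certificates renewed automatically instead of only being alerted. The commit subject calls this a docs-and-defaults fix, so the switch is easy to miss. It deserves a release-note entry and a sentence in `desc`, e.g. `'Enabled by default; set to false to only be alerted about expiring certificates.'`, wording to be confirmed against what the disabled path really does. The Option list starts and ends outside this hunk.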
@@ -421,8 +421,8 @@ class CephadmOrchestrator(orchestrator.Orchestrator, MgrModule, type='int', default=1, # Default to checking certificates once per day desc='Specifies how often (in days) the certificate should be checked for validity.', - min=1, - max=3, # must be lesr than min of certificate_renewal_threshold_days + min=0, # 0 will disable the certificate checking + max=30, # must be less than the min of certificate_renewal_threshold_days. ), Option( 'certificate_duration_days', diff --git a/src/pybind/mgr/cephadm/serve.py b/src/pybind/mgr/cephadm/serve.py index 543909bbf9c..ed2aae4efb6 100644 --- a/src/pybind/mgr/cephadm/serve.py +++ b/src/pybind/mgr/cephadm/serve.py @@ -142,6 +142,10 @@ class CephadmServe: def _check_certificates(self) -> None: + if self.mgr.certificate_check_period == 0: + # certificate check has been disabled by the user + return + # Check certificates if: # - This is the first time (startup, last_certificates_check is None) # - Or the elapsed time is greater than or equal to the configured check period -- 2.39.5
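Review bot: The new `max=30` contradicts the comment beside it, which says the value must be less than the min of `certificate_renewal_threshold_days`. The documentation hunk in this same patch gives that option a minimum of `10`, so the old `max=3` satisfied the constraint and the new one does not. With a 30-day check period and a 10-day threshold, a certificate can enter its renewal window and expire between two checks with no alert or renewal. Either cap the value below the threshold minimum, e.g. `max=9,  # must stay below the min of certificate_renewal_threshold_days`, or drop the comment and enforce the relation where the two options are read. The `desc` should also mention the new sentinel (`'... 0 disables the check.'`); the threshold's own Option definition is outside the hunk, so its bounds are taken from the docs.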
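Review bot: The early return on `self.mgr.certificate_check_period == 0` turns off expiry detection silently. If renewal is driven from this same method, it also turns off the automated rotation this commit enables by default; the docs in this patch suggest so, but the rest of `_check_certificates` is outside the hunk. Spell that out in the comment, e.g. `# period 0: user disabled certificate checks; no expiry alerts and no automated renewal run from here`, and in the option's documentation. It is also worth confirming that a certificate health warning raised before the option was set to 0 still gets cleared, since nothing after this return re-evaluates it.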