From 90ccfdff24e09fe0cc498d4055b9a016052cddf0 Mon Sep 17 00:00:00 2001
From: Adam King
Date: Fri, 10 Sep 2021 11:46:27 -0400
Subject: [PATCH] mgr/cephadm: handle making certs when we have hostname but no address

Signed-off-by: Adam King
---
 src/pybind/mgr/cephadm/agent.py | 28 +++++++++++--------
 src/pybind/mgr/cephadm/module.py | 4 +--
 .../mgr/cephadm/services/cephadmservice.py | 4 ++-
 3 files changed, 22 insertions(+), 14 deletions(-)

diff --git a/src/pybind/mgr/cephadm/agent.py b/src/pybind/mgr/cephadm/agent.py
index 19a1185db9e..a41c1c7f191 100644
--- a/src/pybind/mgr/cephadm/agent.py
+++ b/src/pybind/mgr/cephadm/agent.py
@@ -7,7 +7,7 @@
 import tempfile
 import threading
 import time
-from orchestrator import OrchestratorError
+# from orchestrator import OrchestratorError
 from mgr_util import verify_tls_files
 from ceph.utils import datetime_now
 from ceph.deployment.inventory import Devices
@@ -357,12 +357,18 @@ class SSLCerts:
 return (cert_str, key_str)
 def generate_cert(self, addr: str = '') -> Tuple[str, str]:
+ have_ip = True
 if addr:
 try:
- ipaddress.IPv4Address(addr)
+ ip = x509.IPAddress(ipaddress.IPv4Address(addr))
 except Exception:
- raise OrchestratorError(
- f'Address supplied to build cert ({addr}) is not valid IPv4 address')
+ try:
+ ip = x509.IPAddress(ipaddress.IPv6Address(addr))
+ except Exception:
+ have_ip = False
+ pass
+ else:
+ ip = x509.IPAddress(ipaddress.IPv4Address(self.mgr.get_mgr_ip()))
 private_key = rsa.generate_private_key(
 public_exponent=65537, key_size=4096, backend=default_backend())
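Review bot: When `addr` is a hostname, the new fallback in `generate_cert` sets `have_ip = False` and the following hunk (`@@ -382,13 +388,13 @@`) then skips the SubjectAlternativeName extension entirely, so the certificate is issued with no SAN at all. A client that verifies the peer name against SAN entries has nothing to match, and any string that fails to parse (a typo included) is now accepted silently where the old code raised. I would record the hostname as an `x509.DNSName` entry instead of dropping the extension, parse with `ipaddress.ip_address()` (covers IPv4 and IPv6 and raises `ValueError`) rather than two nested `except Exception` blocks, and delete the commented-out import in the first hunk instead of leaving it in the file. The subject-name setup and the rest of `generate_cert` lie outside these hunks, so how the common name is filled in for the hostname case should be confirmed there.

```python
    def generate_cert(self, addr: str = '') -> Tuple[str, str]:
        san: x509.GeneralName
        if addr:
            try:
                san = x509.IPAddress(ipaddress.ip_address(addr))
            except ValueError:
                # not an IP literal: keep a SAN by recording it as a DNS name
                san = x509.DNSName(addr)
        else:
            san = x509.IPAddress(ipaddress.ip_address(self.mgr.get_mgr_ip()))
        # … unchanged: key generation, subject and validity setup …
        builder = builder.add_extension(
            x509.SubjectAlternativeName([san]),
            critical=False
        )
```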
@@ -382,13 +388,13 @@ class SSLCerts:
 builder = builder.not_valid_after(datetime.now() + timedelta(days=(365 * 10 + 3)))
 builder = builder.serial_number(x509.random_serial_number())
 builder = builder.public_key(public_key)
- builder = builder.add_extension(
- x509.SubjectAlternativeName(
- [x509.IPAddress(ipaddress.IPv4Address(
- addr if addr else str(self.mgr.get_mgr_ip())))]
- ),
- critical=False
- )
+ if have_ip:
+ builder = builder.add_extension(
+ x509.SubjectAlternativeName(
+ [ip]
+ ),
+ critical=False
+ )
 builder = builder.add_extension(
 x509.BasicConstraints(ca=False, path_length=None), critical=True,
 )
diff --git a/src/pybind/mgr/cephadm/module.py b/src/pybind/mgr/cephadm/module.py
index b46cce02f47..5ddfa436f1a 100644
--- a/src/pybind/mgr/cephadm/module.py
+++ b/src/pybind/mgr/cephadm/module.py
@@ -2268,8 +2268,8 @@ Then run the following:
 root_cert = self.cherrypy_thread.ssl_certs.get_root_cert()
 except Exception:
 pass
- deps = sorted([self.get_mgr_ip(), str(self.endpoint_port), root_cert,
- str(self.get_module_option('device_enhanced_scan'))])
+ deps = sorted([self.get_mgr_ip(), self.inventory.get_addr(daemon_id), str(self.endpoint_port),
+ root_cert, str(self.get_module_option('device_enhanced_scan'))])
 else:
 need = {
 'prometheus': ['mgr', 'alertmanager', 'node-exporter', 'ingress'],
diff --git a/src/pybind/mgr/cephadm/services/cephadmservice.py b/src/pybind/mgr/cephadm/services/cephadmservice.py
index 31f51f0db15..f80bf34669d 100644
--- a/src/pybind/mgr/cephadm/services/cephadmservice.py
+++ b/src/pybind/mgr/cephadm/services/cephadmservice.py
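Review bot: The `deps` list built in the `module.py` hunk and the one returned in `services/cephadmservice.py` (`@@ -1043,4 +1043,6 @@`) are assembled separately and do not have the same shape: `module.py` passes `daemon_id` to `inventory.get_addr()` and leaves `get_mgr_ip()` unwrapped, while the service passes `daemon_spec.host` and wraps the mgr IP in `str()`. If the two lists are compared to decide whether an agent needs reconfiguring (that comparison is outside both hunks), any difference between them would trigger needless redeploys, and a non-string return from `get_addr()` would make `sorted()` raise `TypeError`. I would wrap the new element in both files, `str(self.inventory.get_addr(daemon_id))` here and `str(self.mgr.inventory.get_addr(daemon_spec.host))` there, and add a comment such as `# keep in sync with the deps returned by CephadmAgent in services/cephadmservice.py`; building the list in one shared helper would remove the duplication altogether. The enclosing function in `module.py` starts and ends outside the hunk.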
@@ -1043,4 +1043,6 @@ class CephadmAgent(CephService):
 'listener.key': listener_key,
 }
- return config, sorted([str(self.mgr.get_mgr_ip()), str(self.mgr.endpoint_port), self.mgr.cherrypy_thread.ssl_certs.get_root_cert(), str(self.mgr.get_module_option('device_enhanced_scan'))])
+ return config, sorted([str(self.mgr.get_mgr_ip()), self.mgr.inventory.get_addr(daemon_spec.host),
+ str(self.mgr.endpoint_port), self.mgr.cherrypy_thread.ssl_certs.get_root_cert(),
+ str(self.mgr.get_module_option('device_enhanced_scan'))])
-- 
2.39.5