From 945b1726d9f2244bbf874d85fc05543f94d883d2 Mon Sep 17 00:00:00 2001
From: Redouane Kachach
Date: Tue, 11 Mar 2025 10:27:00 +0100
Subject: [PATCH] mgr/cephadm: fixing mgmt-gateway cert generation for HA scenarios

modified the code to include only the virtual IP in the certificate when running in high availability (HA) mode, excluding the host FQDN to ensure consistent certificate validation across all mgmt-gateway instances.

https://tracker.ceph.com/issues/70391

Signed-off-by: Redouane Kachach
---
 .../mgr/cephadm/services/mgmt_gateway.py | 21 +++++++++++--------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/src/pybind/mgr/cephadm/services/mgmt_gateway.py b/src/pybind/mgr/cephadm/services/mgmt_gateway.py
index 1ca7bb74855..cec91b0ecee 100644
--- a/src/pybind/mgr/cephadm/services/mgmt_gateway.py
+++ b/src/pybind/mgr/cephadm/services/mgmt_gateway.py
@@ -40,11 +40,11 @@ class MgmtGatewayService(CephadmService):
 # if empty list provided, return empty Daemon Desc
 return DaemonDescription()

- def get_mgmt_gw_ips(self, svc_spec: MgmtGatewaySpec, daemon_spec: CephadmDaemonDeploySpec) -> List[str]:
- mgmt_gw_ips = [self.mgr.inventory.get_addr(daemon_spec.host)]
+ def get_mgmt_gw_ip(self, svc_spec: MgmtGatewaySpec, daemon_spec: CephadmDaemonDeploySpec) -> str:
 if svc_spec.virtual_ip is not None:
- mgmt_gw_ips.append(svc_spec.virtual_ip)
- return mgmt_gw_ips
+ return svc_spec.virtual_ip
+ else:
+ return self.mgr.inventory.get_addr(daemon_spec.host)

 def config_dashboard(self, daemon_descrs: List[DaemonDescription]) -> None:
 # we adjust the standby behaviour so rev-proxy can pick correctly the active instance
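Review bot: The `else:` after `return svc_spec.virtual_ip` in `get_mgmt_gw_ip` is redundant; drop it and let the fallback be the unconditional last line, `return self.mgr.inventory.get_addr(daemon_spec.host)`. The method is also renamed and its return type narrows from `List[str]` to `str`, and the diffstat shows only this file changed, so any caller elsewhere still using `get_mgmt_gw_ips` or iterating over the result would break — worth a grep before merging. A short docstring would document the new contract: `"""Return the address to certify: the virtual IP when one is configured (HA), otherwise this host's address."""`.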
@@ -63,9 +63,12 @@ class MgmtGatewayService(CephadmService):
 key = svc_spec.ssl_certificate_key
 else:
 # not provided on the spec, let's generate self-sigend certificates
- ips = self.get_mgmt_gw_ips(svc_spec, daemon_spec)
- host_fqdn = self.mgr.get_fqdn(daemon_spec.host)
- cert, key = self.mgr.cert_mgr.generate_cert(host_fqdn, ips)
+ ip = self.get_mgmt_gw_ip(svc_spec, daemon_spec)
+ # we don't include the host_fqdn in case of using a virtual_ip
+ # because we may have several instances of the mgmt-gateway running
+ # on different hosts
+ host_fqdn = [] if svc_spec.virtual_ip else [self.mgr.get_fqdn(daemon_spec.host)]
+ cert, key = self.mgr.cert_mgr.generate_cert(host_fqdn, ip)
 # save certificates
 if cert and key:
 self.mgr.cert_mgr.save_cert('mgmt_gw_cert', cert, user_made=user_made)
@@ -75,9 +78,9 @@ class MgmtGatewayService(CephadmService):
 return cert, key

 def get_internal_certificates(self, svc_spec: MgmtGatewaySpec, daemon_spec: CephadmDaemonDeploySpec) -> Tuple[str, str]:
- ips = self.get_mgmt_gw_ips(svc_spec, daemon_spec)
+ ip = self.get_mgmt_gw_ip(svc_spec, daemon_spec)
 host_fqdn = self.mgr.get_fqdn(daemon_spec.host)
- return self.mgr.cert_mgr.generate_cert(host_fqdn, ips)
+ return self.mgr.cert_mgr.generate_cert(host_fqdn, ip)

 def get_service_discovery_endpoints(self) -> List[str]:
 sd_endpoints = []
-- 
2.39.5
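Review bot: The condition `if svc_spec.virtual_ip` on the new `host_fqdn = ...` line disagrees with the `is not None` test in `get_mgmt_gw_ip`: an empty-string `virtual_ip` would make `get_mgmt_gw_ip` return that empty string as the address while the host FQDN is still added here; use the same test in both places, `host_fqdn = [] if svc_spec.virtual_ip is not None else [self.mgr.get_fqdn(daemon_spec.host)]`. In the HA case an empty name list is now passed as the first argument of `cert_mgr.generate_cert`; that helper is not shown here, so confirm it tolerates an empty host list (for example when it chooses the subject CN) rather than failing on exactly the virtual-IP path this change targets. Since `host_fqdn` now holds a list rather than a name, something like `san_hosts` would read more accurately. The enclosing function starts outside the hunk.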
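Review bot: `get_internal_certificates` now puts only the single address returned by `get_mgmt_gw_ip` into the internal certificate, so when a virtual IP is configured the host's own address is no longer a SAN; any internal consumer that reaches this instance by host IP rather than by FQDN or the VIP would then fail validation — confirm that is intended, or keep both addresses as before with `ips = [ip, self.mgr.inventory.get_addr(daemon_spec.host)]` if `generate_cert` still accepts a list. Note also that `generate_cert` is called here with a `str` first argument but with a list in the previous hunk; if it accepts both, fine, otherwise pass `[host_fqdn]` here for consistency.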