From a0bbccc5d4fda5b3af1b9a0281c4c4e08f2eb6a6 Mon Sep 17 00:00:00 2001
From: Adam King
Date: Mon, 5 Feb 2024 19:56:46 -0500
Subject: [PATCH] mgr/cephadm: move prometheus daemon cert to cert store

We weren't storing this before, but since we want to add more options for cert management, it's good to start doing so

Signed-off-by: Adam King
(cherry picked from commit 255e50827828b464654072c410007923697058ef)
---
 src/pybind/mgr/cephadm/services/monitoring.py | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/src/pybind/mgr/cephadm/services/monitoring.py b/src/pybind/mgr/cephadm/services/monitoring.py
index dd9951bdffbd7..56778083b8b33 100644
--- a/src/pybind/mgr/cephadm/services/monitoring.py
+++ b/src/pybind/mgr/cephadm/services/monitoring.py
@@ -485,6 +485,8 @@ class PrometheusService(CephadmService):
 }
 if self.mgr.secure_monitoring_stack:
+ # NOTE: this prometheus root cert is managed by the prometheus module
+ # we are using it in a read only fashion in the cephadm module
 cfg_key = 'mgr/prometheus/root/cert'
 cmd = {'prefix': 'config-key get', 'key': cfg_key}
 ret, mgr_prometheus_rootca, err = self.mgr.mon_command(cmd)
@@ -493,7 +495,12 @@ class PrometheusService(CephadmService):
 else:
 node_ip = self.mgr.inventory.get_addr(daemon_spec.host)
 host_fqdn = self._inventory_get_fqdn(daemon_spec.host)
- cert, key = self.mgr.http_server.service_discovery.ssl_certs.generate_cert(host_fqdn, node_ip)
+ cert = self.mgr.cert_key_store.get_cert('prometheus_cert', host=daemon_spec.host)
+ key = self.mgr.cert_key_store.get_key('prometheus_key', host=daemon_spec.host)
+ if not (cert and key):
+ cert, key = self.mgr.http_server.service_discovery.ssl_certs.generate_cert(host_fqdn, node_ip)
+ self.mgr.cert_key_store.save_cert('prometheus_cert', cert, host=daemon_spec.host)
+ self.mgr.cert_key_store.save_key('prometheus_key', key, host=daemon_spec.host)
 r: Dict[str, Any] = {
 'files': {
 'prometheus.yml': self.mgr.template.render('services/prometheus/prometheus.yml.j2', context),
@@ -587,6 +594,15 @@ class PrometheusService(CephadmService):
 service_url
 )
 
+ def pre_remove(self, daemon: DaemonDescription) -> None:
+ """
+ Called before prometheus daemon is removed.
+ """
+ if daemon.hostname is not None:
+ # delete cert/key entires for this prometheus daemon
+ self.mgr.cert_key_store.rm_cert('prometheus_cert', host=daemon.hostname)
+ self.mgr.cert_key_store.rm_key('prometheus_key', host=daemon.hostname)
+
 def ok_to_stop(self,
 daemon_ids: List[str],
 force: bool = False,
-- 
2.39.5
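Review bot: The stored pair is reused whenever both `get_cert` and `get_key` return something, with no check that the cached certificate is still unexpired or still carries the `host_fqdn`/`node_ip` that `generate_cert` would put into a fresh one, so a host whose address or FQDN changed after first deploy keeps getting a certificate that no longer matches it and any scraper that verifies the cert will fail against it. The line this replaces regenerated the pair on every config build, so indefinite reuse is new behaviour that neither the code nor the commit message documents; a validity check on the retrieved cert (expiry, and SAN against the current `host_fqdn`/`node_ip`) before trusting it, falling through to the existing `generate_cert` branch otherwise, would stop the store from pinning a stale pair. Where `cert_key_store` persists the private key is not visible in this hunk; if it lands in a shared store such as the mon config-key store, a one-line comment at the `save_key` call saying so would help the next reader reason about who can read it. The enclosing method starts outside the hunk.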
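Review bot: `pre_remove` calls `rm_cert` and `rm_key` unconditionally, but a prometheus daemon deployed before this commit has no stored `prometheus_cert`/`prometheus_key` entry for its host, so whether these calls tolerate a missing entry decides whether removing such a daemon now fails; nothing in the hunk shows either way, so either confirm the store's rm_* methods are no-ops on absent keys or guard the calls with a `get_cert`/`get_key` check first. The docstring could say what is actually removed, e.g. `"""Drop the stored per-host prometheus cert/key before the daemon is removed."""`, and the inline comment has a typo, `# delete cert/key entries for this prometheus daemon`. The class continues past the end of the hunk (the `ok_to_stop` signature is cut).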