From fa2b084b6d1b38aadc0c77fbcb6e6ce3a92e998f Mon Sep 17 00:00:00 2001 From: Redouane Kachach Date: Fri, 7 Mar 2025 09:56:12 +0100 Subject: [PATCH] mgr/cepahdm: adapting Grafana service to use the new cert mgmt Signed-off-by: Redouane Kachach --- src/pybind/mgr/cephadm/services/monitoring.py | 30 ++++++++----------- 1 file changed, 13 insertions(+), 17 deletions(-) diff --git a/src/pybind/mgr/cephadm/services/monitoring.py b/src/pybind/mgr/cephadm/services/monitoring.py index dff6036a95c..61c106d0b29 100644 --- a/src/pybind/mgr/cephadm/services/monitoring.py +++ b/src/pybind/mgr/cephadm/services/monitoring.py @@ -9,6 +9,7 @@ import requests from mgr_module import HandleCommandResult from .service_registry import register_cephadm_service from cephadm.services.service_registry import service_registry +from cephadm.tlsobject_types import CertKeyPair from orchestrator import DaemonDescription from ceph.deployment.service_spec import AlertManagerSpec, GrafanaSpec, ServiceSpec, \ @@ -16,6 +17,7 @@ from ceph.deployment.service_spec import AlertManagerSpec, GrafanaSpec, ServiceS from cephadm.services.cephadmservice import CephadmService, CephadmDaemonDeploySpec, get_dashboard_urls from mgr_util import build_url, password_hash from ceph.deployment.utils import wrap_ipv6 +from cephadm.tlsobject_store import TLSObjectScope from .. import utils if TYPE_CHECKING: @@ -37,11 +39,6 @@ class GrafanaService(CephadmService): TYPE = 'grafana' DEFAULT_SERVICE_PORT = 3000 - def prepare_create(self, daemon_spec: CephadmDaemonDeploySpec) -> CephadmDaemonDeploySpec: - assert self.TYPE == daemon_spec.daemon_type - daemon_spec.final_config, daemon_spec.deps = self.generate_config(daemon_spec) - return daemon_spec - def generate_data_sources(self, security_enabled: bool, mgmt_gw_enabled: bool, cert: str, pkey: str) -> str: prometheus_user, prometheus_password = self.mgr._get_prometheus_credentials() root_cert = self.mgr.cert_mgr.get_root_ca() 
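Review bot: `TLSObjectScope` is imported in the `@@ -16,6 +17,7 @@` hunk (`from cephadm.tlsobject_store import TLSObjectScope`), but none of the 13 added lines in this patch reference it, so the import looks unused after this commit and a linter will likely flag it. Either drop the line here or move it to the commit that first uses the name. The rest of the module is outside the diff, so confirm against the full file before removing it.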
@@ -148,19 +145,22 @@ class GrafanaService(CephadmService): return '' + def get_grafana_certificates(self, daemon_spec: CephadmDaemonDeploySpec) -> CertKeyPair: + host_ips = [self.mgr.inventory.get_addr(daemon_spec.host)] + host_fqdns = [self.mgr.get_fqdn(daemon_spec.host), 'grafana_servers'] + return self.get_certificates(daemon_spec, host_ips, host_fqdns) + def generate_config(self, daemon_spec: CephadmDaemonDeploySpec) -> Tuple[Dict[str, Any], List[str]]: assert self.TYPE == daemon_spec.daemon_type - host_fqdns = [socket.getfqdn(daemon_spec.host), 'grafana_servers'] - host_ips = self.mgr.inventory.get_addr(daemon_spec.host) - cert, pkey = self.mgr.cert_mgr.prepare_certificate('grafana_cert', 'grafana_key', host_fqdns, host_ips, target_host=daemon_spec.host) - if not cert or not pkey: + tls_pair = self.get_grafana_certificates(daemon_spec) + if not tls_pair.cert or not tls_pair.key: + # this will lead to an error in the daemon as certificates are needed logger.error(f'Cannot generate the needed certificates to deploy Grafana on {daemon_spec.host}') - cert, pkey = ('', '') # this will lead to an error in the daemon as certificates are needed security_enabled, mgmt_gw_enabled, oauth2_enabled = self.mgr._get_security_config() grafana_ini = self.generate_grafana_ini(daemon_spec, mgmt_gw_enabled, oauth2_enabled) - grafana_data_sources = self.generate_data_sources(security_enabled, mgmt_gw_enabled, cert, pkey) + grafana_data_sources = self.generate_data_sources(security_enabled, mgmt_gw_enabled, tls_pair.cert, tls_pair.key) # the path of the grafana dashboards are assumed from the providers.yml.j2 file by grafana grafana_dashboards_path = self.mgr.grafana_dashboards_path or '/etc/grafana/dashboards/ceph-dashboard/' 
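Review bot: In `generate_config`, the `if not tls_pair.cert or not tls_pair.key:` branch only logs and then continues, and the old fallback `cert, pkey = ('', '')` has been removed. If `CertKeyPair` can carry `None` in either field (its definition is not visible in this diff), the values flow unchanged into `generate_data_sources(...)` and, in the `@@ -173,8 +173,8 @@` hunk, into `'# generated by cephadm\n%s' % tls_pair.cert` and the matching `tls_pair.key` line, which would write the literal text `None` into `certs/cert_file` and `certs/cert_key`. Failing closed is easier to diagnose than deploying Grafana with unusable TLS material: raise from this branch with whatever error type the module already uses for deploy failures, or at minimum normalise with `cert, key = tls_pair.cert or '', tls_pair.key or ''` and use those names below. The body of `generate_config` continues past the end of the hunk.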
@@ -173,8 +173,8 @@ class GrafanaService(CephadmService): 'files': { "grafana.ini": grafana_ini, 'provisioning/datasources/ceph-dashboard.yml': grafana_data_sources, - 'certs/cert_file': '# generated by cephadm\n%s' % cert, - 'certs/cert_key': '# generated by cephadm\n%s' % pkey, + 'certs/cert_file': '# generated by cephadm\n%s' % tls_pair.cert, + 'certs/cert_key': '# generated by cephadm\n%s' % tls_pair.key, 'provisioning/dashboards/default.yml': self.mgr.template.render( 'services/grafana/providers.yml.j2', { 'grafana_dashboards_path': grafana_dashboards_path @@ -264,10 +264,6 @@ class GrafanaService(CephadmService): """ Called before grafana daemon is removed. """ - if daemon.hostname is not None: - # delete cert/key entires for this grafana daemon - self.mgr.cert_mgr.rm_cert('grafana_cert', host=daemon.hostname) - self.mgr.cert_mgr.rm_key('grafana_key', host=daemon.hostname) self.reset_config(daemon) def ok_to_stop(self, -- 2.39.5