From 8141b3f60a9fd87bb19db889c5148b543ddc1b21 Mon Sep 17 00:00:00 2001
From: Malik Mann <github@dermm.io>
Date: Mon, 4 May 2026 11:28:33 +0200
Subject: [PATCH] mgr/cephadm: mgmt-gateway bind to virtual_ip

Nginx will only bind to <vip>:<port> if a virtual_ip is given

Fixes: https://tracker.ceph.com/issues/74929
Signed-off-by: Malik Mann <github@dermm.io>
---
 .../templates/services/mgmt-gateway/external_server.conf.j2 | 6 +++++-
 src/pybind/mgr/cephadm/tests/services/test_mgmt_gateway.py  | 4 ++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/pybind/mgr/cephadm/templates/services/mgmt-gateway/external_server.conf.j2 b/src/pybind/mgr/cephadm/templates/services/mgmt-gateway/external_server.conf.j2
index 3db1a1142b35..5030110aac16 100644
--- a/src/pybind/mgr/cephadm/templates/services/mgmt-gateway/external_server.conf.j2
+++ b/src/pybind/mgr/cephadm/templates/services/mgmt-gateway/external_server.conf.j2
@@ -3,8 +3,12 @@ server {
 {% if not spec.ssl %}
     listen {{ spec.port or 80 }};
 {% else %}
-    listen                    {{ spec.port or 443 }} ssl;
+    {% if spec.virtual_ip %}
+    listen                    {{ spec.virtual_ip }}:{{ spec.port or 443 }} ssl;
+    {% else %}
+    listen                    0.0.0.0:{{ spec.port or 443 }} ssl;
     listen                    [::]:{{ spec.port or 443 }} ssl;
+    {% endif %}
     ssl_certificate            /etc/nginx/ssl/nginx.crt;
     ssl_certificate_key /etc/nginx/ssl/nginx.key;
     {% if spec.ssl_protocols %}
diff --git a/src/pybind/mgr/cephadm/tests/services/test_mgmt_gateway.py b/src/pybind/mgr/cephadm/tests/services/test_mgmt_gateway.py
index 63fdef636d67..5d7b4e5b55af 100644
--- a/src/pybind/mgr/cephadm/tests/services/test_mgmt_gateway.py
+++ b/src/pybind/mgr/cephadm/tests/services/test_mgmt_gateway.py
@@ -148,7 +148,7 @@ class TestMgmtGateway:
                                          }"""),
                     "nginx_external_server.conf": dedent("""
                                              server {
-                                                 listen                    5555 ssl;
+                                                 listen                    0.0.0.0:5555 ssl;
                                                  listen                    [::]:5555 ssl;
                                                  ssl_certificate            /etc/nginx/ssl/nginx.crt;
                                                  ssl_certificate_key /etc/nginx/ssl/nginx.key;
@@ -401,7 +401,7 @@ class TestMgmtGateway:
                                          }"""),
                     "nginx_external_server.conf": dedent("""
                                              server {
-                                                 listen                    5555 ssl;
+                                                 listen                    0.0.0.0:5555 ssl;
                                                  listen                    [::]:5555 ssl;
                                                  ssl_certificate            /etc/nginx/ssl/nginx.crt;
                                                  ssl_certificate_key /etc/nginx/ssl/nginx.key;
-- 
2.47.3