author | Redouane Kachach <rkachach@ibm.com> | 2024-07-03 10:15:20 +0200 |
committer | Redouane Kachach <rkachach@ibm.com> | 2024-07-31 08:47:17 +0200 |
commit | 0596664c40288fa153735f30257ec4b0655921f2 (patch) | |
tree | 5342a37ad4034a174d45263ccec00316eb98f036 /src/cephadm | |
parent | mgr/cephadm: introducing cert_mgr new class to centralize certs mgmt (diff) | |
mgr/cephadm: introducing new cmd to generate self-signed certs
This new Cephadm cmd introduces the ability to generate self-signed
certificates for external modules, signed by Cephadm as the root CA.
This feature is essential for implementing mTLS. Previously, if the
user did not provide a certificate and key, the dashboard would
generate its own. With this update, the dashboard now calls Cephadm
to generate self-signed certificates, enabling secure mTLS
communication with other backend applications. Prometheus module
also makes use of this new functionality to generate self-signed
certificates.
Signed-off-by: Redouane Kachach <rkachach@ibm.com>
Diffstat (limited to 'src/cephadm')
-rwxr-xr-x | src/cephadm/cephadm.py | 20 | ||||
-rw-r--r-- | src/cephadm/tests/test_cephadm.py | 3 |
2 files changed, 18 insertions, 5 deletions
diff --git a/src/cephadm/cephadm.py b/src/cephadm/cephadm.py
index 5deaec55949..75ac3045c1e 100755
--- a/src/cephadm/cephadm.py
+++ b/src/cephadm/cephadm.py
@@ -2421,11 +2421,23 @@ def prepare_dashboard(
 pathify(ctx.dashboard_crt.name): '/tmp/dashboard.crt:z',
 pathify(ctx.dashboard_key.name): '/tmp/dashboard.key:z'
 }
- cli(['dashboard', 'set-ssl-certificate', '-i', '/tmp/dashboard.crt'], extra_mounts=mounts)
- cli(['dashboard', 'set-ssl-certificate-key', '-i', '/tmp/dashboard.key'], extra_mounts=mounts)
 else:
- logger.info('Generating a dashboard self-signed certificate...')
- cli(['dashboard', 'create-self-signed-cert'])
+ logger.info('Using certmgr to generate dashboard self-signed certificate...')
+ cert_key = json_loads_retry(lambda: cli(['orch', 'certmgr', 'generate-certificates', 'dashboard'],
+ verbosity=CallVerbosity.QUIET_UNLESS_ERROR))
+ mounts = {}
+ if cert_key:
+ cert_file = write_tmp(cert_key['cert'], uid, gid)
+ key_file = write_tmp(cert_key['key'], uid, gid)
+ mounts = {
+ cert_file.name: '/tmp/dashboard.crt:z',
+ key_file.name: '/tmp/dashboard.key:z'
+ }
+ else:
+ logger.error('Cannot generate certificates for Ceph dashboard.')
+
+ cli(['dashboard', 'set-ssl-certificate', '-i', '/tmp/dashboard.crt'], extra_mounts=mounts)
+ cli(['dashboard', 'set-ssl-certificate-key', '-i', '/tmp/dashboard.key'], extra_mounts=mounts)
 
 logger.info('Creating initial admin user...')
 password = ctx.initial_dashboard_password or generate_password()
diff --git a/src/cephadm/tests/test_cephadm.py b/src/cephadm/tests/test_cephadm.py
index 6a5f4c9f00c..9e0345fe758 100644
--- a/src/cephadm/tests/test_cephadm.py
+++ b/src/cephadm/tests/test_cephadm.py
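Review bot: When `cert_key` is falsy the new code logs 'Cannot generate certificates for Ceph dashboard.' but still falls through to the hoisted `cli(['dashboard', 'set-ssl-certificate', '-i', '/tmp/dashboard.crt'], extra_mounts=mounts)` calls with `mounts` left empty, so the dashboard is asked to read a /tmp/dashboard.crt that was never mounted and bootstrap fails later with a less informative error. Failing fast at that point, by replacing the `logger.error(...)` with a raised exception in whatever error type bootstrap uses elsewhere in this file (e.g. `raise Error('Cannot generate certificates for Ceph dashboard.')` if that is the module's exception), would leave the real cause in the log instead of a downstream mount failure. A short comment above `cert_file = write_tmp(cert_key['cert'], uid, gid)` would also help, noting that the private key is written to a host temp file and relies on write_tmp creating it with restrictive permissions and on the file object staying alive until both cli calls return; neither property is visible in this hunk. `prepare_dashboard` starts before and continues after the hunk.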
@@ -282,7 +282,8 @@ class TestCephAdm(object):
 @mock.patch('cephadmlib.firewalld.Firewalld', mock_bad_firewalld)
 @mock.patch('cephadm.Firewalld', mock_bad_firewalld)
 @mock.patch('cephadm.logger')
- def test_skip_firewalld(self, _logger, cephadm_fs):
+ @mock.patch('cephadm.json_loads_retry', return_value=None)
+ def test_skip_firewalld(self, _logger, _jlr, cephadm_fs):
 """
 test --skip-firewalld actually skips changing firewall
 """