author: Adam King <adking@redhat.com> 2024-10-29 15:54:22 +0100
committer: Adam King <adking@redhat.com> 2024-10-29 21:59:35 +0100
commit: 66e9ef16a93fc542983fb637e562278f9dc4847b
tree: 9f389e41355f9f81929f2bbe6e6aa187d893a65e /src/python-common
parent: Merge pull request #57299 from rhcs-dashboard/fix-47066-main
mgr/cephadm: sign generated RGW certs

Previously the "generate_cert" field would just cause cephadm to generate self-signed certificates. This was an issue when trying to sync the secondary site in a multisite situation, resulting in

```
SL peer certificate or SSH remote key was not OK req_data->error_buf=SSL certificate problem: self-signed certificate request failed: (2200) Unknown error 2200
```

This change makes it so the certificates are signed by cephadm's root CA cert so that users may grab that cert via "ceph orch cert-store get cert cephadm_root_ca_cert" and set that as a trusted CA cert on their secondary cluster.

Additionally, we now generate a cert per RGW daemon so that we can include the hostname/addr of the node we are deploying the RGW daemon on in the cert.

Signed-off-by: Adam King <adking@redhat.com>

Diffstat (limited to 'src/python-common')
-rw-r--r-- src/python-common/ceph/deployment/service_spec.py 4
1 files changed, 4 insertions, 0 deletions
diff --git a/src/python-common/ceph/deployment/service_spec.py b/src/python-common/ceph/deployment/service_spec.py
index 979c14f7d00..1ab8ef81fc8 100644
--- a/src/python-common/ceph/deployment/service_spec.py
+++ b/src/python-common/ceph/deployment/service_spec.py
@@ -1313,6 +1313,10 @@ class RGWSpec(ServiceSpec):
raise SpecValidationError('"ssl" field must be set to true when "generate_cert" '
'is set to true')
+ if self.generate_cert and self.rgw_frontend_ssl_certificate:
+ raise SpecValidationError('"generate_cert" field and "rgw_frontend_ssl_certificate" '
+ 'field are mutually exclusive')
+
yaml.add_representer(RGWSpec, ServiceSpec.yaml_representer)
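Review bot: the new mutual-exclusion check at the end of RGWSpec validation has no test in this path. The diffstat for src/python-common lists only service_spec.py, so nothing here asserts that a spec with both "generate_cert" and "rgw_frontend_ssl_certificate" set raises SpecValidationError. Please add a validation case for that combination, and one for "generate_cert" alone, so the check cannot be dropped silently. Also note that `if self.generate_cert and self.rgw_frontend_ssl_certificate:` tests truthiness, so an empty "rgw_frontend_ssl_certificate" value passes validation alongside "generate_cert: true". If an explicitly present but empty field should be rejected too, compare against None instead. Finally, the error message would be more useful to operators if it said which field to remove, for example that a user-supplied certificate requires "generate_cert" to be unset.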