author | Adam King <adking@redhat.com> | 2024-05-23 18:54:25 +0200 |
---|---|---|
committer | Adam King <adking@redhat.com> | 2024-07-08 23:11:44 +0200 |
commit | e2e6aeb40acc98070e0e2c4a0056e42458e9f4f1 (patch) | |
tree | e4363f452e5c2aa2324c8ef750a839095fb47bcb /src | |
parent | Merge pull request #58454 from spdfnet/docs (diff) | |
download | ceph-e2e6aeb40acc98070e0e2c4a0056e42458e9f4f1.tar.xz ceph-e2e6aeb40acc98070e0e2c4a0056e42458e9f4f1.zip |
mgr/cephadm: allow passing client/server cert/key in nvmeof spec
Before this patch the client/server cert/key fields were
just filepaths that told the nvmeof gw daemon where to look
for the cert/key. There's not much reason why users would
care where in the nvmeof gw container the cert goes. It's more
useful to use these fields as a way to pass the certs/keys
to the daemon and then just hardcode where in the container
we'll place the certs/keys.
Signed-off-by: Adam King <adking@redhat.com>
(cherry picked from commit e9fca39092348e6c08022341116875e831c175f0)
Diffstat (limited to 'src')
-rw-r--r-- | src/cephadm/cephadmlib/daemons/nvmeof.py | 12 | ||||
-rw-r--r-- | src/pybind/mgr/cephadm/services/nvmeof.py | 17 | ||||
-rw-r--r-- | src/pybind/mgr/cephadm/templates/services/nvmeof/ceph-nvmeof.conf.j2 | 8 | ||||
-rw-r--r-- | src/python-common/ceph/deployment/service_spec.py | 10 |
4 files changed, 38 insertions, 9 deletions
diff --git a/src/cephadm/cephadmlib/daemons/nvmeof.py b/src/cephadm/cephadmlib/daemons/nvmeof.py
index f22147c775c..8c0623448ff 100644
--- a/src/cephadm/cephadmlib/daemons/nvmeof.py
+++ b/src/cephadm/cephadmlib/daemons/nvmeof.py
@@ -76,12 +76,24 @@ class CephNvmeof(ContainerDaemonForm):
 mounts[log_dir] = '/var/log/ceph:z'
 return mounts
+ def _get_tls_cert_key_mounts(
+ self, data_dir: str, files: Dict[str, str]
+ ) -> Dict[str, str]:
+ mounts = dict()
+ for fn in ['server_cert', 'server_key', 'client_cert', 'client_key']:
+ if fn in files:
+ mounts[
+ os.path.join(data_dir, fn)
+ ] = f'/{fn.replace("_", ".")}'
+ return mounts
+
 def customize_container_mounts(
 self, ctx: CephadmContext, mounts: Dict[str, str]
 ) -> None:
 data_dir = self.identity.data_dir(ctx.data_dir)
 log_dir = os.path.join(ctx.log_dir, self.identity.fsid)
 mounts.update(self._get_container_mounts(data_dir, log_dir))
+ mounts.update(self._get_tls_cert_key_mounts(data_dir, self.files))
 def customize_container_binds(
 self, ctx: CephadmContext, binds: List[List[str]]
diff --git a/src/pybind/mgr/cephadm/services/nvmeof.py b/src/pybind/mgr/cephadm/services/nvmeof.py
index 99e63c0b7da..f6b1c22dba3 100644
--- a/src/pybind/mgr/cephadm/services/nvmeof.py
+++ b/src/pybind/mgr/cephadm/services/nvmeof.py
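Review bot: The bind mounts built by `_get_tls_cert_key_mounts` in src/cephadm/cephadmlib/daemons/nvmeof.py are read-write and carry no SELinux label, unlike the neighbouring `mounts[log_dir] = '/var/log/ceph:z'` entry, so on an enforcing host the gateway may be unable to read its key, and a compromised gateway process can rewrite the private key file on the host in place. Key and certificate material only needs to be readable inside the container, so the mount target should be `] = f'/{fn.replace("_", ".")}:ro,z'` (or whatever label convention the rest of this file uses for data_dir mounts). The on-disk mode of the `server_key`/`client_key` files is decided by whatever writes `self.files` into data_dir, which is outside this hunk; it is worth confirming those are written 0600 and owned by the daemon user before the first deploy. The container-side names this loop derives (`/server.cert`, `/client.key`, ...) must agree with the hard-coded `[mtls]` paths in the ceph-nvmeof.conf.j2 template changed by this commit, which deserves a comment here since neither side references the other. `customize_container_binds` starts in this hunk and continues outside it.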
@@ -53,6 +53,23 @@ class NvmeofService(CephService):
 daemon_spec.keyring = keyring
 daemon_spec.extra_files = {'ceph-nvmeof.conf': gw_conf}
+
+ if spec.enable_auth:
+ if (
+ not spec.client_cert
+ or not spec.client_key
+ or not spec.server_cert
+ or not spec.server_key
+ ):
+ self.mgr.log.error(f'enable_auth set for {spec.service_name()} spec, but at '
+ 'least one of server/client cert/key fields missing. TLS '
+ f'not being set up for {daemon_spec.name()}')
+ else:
+ daemon_spec.extra_files['server_cert'] = spec.server_cert
+ daemon_spec.extra_files['client_cert'] = spec.client_cert
+ daemon_spec.extra_files['server_key'] = spec.server_key
+ daemon_spec.extra_files['client_key'] = spec.client_key
+
 daemon_spec.final_config, daemon_spec.deps = self.generate_config(daemon_spec)
 daemon_spec.deps = []
 return daemon_spec
diff --git a/src/pybind/mgr/cephadm/templates/services/nvmeof/ceph-nvmeof.conf.j2 b/src/pybind/mgr/cephadm/templates/services/nvmeof/ceph-nvmeof.conf.j2
index f2f994c5521..9ef92991aff 100644
--- a/src/pybind/mgr/cephadm/templates/services/nvmeof/ceph-nvmeof.conf.j2
+++ b/src/pybind/mgr/cephadm/templates/services/nvmeof/ceph-nvmeof.conf.j2
@@ -41,10 +41,10 @@ config_file = /etc/ceph/ceph.conf
 id = {{ rados_id }}
 [mtls]
-server_key = {{ spec.server_key }}
-client_key = {{ spec.client_key }}
-server_cert = {{ spec.server_cert }}
-client_cert = {{ spec.client_cert }}
+server_key = /server.key
+client_key = /client.key
+server_cert = /server.cert
+client_cert = /client.cert
 [spdk]
 tgt_path = {{ spec.tgt_path }}
diff --git a/src/python-common/ceph/deployment/service_spec.py b/src/python-common/ceph/deployment/service_spec.py
index b91b62b02ac..5be5f1e1df0 100644
--- a/src/python-common/ceph/deployment/service_spec.py
+++ b/src/python-common/ceph/deployment/service_spec.py
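Review bot: The `enable_auth` branch added in src/pybind/mgr/cephadm/services/nvmeof.py fails open: when one of the cert/key fields is missing it only calls `self.mgr.log.error(...)` and then falls through to `self.generate_config(daemon_spec)`, which with this commit's template change still emits `[mtls]` entries for `/server.key` etc. that will never be mounted, so a gateway the operator asked to run with mTLS is deployed anyway and simply cannot present the expected credentials. The `all([...])` check added to `NvmeofServiceSpec.validate` should reject such a spec on apply, but a spec stored before this change (where the fields defaulted to paths, which are now written out verbatim as "key" contents) or one edited directly can still reach this branch, so refusing the deployment here, with the same exception type the other service classes raise when a daemon cannot be prepared, would be safer than logging and continuing. If logging is kept, the message should at least say that the daemon is being deployed without TLS rather than "TLS not being set up", so that the resulting state is unambiguous. The enclosing method starts before this hunk and `daemon_spec.deps = []` overwriting the value from `generate_config` predates this commit.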
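Review bot: The `[mtls]` values in ceph-nvmeof.conf.j2 are now fixed paths that must match the container-side targets computed by `_get_tls_cert_key_mounts` in src/cephadm/cephadmlib/daemons/nvmeof.py (`/server.key`, `/client.key`, `/server.cert`, `/client.cert`), and nothing in the template records that dependency, so a rename on either side silently breaks TLS with no error at render time. A Jinja comment keeps the coupling visible without changing the rendered file: `{# these paths must match the mount targets in cephadmlib/daemons/nvmeof.py::_get_tls_cert_key_mounts #}`. The surrounding template is outside this hunk, so I cannot tell whether the `[mtls]` section is rendered unconditionally; if it is, the gateway now sees non-existent paths whenever `enable_auth` is false, which is worth confirming the gateway tolerates.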
@@ -1408,13 +1408,13 @@ class NvmeofServiceSpec(ServiceSpec):
 #: ``bdevs_per_cluster`` number of bdevs per cluster
 self.bdevs_per_cluster = bdevs_per_cluster
 #: ``server_key`` gateway server key
- self.server_key = server_key or './server.key'
+ self.server_key = server_key
 #: ``server_cert`` gateway server certificate
- self.server_cert = server_cert or './server.crt'
+ self.server_cert = server_cert
 #: ``client_key`` client key
- self.client_key = client_key or './client.key'
+ self.client_key = client_key
 #: ``client_cert`` client certificate
- self.client_cert = client_cert or './client.crt'
+ self.client_cert = client_cert
 #: ``spdk_path`` path to SPDK
 self.spdk_path = spdk_path or '/usr/local/bin/nvmf_tgt'
 #: ``tgt_path`` nvmeof target path
@@ -1469,7 +1469,7 @@ class NvmeofServiceSpec(ServiceSpec):
 raise SpecValidationError('Cannot add NVMEOF: No Pool specified')
 if self.enable_auth:
- if not any([self.server_key, self.server_cert, self.client_key, self.client_cert]):
+ if not all([self.server_key, self.server_cert, self.client_key, self.client_cert]):
 raise SpecValidationError(
 'enable_auth is true but client/server certificates are missing') |
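Review bot: The `#:` attribute docs in `NvmeofServiceSpec.__init__` in src/python-common/ceph/deployment/service_spec.py still read `gateway server key` / `client key` etc., but after this change the fields carry the certificate and key material itself rather than a path (the template no longer references them and cephadm writes them out as files), so a user following the spec docs will keep supplying paths, which are then written verbatim as the "key" and the gateway fails at runtime with no validation error. Suggest updating each line, e.g. `#: ``server_key`` gateway server key contents (not a path; written into the daemon data dir)`, and the same for `server_cert`, `client_key` and `client_cert`. Since these fields now hold private keys, the docs should also say that the material is persisted with the service spec and appears wherever the spec is shown or exported, which I cannot verify from this hunk but follows from the fields being ordinary spec attributes. The `any` to `all` change in `validate` is the right companion to dropping the path defaults; `__init__` continues outside this hunk.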