Merge pull request ceph#60943 from anuradhagadge/fix_69081_ca_cert_with_fsid

mgr/cephadm: Changes for creating root cert with manager cluster fsid

Reviewed-by: Adam King <[email protected]>
Reviewed-by: Redouane Kachach <[email protected]>

Author: adk3798

src/pybind/mgr/cephadm/cert_mgr.py

@@ -12,7 +12,7 @@ class CertMgr:
     CEPHADM_ROOT_CA_KEY = 'cephadm_root_ca_key'
 
     def __init__(self, mgr: "CephadmOrchestrator", ip: str) -> None:
-        self.ssl_certs: SSLCerts = SSLCerts()
+        self.ssl_certs: SSLCerts = SSLCerts(mgr._cluster_fsid)
         old_cert = mgr.cert_key_store.get_cert(self.CEPHADM_ROOT_CA_CERT)
         old_key = mgr.cert_key_store.get_key(self.CEPHADM_ROOT_CA_KEY)
         if old_key and old_cert:

src/pybind/mgr/cephadm/ssl_cert_utils.py

@@ -15,11 +15,12 @@ class SSLConfigException(Exception):
 
 
 class SSLCerts:
-    def __init__(self) -> None:
+    def __init__(self, fsid: str) -> None:
         self.root_cert: Any
         self.root_key: Any
         self.key_file: IO[bytes]
         self.cert_file: IO[bytes]
+        self.cluster_fsid: str = fsid
 
     def generate_root_cert(
         self,
@@ -42,6 +43,7 @@ def generate_root_cert(
         root_builder = root_builder.public_key(root_public_key)
 
         san_list: List[x509.GeneralName] = []
+        san_list.append(x509.DNSName(f'fsid-{self.cluster_fsid}'))
         if addr:
             san_list.extend([x509.IPAddress(ipaddress.ip_address(addr))])
         if custom_san_list:

src/pybind/mgr/cephadm/tests/test_node_proxy.py

@@ -36,7 +36,7 @@ def __init__(self) -> None:
         self.node_proxy = MagicMock()
         self.http_server = MagicMock()
         self.http_server.agent = MagicMock()
-        self.http_server.agent.ssl_certs = SSLCerts()
+        self.http_server.agent.ssl_certs = SSLCerts("59d1b32e-xxxx-11ef-xxxx-52540060267a")
         self.http_server.agent.ssl_certs.generate_root_cert(addr=self.get_mgr_ip())
         self.cert_mgr = FakeCertMgr()