Merge pull request ceph#61694 from rkachach/fix_issue_69863

adk3798 · web-flow · commit 34e8dee7b939 · 2025-02-19T13:00:09.000-05:00
mgr/cephadm: reconfig rgw and ingress daemons when certificate changes

Reviewed-by: Adam King &lt;adking@redhat.com&gt;
diff --git a/src/pybind/mgr/cephadm/services/cephadmservice.py b/src/pybind/mgr/cephadm/services/cephadmservice.py
@@ -996,6 +996,21 @@ class RgwService(CephService):
     def allow_colo(self) -> bool:
         return True
 
+    @classmethod
+    def get_dependencies(cls, mgr: "CephadmOrchestrator",
+                         spec: Optional[ServiceSpec] = None,
+                         daemon_type: Optional[str] = None) -> List[str]:
+
+        deps = []
+        rgw_spec = cast(RGWSpec, spec)
+        ssl_cert = getattr(rgw_spec, 'rgw_frontend_ssl_certificate', None)
+        if ssl_cert:
+            if isinstance(ssl_cert, list):
+                ssl_cert = '\n'.join(ssl_cert)
+            deps.append(f'ssl-cert:{str(utils.md5_hash(ssl_cert))}')
+
+        return sorted(deps)
+
     def set_realm_zg_zone(self, spec: RGWSpec) -> None:
         assert self.TYPE == spec.service_type
 
@@ -1271,6 +1286,12 @@ def ingress_present() -> bool:
     def config_dashboard(self, daemon_descrs: List[DaemonDescription]) -> None:
         self.mgr.trigger_connect_dashboard_rgw()
 
+    def generate_config(self, daemon_spec: CephadmDaemonDeploySpec) -> Tuple[Dict[str, Any], List[str]]:
+        svc_spec = cast(RGWSpec, self.mgr.spec_store[daemon_spec.service_name].spec)
+        config, parent_deps = super().generate_config(daemon_spec)
+        rgw_deps = parent_deps + self.get_dependencies(self.mgr, svc_spec)
+        return config, rgw_deps
+
 
 @register_cephadm_service
 class RbdMirrorService(CephService):
diff --git a/src/pybind/mgr/cephadm/services/ingress.py b/src/pybind/mgr/cephadm/services/ingress.py
@@ -97,10 +97,18 @@ def get_haproxy_dependencies(mgr: "CephadmOrchestrator", spec: Optional[ServiceS
         # sufficient to detect changes.
         if not spec:
             return []
+
         ingress_spec = cast(IngressSpec, spec)
         assert ingress_spec.backend_service
         daemons = mgr.cache.get_daemons_by_service(ingress_spec.backend_service)
-        return sorted([d.name() for d in daemons])
+        deps = [d.name() for d in daemons]
+        for attr in ['ssl_cert', 'ssl_key']:
+            ssl_cert_key = getattr(ingress_spec, attr, None)
+            if ssl_cert_key:
+                assert isinstance(ssl_cert_key, str)
+                deps.append(f'ssl-cert-key:{str(utils.md5_hash(ssl_cert_key))}')
+
+        return sorted(deps)
 
     def haproxy_generate_config(
             self,
@@ -224,11 +232,12 @@ def haproxy_generate_config(
                 "haproxy.cfg": haproxy_conf,
             }
         }
+
         if spec.ssl_cert:
-            ssl_cert = spec.ssl_cert
-            if isinstance(ssl_cert, list):
-                ssl_cert = '\n'.join(ssl_cert)
-            config_files['files']['haproxy.pem'] = ssl_cert
+            config_files['files']['haproxy.pem'] = spec.ssl_cert
+
+        if spec.ssl_key:
+            config_files['files']['haproxy.pem.key'] = spec.ssl_key
 
         return config_files, self.get_haproxy_dependencies(self.mgr, spec)
 
