cephadm: Ensure wildcard SAN is included in RGW self-signed certs

Fix:
- Updated `RgwService` in `cephadmservice.py` to append `*.` before each hostname
  in `zonegroup_hostnames` when generating certificates if wildcard_enabled flag is set to true.
- This ensures that both the entries including the wildcard entry (example: 's3.cephlab.com' and '*.s3.cephlab.com') are included in the SAN.
- After this fix, virtual host bucket access works without SSL errors.

Signed-off-by: Kushal Deb <[email protected]>

Author: Kushal-deb

doc/cephadm/services/rgw.rst

@@ -173,6 +173,36 @@ Then apply this yaml document:
 Note the value of ``rgw_frontend_ssl_certificate`` is a literal string as
 indicated by a ``|`` character preserving newline characters.
 
+Setting up HTTPS with Wildcard SANs
+-----------------------------------
+
+To enable HTTPS for RGW services, apply a spec file following this scheme:
+
+.. code-block:: yaml
+
+  service_type: rgw
+  service_id: foo
+  placement:
+    label: rgw
+    count_per_host: 1
+  spec:
+    ssl: true
+    generate_cert: true  
+    rgw_frontend_port: 8080
+    wildcard_enabled: true  # Enables wildcard SANs in the certificate
+    zonegroup_hostnames:
+    - s3.cephlab.com
+
+Then apply this yaml document:
+
+.. prompt:: bash #
+
+  ceph orch apply -i myrgw.yaml
+
+The ``wildcard_enabled`` flag ensures that a wildcard SAN entry is included in the self-signed certificate,
+allowing access to buckets in virtual host mode. By default, this flag is disabled.
+example: wildcard SAN - (*.s3.cephlab.com)
+
 Disabling multisite sync traffic
 --------------------------------
 

src/pybind/mgr/cephadm/services/cephadmservice.py

@@ -1043,12 +1043,15 @@ def config(self, spec: RGWSpec) -> None:  # type: ignore
             })
 
         if spec.zonegroup_hostnames:
+            san_list = spec.zonegroup_hostnames or []
+            hostnames = san_list + [f"*.{h}" for h in san_list] if spec.wildcard_enabled else san_list
+
             zg_update_cmd = {
                 'prefix': 'rgw zonegroup modify',
                 'realm_name': spec.rgw_realm,
                 'zonegroup_name': spec.rgw_zonegroup,
                 'zone_name': spec.rgw_zone,
-                'hostnames': spec.zonegroup_hostnames,
+                'hostnames': hostnames,
             }
             logger.debug(f'rgw cmd: {zg_update_cmd}')
             ret, out, err = self.mgr.check_mon_command(zg_update_cmd)
@@ -1075,10 +1078,13 @@ def prepare_create(self, daemon_spec: CephadmDaemonDeploySpec) -> CephadmDaemonD
             port = spec.get_port()
 
         if spec.generate_cert:
+            san_list = spec.zonegroup_hostnames or []
+            custom_san_list = san_list + [f"*.{h}" for h in san_list] if spec.wildcard_enabled else san_list
+
             cert, key = self.mgr.cert_mgr.generate_cert(
                 daemon_spec.host,
                 self.mgr.inventory.get_addr(daemon_spec.host),
-                custom_san_list=spec.zonegroup_hostnames
+                custom_san_list=custom_san_list
             )
             pem = ''.join([key, cert])
             ret, out, err = self.mgr.check_mon_command({

src/python-common/ceph/deployment/service_spec.py

@@ -1234,6 +1234,7 @@ def __init__(self,
                  rgw_bucket_counters_cache_size: Optional[int] = None,
                  generate_cert: bool = False,
                  disable_multisite_sync_traffic: Optional[bool] = None,
+                 wildcard_enabled: Optional[bool] = False,
                  ):
         assert service_type == 'rgw', service_type
 
@@ -1288,6 +1289,7 @@ def __init__(self,
         self.generate_cert = generate_cert
         #: Used to make RGW not do multisite replication so it can dedicate to IO
         self.disable_multisite_sync_traffic = disable_multisite_sync_traffic
+        self.wildcard_enabled = wildcard_enabled
 
     def get_port_start(self) -> List[int]:
         return [self.get_port()]