Skip to content

Commit 66e9ef1

Browse files
adk3798adk3798
committed
mgr/cephadm: sign generated RGW certs
Previously the "generate_cert" field would just cause cephadm to generate self-signed certificates. This was an issue when trying to sync the secondary site in a multisite situation, resulting in ``` SL peer certificate or SSH remote key was not OK req_data->error_buf=SSL certificate problem: self-signed certificate request failed: (2200) Unknown error 2200 ``` This change makes it so the certificate are signed by cephadm's root CA cert so that users may grab that cert via "ceph orch cert-store get cert cephadm_root_ca_cert" and set that as a trusted CA cert on their secondary cluster. Additionally, we now generate a cert per RGW daemon so that we can include the hostname/addr of the node we are deploying the RGW daemon on in the cert. Signed-off-by: Adam King <[email protected]>
1 parent a3cf842 commit 66e9ef1

File tree

4 files changed

+45
-12
lines changed

4 files changed

+45
-12
lines changed

src/pybind/mgr/cephadm/cert_mgr.py

Lines changed: 8 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11

22
from cephadm.ssl_cert_utils import SSLCerts, SSLConfigException
3-
from typing import TYPE_CHECKING, Tuple, Union, List
3+
from typing import TYPE_CHECKING, Tuple, Union, List, Optional
44

55
if TYPE_CHECKING:
66
from cephadm.module import CephadmOrchestrator
@@ -28,5 +28,10 @@ def __init__(self, mgr: "CephadmOrchestrator", ip: str) -> None:
2828
def get_root_ca(self) -> str:
2929
return self.ssl_certs.get_root_cert()
3030

31-
def generate_cert(self, host_fqdn: Union[str, List[str]], node_ip: Union[str, List[str]]) -> Tuple[str, str]:
32-
return self.ssl_certs.generate_cert(host_fqdn, node_ip)
31+
def generate_cert(
32+
self,
33+
host_fqdn: Union[str, List[str]],
34+
node_ip: Union[str, List[str]],
35+
custom_san_list: Optional[List[str]] = None,
36+
) -> Tuple[str, str]:
37+
return self.ssl_certs.generate_cert(host_fqdn, node_ip, custom_san_list=custom_san_list)

src/pybind/mgr/cephadm/services/cephadmservice.py

Lines changed: 25 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -1015,12 +1015,6 @@ def config(self, spec: RGWSpec) -> None: # type: ignore
10151015
# set rgw_realm rgw_zonegroup and rgw_zone, if present
10161016
self.set_realm_zg_zone(spec)
10171017

1018-
if spec.generate_cert and not spec.rgw_frontend_ssl_certificate:
1019-
# generate a self-signed cert for the rgw service
1020-
cert, key = self.mgr.cert_mgr.ssl_certs.generate_root_cert(custom_san_list=spec.zonegroup_hostnames)
1021-
spec.rgw_frontend_ssl_certificate = ''.join([key, cert])
1022-
self.mgr.spec_store.save(spec)
1023-
10241018
if spec.rgw_frontend_ssl_certificate:
10251019
if isinstance(spec.rgw_frontend_ssl_certificate, list):
10261020
cert_data = '\n'.join(spec.rgw_frontend_ssl_certificate)
@@ -1068,6 +1062,19 @@ def prepare_create(self, daemon_spec: CephadmDaemonDeploySpec) -> CephadmDaemonD
10681062
# and it matches the spec.
10691063
port = spec.get_port()
10701064

1065+
if spec.generate_cert:
1066+
cert, key = self.mgr.cert_mgr.generate_cert(
1067+
daemon_spec.host,
1068+
self.mgr.inventory.get_addr(daemon_spec.host),
1069+
custom_san_list=spec.zonegroup_hostnames
1070+
)
1071+
pem = ''.join([key, cert])
1072+
ret, out, err = self.mgr.check_mon_command({
1073+
'prefix': 'config-key set',
1074+
'key': f'rgw/cert/{daemon_spec.name()}',
1075+
'val': pem,
1076+
})
1077+
10711078
# configure frontend
10721079
args = []
10731080
ftype = spec.rgw_frontend_type or "beast"
@@ -1078,7 +1085,10 @@ def prepare_create(self, daemon_spec: CephadmDaemonDeploySpec) -> CephadmDaemonD
10781085
f"ssl_endpoint={build_url(host=daemon_spec.ip, port=port).lstrip('/')}")
10791086
else:
10801087
args.append(f"ssl_port={port}")
1081-
args.append(f"ssl_certificate=config://rgw/cert/{spec.service_name()}")
1088+
if spec.generate_cert:
1089+
args.append(f"ssl_certificate=config://rgw/cert/{daemon_spec.name()}")
1090+
else:
1091+
args.append(f"ssl_certificate=config://rgw/cert/{spec.service_name()}")
10821092
else:
10831093
if daemon_spec.ip:
10841094
args.append(f"endpoint={build_url(host=daemon_spec.ip, port=port).lstrip('/')}")
@@ -1091,7 +1101,10 @@ def prepare_create(self, daemon_spec: CephadmDaemonDeploySpec) -> CephadmDaemonD
10911101
args.append(f"port={build_url(host=daemon_spec.ip, port=port).lstrip('/')}s")
10921102
else:
10931103
args.append(f"port={port}s") # note the 's' suffix on port
1094-
args.append(f"ssl_certificate=config://rgw/cert/{spec.service_name()}")
1104+
if spec.generate_cert:
1105+
args.append(f"ssl_certificate=config://rgw/cert/{daemon_spec.name()}")
1106+
else:
1107+
args.append(f"ssl_certificate=config://rgw/cert/{spec.service_name()}")
10951108
else:
10961109
if daemon_spec.ip:
10971110
args.append(f"port={build_url(host=daemon_spec.ip, port=port).lstrip('/')}")
@@ -1180,6 +1193,10 @@ def post_remove(self, daemon: DaemonDescription, is_failed_deploy: bool) -> None
11801193
'who': utils.name_to_config_section(daemon.name()),
11811194
'name': 'rgw_frontends',
11821195
})
1196+
self.mgr.check_mon_command({
1197+
'prefix': 'config-key rm',
1198+
'key': f'rgw/cert/{daemon.name()}',
1199+
})
11831200

11841201
def ok_to_stop(
11851202
self,

src/pybind/mgr/cephadm/ssl_cert_utils.py

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -70,7 +70,12 @@ def generate_root_cert(
7070

7171
return (cert_str, key_str)
7272

73-
def generate_cert(self, _hosts: Union[str, List[str]], _addrs: Union[str, List[str]]) -> Tuple[str, str]:
73+
def generate_cert(
74+
self,
75+
_hosts: Union[str, List[str]],
76+
_addrs: Union[str, List[str]],
77+
custom_san_list: Optional[List[str]] = None,
78+
) -> Tuple[str, str]:
7479

7580
addrs = [_addrs] if isinstance(_addrs, str) else _addrs
7681
hosts = [_hosts] if isinstance(_hosts, str) else _hosts
@@ -97,6 +102,8 @@ def generate_cert(self, _hosts: Union[str, List[str]], _addrs: Union[str, List[s
97102
san_list: List[x509.GeneralName] = [x509.DNSName(host) for host in hosts]
98103
if valid_ips:
99104
san_list.extend(ips)
105+
if custom_san_list:
106+
san_list.extend([x509.DNSName(n) for n in custom_san_list])
100107

101108
builder = builder.add_extension(
102109
x509.SubjectAlternativeName(

src/python-common/ceph/deployment/service_spec.py

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1313,6 +1313,10 @@ def validate(self) -> None:
13131313
raise SpecValidationError('"ssl" field must be set to true when "generate_cert" '
13141314
'is set to true')
13151315

1316+
if self.generate_cert and self.rgw_frontend_ssl_certificate:
1317+
raise SpecValidationError('"generate_cert" field and "rgw_frontend_ssl_certificate" '
1318+
'field are mutually exclusive')
1319+
13161320

13171321
yaml.add_representer(RGWSpec, ServiceSpec.yaml_representer)
13181322

0 commit comments

Comments
 (0)