mgr/cephadm: fixing docs and defaults for some options

Signed-off-by: Redouane Kachach <[email protected]>

Author: rkachach

doc/cephadm/certmgr.rst

@@ -46,8 +46,8 @@ and applies renewal policies based on the certificate type and configured
 parameters. Cephadm provides several configuration options to manage certificate
 lifecycle and renewal:
 
-- **`mgr/cephadm/certificate_automated_rotation_enabled`** (default: `False`):
-  Disabled by default, this configuration option controls
+- **`mgr/cephadm/certificate_automated_rotation_enabled`** (default: `True`):
+  Enabled by default, this configuration option controls
   whether Cephadm automatically rotates certificates upon expiration. This helps
   ensure continuity and security without manual intervention. When disabled cephadm will
   still check periodically the certificates but instead of automatically renewing self-signed
@@ -58,14 +58,18 @@ lifecycle and renewal:
   and signed by the Cephadm root CA. This determines the validity period before
   renewal is required.
 
-- **`certificate_renewal_threshold_days`** (default: `30`, min: `10`, max:
+- **`mgr/cephadm/certificate_renewal_threshold_days`** (default: `30`, min: `10`, max:
   `90`): Defines the number of days before a certificate's expiration when
   Cephadm should initiate renewal. This ensures timely replacement before
   expiration occurs. This applies to both self-signed and user-provided
   certificates. In the case of user-provided certificates, Cephadm will issue a
   health error or warning alerting administrators about the upcoming renewal
   period proximity.
 
+- **`mgr/cephadm/certificate_check_period`** (default: `1`, min: `0`, max: `30`):
+  Specifies how often (in days) the certificate should be checked for validity.
+  This ensures timely detection of any issues related to certificate expiration.
+  Setting this to `0` disables the certificate check functionality.
 
 Certificate Health Monitoring
 =============================
@@ -201,11 +205,14 @@ To associate a certificate with a private key:
 
 .. prompt:: bash #
 
-   ceph orch certmgr cert-key set <entity> [--cert <value>] [--key <value>] [--service_name <value>] [--hostname <value>] [--force]
+   ceph orch certmgr cert-key set <entity> [--cert <value>] [--key <value>] [--service_name <value>] [--hostname <value>] [-i <cert-key-path>] [--force]
 
-Use this command to upload or replace an existing certificate/key pair for a
-certain service. Replace `<entiy-name>` with the actual certificate name from
-`ceph orch certmgr entity ls`.
+Use this command to upload or replace an existing certificate/key pair
+for a certain service. Replace `<entity-name>` with the actual
+certificate name from `ceph orch certmgr entity ls`. The -i option
+can be used to specify a file containing a combined certificate and
+key in PEM format. This file should include both the certificate and
+private key concatenated together.
 
 Setting a Certificate
 =====================

src/pybind/mgr/cephadm/module.py

@@ -413,16 +413,16 @@ class CephadmOrchestrator(orchestrator.Orchestrator, MgrModule,
         Option(
             'certificate_automated_rotation_enabled',
             type='bool',
-            default=False,
+            default=True,
             desc='This flag controls whether cephadm automatically rotates certificates upon expiration.',
         ),
         Option(
             'certificate_check_period',
             type='int',
             default=1,  # Default to checking certificates once per day
             desc='Specifies how often (in days) the certificate should be checked for validity.',
-            min=1,
-            max=3,  # must be lesr than min of certificate_renewal_threshold_days
+            min=0,  # 0 will disable the certificate checking
+            max=30,  # must be less than the min of certificate_renewal_threshold_days.
         ),
         Option(
             'certificate_duration_days',

src/pybind/mgr/cephadm/serve.py

@@ -142,6 +142,10 @@ def serve(self) -> None:
 
     def _check_certificates(self) -> None:
 
+        if self.mgr.certificate_check_period == 0:
+            # certificate check has been disabled by the user
+            return
+
         # Check certificates if:
         # - This is the first time (startup, last_certificates_check is None)
         # - Or the elapsed time is greater than or equal to the configured check period