mgr/cephadm: harmonize mgmt-gateway and oauth2-proxy spec fields

Let's rename the spec fields for mgmt-gateway and oauth2-proxy from
ssl_certificate to ssl_cert, and from ssl_certificate_key to ssl_key,
to align with the naming conventions used by other Cephadm services
such as iscsi and ingress.

Fixes: https://tracker.ceph.com/issues/70359

Signed-off-by: Redouane Kachach <[email protected]>

Author: rkachach

doc/cephadm/services/mgmt-gateway.rst

@@ -128,6 +128,7 @@ A ``mgmt-gateway`` service can be applied using a specification. An example in Y
         - ceph0
     spec:
      port: 5000
+     ssl: True
      ssl_protocols:
        - TLSv1.2
        - TLSv1.3
@@ -136,13 +137,13 @@ A ``mgmt-gateway`` service can be applied using a specification. An example in Y
        - AES128-SHA
        - AES256-SHA
        - ...
-     ssl_certificate: |
+     ssl_cert: |
        -----BEGIN CERTIFICATE-----
        MIIDtTCCAp2gAwIBAgIYMC4xNzc1NDQxNjEzMzc2MjMyXzxvQ7EcMA0GCSqGSIb3
        DQEBCwUAMG0xCzAJBgNVBAYTAlVTMQ0wCwYDVQQIDARVdGFoMRcwFQYDVQQHDA5T
        [...]
        -----END CERTIFICATE-----
-    ssl_certificate_key: |
+     ssl_key: |
        -----BEGIN PRIVATE KEY-----
        MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC5jdYbjtNTAKW4
        /CwQr/7wOiLGzVxChn3mmCIF3DwbL/qvTFTX2d8bDf6LjGwLYloXHscRfxszX/4h

src/pybind/mgr/cephadm/module.py

@@ -751,7 +751,7 @@ def _get_mgmt_gw_endpoint(self, is_internal: bool) -> Optional[str]:
             endpoint_suffix = '/internal'
         else:
             mgmt_gw_port = dd.ports[0] if dd.ports else None
-            protocol = 'http' if mgmt_gw_spec.disable_https else 'https'
+            protocol = 'https' if mgmt_gw_spec.ssl else 'http'
             endpoint_suffix = ''
 
         mgmt_gw_endpoint = build_url(scheme=protocol, host=mgmt_gw_addr, port=mgmt_gw_port)

src/pybind/mgr/cephadm/services/mgmt_gateway.py

@@ -57,10 +57,10 @@ def get_external_certificates(self, svc_spec: MgmtGatewaySpec, daemon_spec: Ceph
         user_made = False
         if not (cert and key):
             # not available on store, check if provided on the spec
-            if svc_spec.ssl_certificate and svc_spec.ssl_certificate_key:
+            if svc_spec.ssl_cert and svc_spec.ssl_key:
                 user_made = True
-                cert = svc_spec.ssl_certificate
-                key = svc_spec.ssl_certificate_key
+                cert = svc_spec.ssl_cert
+                key = svc_spec.ssl_key
             else:
                 # not provided on the spec, let's generate self-sigend certificates
                 ip = self.get_mgmt_gw_ip(svc_spec, daemon_spec)
@@ -147,7 +147,6 @@ def generate_config(self, daemon_spec: CephadmDaemonDeploySpec) -> Tuple[Dict[st
             'enable_oauth2_proxy': bool(oauth2_proxy_endpoints),
         }
 
-        cert, key = self.get_external_certificates(svc_spec, daemon_spec)
         internal_cert, internal_pkey = self.get_internal_certificates(svc_spec, daemon_spec)
         daemon_config = {
             "files": {
@@ -159,7 +158,8 @@ def generate_config(self, daemon_spec: CephadmDaemonDeploySpec) -> Tuple[Dict[st
                 "ca.crt": self.mgr.cert_mgr.get_root_ca()
             }
         }
-        if not svc_spec.disable_https:
+        if svc_spec.ssl:
+            cert, key = self.get_external_certificates(svc_spec, daemon_spec)
             daemon_config["files"]["nginx.crt"] = cert
             daemon_config["files"]["nginx.key"] = key
 

src/pybind/mgr/cephadm/services/oauth2_proxy.py

@@ -48,10 +48,10 @@ def get_certificates(self, svc_spec: OAuth2ProxySpec, daemon_spec: CephadmDaemon
         user_made = False
         if not (cert and key):
             # not available on store, check if provided on the spec
-            if svc_spec.ssl_certificate and svc_spec.ssl_certificate_key:
+            if svc_spec.ssl_cert and svc_spec.ssl_key:
                 user_made = True
-                cert = svc_spec.ssl_certificate
-                key = svc_spec.ssl_certificate_key
+                cert = svc_spec.ssl_cert
+                key = svc_spec.ssl_key
             else:
                 # not provided on the spec, let's generate self-sigend certificates
                 addr = self.mgr.inventory.get_addr(daemon_spec.host)

src/pybind/mgr/cephadm/templates/services/mgmt-gateway/external_server.conf.j2

@@ -1,6 +1,6 @@
 
 server {
-{% if spec.disable_https %}
+{% if not spec.ssl %}
     listen {{ spec.port or 80 }};
 {% else %}
     listen                    {{ spec.port or 443 }} ssl;

src/pybind/mgr/cephadm/tests/test_services.py

@@ -1588,8 +1588,8 @@ def inline_certificate(multi_line_cert):
                                       client_secret='my_client_secret',
                                       oidc_issuer_url='http://192.168.10.10:8888/dex',
                                       cookie_secret='kbAEM9opAmuHskQvt0AW8oeJRaOM2BYy5Loba0kZ0SQ=',
-                                      ssl_certificate=ceph_generated_cert,
-                                      ssl_certificate_key=ceph_generated_key)
+                                      ssl_cert=ceph_generated_cert,
+                                      ssl_key=ceph_generated_key)
 
         with with_host(cephadm_module, "test"):
             cephadm_module.cert_mgr.save_cert('grafana_cert', ceph_generated_cert, host='test')
@@ -4005,8 +4005,8 @@ def get_services_endpoints(name):
 
         server_port = 5555
         spec = MgmtGatewaySpec(port=server_port,
-                               ssl_certificate=ceph_generated_cert,
-                               ssl_certificate_key=ceph_generated_key)
+                               ssl_cert=ceph_generated_cert,
+                               ssl_key=ceph_generated_key)
 
         expected = {
             "fsid": "fsid",
@@ -4253,8 +4253,8 @@ def get_services_endpoints(name):
 
         server_port = 5555
         spec = MgmtGatewaySpec(port=server_port,
-                               ssl_certificate=ceph_generated_cert,
-                               ssl_certificate_key=ceph_generated_key,
+                               ssl_cert=ceph_generated_cert,
+                               ssl_key=ceph_generated_key,
                                enable_auth=True)
 
         expected = {
@@ -4603,8 +4603,8 @@ def get_services_endpoints(name):
 
         server_port = 5555
         mgmt_gw_spec = MgmtGatewaySpec(port=server_port,
-                                       ssl_certificate=ceph_generated_cert,
-                                       ssl_certificate_key=ceph_generated_key,
+                                       ssl_cert=ceph_generated_cert,
+                                       ssl_key=ceph_generated_key,
                                        enable_auth=True,
                                        virtual_ip=virtual_ip)
 
@@ -4614,8 +4614,8 @@ def get_services_endpoints(name):
                                       client_secret='my_client_secret',
                                       oidc_issuer_url='http://192.168.10.10:8888/dex',
                                       cookie_secret='kbAEM9opAmuHskQvt0AW8oeJRaOM2BYy5Loba0kZ0SQ=',
-                                      ssl_certificate=ceph_generated_cert,
-                                      ssl_certificate_key=ceph_generated_key,
+                                      ssl_cert=ceph_generated_cert,
+                                      ssl_key=ceph_generated_key,
                                       allowlist_domains=[allowed_domain])
 
         whitelist_domains = f"{allowed_domain},1::4,ceph-node" if virtual_ip is None else f"{allowed_domain},{virtual_ip},1::4,ceph-node"

src/pybind/mgr/orchestrator/module.py

@@ -2048,7 +2048,7 @@ def _apply_iscsi(self,
     @_cli_write_command('orch apply mgmt-gateway')
     def _apply_mgmt_gateway(self,
                             port: Optional[int] = None,
-                            disable_https: Optional[bool] = False,
+                            ssl: Optional[bool] = True,
                             enable_auth: Optional[bool] = False,
                             virtual_ip: Optional[str] = None,
                             placement: Optional[str] = None,
@@ -2066,7 +2066,7 @@ def _apply_mgmt_gateway(self,
             unmanaged=unmanaged,
             port=port,
             virtual_ip=virtual_ip,
-            disable_https=disable_https,
+            ssl=ssl,
             enable_auth=enable_auth,
             preview_only=dry_run
         )

src/python-common/ceph/deployment/service_spec.py

@@ -1853,11 +1853,11 @@ def __init__(self,
                  config: Optional[Dict[str, str]] = None,
                  networks: Optional[List[str]] = None,
                  placement: Optional[PlacementSpec] = None,
-                 disable_https: Optional[bool] = False,
+                 ssl: Optional[bool] = True,
                  enable_auth: Optional[bool] = False,
                  port: Optional[int] = None,
-                 ssl_certificate: Optional[str] = None,
-                 ssl_certificate_key: Optional[str] = None,
+                 ssl_cert: Optional[str] = None,
+                 ssl_key: Optional[str] = None,
                  ssl_prefer_server_ciphers: Optional[str] = None,
                  ssl_session_tickets: Optional[str] = None,
                  ssl_session_timeout: Optional[str] = None,
@@ -1886,16 +1886,16 @@ def __init__(self,
             extra_entrypoint_args=extra_entrypoint_args,
             custom_configs=custom_configs
         )
-        #: Is a flag to disable HTTPS. If True, the server will use unsecure HTTP
-        self.disable_https = disable_https
+        #: Is a flag to enable/disable HTTPS. By default set to True.
+        self.ssl = ssl
         #: Is a flag to enable SSO auth. Requires oauth2-proxy to be active for SSO authentication.
         self.enable_auth = enable_auth
         #: The port number on which the server will listen
         self.port = port
         #: A multi-line string that contains the SSL certificate
-        self.ssl_certificate = ssl_certificate
+        self.ssl_cert = ssl_cert
         #: A multi-line string that contains the SSL key
-        self.ssl_certificate_key = ssl_certificate_key
+        self.ssl_key = ssl_key
         #: Prefer server ciphers over client ciphers: on | off
         self.ssl_prefer_server_ciphers = ssl_prefer_server_ciphers
         #: A multioption flag to control session tickets: on | off
@@ -1927,8 +1927,8 @@ def get_port_start(self) -> List[int]:
     def validate(self) -> None:
         super(MgmtGatewaySpec, self).validate()
         self._validate_port(self.port)
-        self._validate_certificate(self.ssl_certificate, "ssl_certificate")
-        self._validate_private_key(self.ssl_certificate_key, "ssl_certificate_key")
+        self._validate_certificate(self.ssl_cert, "ssl_cert")
+        self._validate_private_key(self.ssl_key, "ssl_key")
         self._validate_boolean_switch(self.ssl_prefer_server_ciphers, "ssl_prefer_server_ciphers")
         self._validate_boolean_switch(self.ssl_session_tickets, "ssl_session_tickets")
         self._validate_session_timeout(self.ssl_session_timeout)
@@ -1997,8 +1997,8 @@ def __init__(self,
                  oidc_issuer_url: Optional[str] = None,
                  redirect_url: Optional[str] = None,
                  cookie_secret: Optional[str] = None,
-                 ssl_certificate: Optional[str] = None,
-                 ssl_certificate_key: Optional[str] = None,
+                 ssl_cert: Optional[str] = None,
+                 ssl_key: Optional[str] = None,
                  allowlist_domains: Optional[List[str]] = None,
                  unmanaged: bool = False,
                  extra_container_args: Optional[GeneralArgList] = None,
@@ -2032,9 +2032,9 @@ def __init__(self,
         # 24, or 32 bytes to create an AES cipher.
         self.cookie_secret = cookie_secret or self.generate_random_secret()
         #: The multi-line SSL certificate for encrypting communications.
-        self.ssl_certificate = ssl_certificate
+        self.ssl_cert = ssl_cert
         #: The multi-line SSL certificate private key for decrypting communications.
-        self.ssl_certificate_key = ssl_certificate_key
+        self.ssl_key = ssl_key
         #: List of allowed domains for safe redirection after login or logout,
         # preventing unauthorized redirects.
         self.allowlist_domains = allowlist_domains