Merge pull request ceph#59174 from adk3798/cephadm-rgw-generate-cert

adk3798 · web-flow · commit c0d5b9a9c6ec · 2024-09-18T14:54:29.000-04:00
mgr/cephadm: add ability for cephadm to generate frontend cert for rgw

Reviewed-by: John Mulligan &lt;jmulligan@redhat.com&gt;
diff --git a/src/pybind/mgr/cephadm/cert_mgr.py b/src/pybind/mgr/cephadm/cert_mgr.py
@@ -21,7 +21,7 @@ def __init__(self, mgr: "CephadmOrchestrator", ip: str) -> None:
             except SSLConfigException:
                 raise Exception("Cannot load cephadm root CA certificates.")
         else:
-            self.ssl_certs.generate_root_cert(ip)
+            self.ssl_certs.generate_root_cert(addr=ip)
             mgr.cert_key_store.save_cert(self.CEPHADM_ROOT_CA_CERT, self.ssl_certs.get_root_cert())
             mgr.cert_key_store.save_key(self.CEPHADM_ROOT_CA_KEY, self.ssl_certs.get_root_key())
 
diff --git a/src/pybind/mgr/cephadm/services/cephadmservice.py b/src/pybind/mgr/cephadm/services/cephadmservice.py
@@ -1010,6 +1010,12 @@ def config(self, spec: RGWSpec) -> None:  # type: ignore
                 'value': spec.rgw_zone,
             })
 
+        if spec.generate_cert and not spec.rgw_frontend_ssl_certificate:
+            # generate a self-signed cert for the rgw service
+            cert, key = self.mgr.cert_mgr.ssl_certs.generate_root_cert(custom_san_list=spec.zonegroup_hostnames)
+            spec.rgw_frontend_ssl_certificate = ''.join([key, cert])
+            self.mgr.spec_store.save(spec)
+
         if spec.rgw_frontend_ssl_certificate:
             if isinstance(spec.rgw_frontend_ssl_certificate, list):
                 cert_data = '\n'.join(spec.rgw_frontend_ssl_certificate)
diff --git a/src/pybind/mgr/cephadm/ssl_cert_utils.py b/src/pybind/mgr/cephadm/ssl_cert_utils.py
@@ -1,5 +1,5 @@
 
-from typing import Any, Tuple, IO, List, Union
+from typing import Any, Tuple, IO, List, Union, Optional
 import ipaddress
 
 from datetime import datetime, timedelta
@@ -21,7 +21,11 @@ def __init__(self) -> None:
         self.key_file: IO[bytes]
         self.cert_file: IO[bytes]
 
-    def generate_root_cert(self, addr: str) -> Tuple[str, str]:
+    def generate_root_cert(
+        self,
+        addr: Optional[str] = None,
+        custom_san_list: Optional[List[str]] = None
+    ) -> Tuple[str, str]:
         self.root_key = rsa.generate_private_key(
             public_exponent=65537, key_size=4096, backend=default_backend())
         root_public_key = self.root_key.public_key()
@@ -36,12 +40,19 @@ def generate_root_cert(self, addr: str) -> Tuple[str, str]:
         root_builder = root_builder.not_valid_after(datetime.now() + timedelta(days=(365 * 10 + 3)))
         root_builder = root_builder.serial_number(x509.random_serial_number())
         root_builder = root_builder.public_key(root_public_key)
+
+        san_list: List[x509.GeneralName] = []
+        if addr:
+            san_list.extend([x509.IPAddress(ipaddress.ip_address(addr))])
+        if custom_san_list:
+            san_list.extend([x509.DNSName(n) for n in custom_san_list])
         root_builder = root_builder.add_extension(
             x509.SubjectAlternativeName(
-                [x509.IPAddress(ipaddress.ip_address(addr))]
+                san_list
             ),
             critical=False
         )
+
         root_builder = root_builder.add_extension(
             x509.BasicConstraints(ca=True, path_length=None), critical=True,
         )
diff --git a/src/pybind/mgr/cephadm/tests/test_node_proxy.py b/src/pybind/mgr/cephadm/tests/test_node_proxy.py
@@ -37,7 +37,7 @@ def __init__(self) -> None:
         self.http_server = MagicMock()
         self.http_server.agent = MagicMock()
         self.http_server.agent.ssl_certs = SSLCerts()
-        self.http_server.agent.ssl_certs.generate_root_cert(self.get_mgr_ip())
+        self.http_server.agent.ssl_certs.generate_root_cert(addr=self.get_mgr_ip())
         self.cert_mgr = FakeCertMgr()
 
     def get_mgr_ip(self) -> str:
diff --git a/src/python-common/ceph/deployment/service_spec.py b/src/python-common/ceph/deployment/service_spec.py
@@ -1208,7 +1208,7 @@ def __init__(self,
                  rgw_zonegroup: Optional[str] = None,
                  rgw_zone: Optional[str] = None,
                  rgw_frontend_port: Optional[int] = None,
-                 rgw_frontend_ssl_certificate: Optional[List[str]] = None,
+                 rgw_frontend_ssl_certificate: Optional[Union[str, List[str]]] = None,
                  rgw_frontend_type: Optional[str] = None,
                  rgw_frontend_extra_args: Optional[List[str]] = None,
                  unmanaged: bool = False,
@@ -1223,11 +1223,12 @@ def __init__(self,
                  rgw_realm_token: Optional[str] = None,
                  update_endpoints: Optional[bool] = False,
                  zone_endpoints: Optional[str] = None,  # comma separated endpoints list
-                 zonegroup_hostnames: Optional[str] = None,
+                 zonegroup_hostnames: Optional[List[str]] = None,
                  rgw_user_counters_cache: Optional[bool] = False,
                  rgw_user_counters_cache_size: Optional[int] = None,
                  rgw_bucket_counters_cache: Optional[bool] = False,
                  rgw_bucket_counters_cache_size: Optional[int] = None,
+                 generate_cert: bool = False,
                  ):
         assert service_type == 'rgw', service_type
 
@@ -1257,7 +1258,8 @@ def __init__(self,
         #: Port of the RGW daemons
         self.rgw_frontend_port: Optional[int] = rgw_frontend_port
         #: List of SSL certificates
-        self.rgw_frontend_ssl_certificate: Optional[List[str]] = rgw_frontend_ssl_certificate
+        self.rgw_frontend_ssl_certificate: Optional[Union[str, List[str]]] \
+            = rgw_frontend_ssl_certificate
         #: civetweb or beast (default: beast). See :ref:`rgw_frontends`
         self.rgw_frontend_type: Optional[str] = rgw_frontend_type
         #: List of extra arguments for rgw_frontend in the form opt=value. See :ref:`rgw_frontends`
@@ -1277,6 +1279,8 @@ def __init__(self,
         self.rgw_bucket_counters_cache = rgw_bucket_counters_cache
         #: Used to set number of entries in each cache of bucket counters
         self.rgw_bucket_counters_cache_size = rgw_bucket_counters_cache_size
+        #: Whether we should generate a cert/key for the user if not provided
+        self.generate_cert = generate_cert
 
     def get_port_start(self) -> List[int]:
         return [self.get_port()]
@@ -1305,6 +1309,10 @@ def validate(self) -> None:
                     'Additional rgw type parameters can be passed using rgw_frontend_extra_args.'
                 )
 
+        if self.generate_cert and not self.ssl:
+            raise SpecValidationError('"ssl" field must be set to true when "generate_cert" '
+                                      'is set to true')
+
 
 yaml.add_representer(RGWSpec, ServiceSpec.yaml_representer)
 
