mgr/cephadm: allow passing client/server cert/key in nvmeof spec #57672
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
epuertat
reviewed
Jul 4, 2024
Comment on lines
+458
to
+482
| self.mgr.cert_key_store.rm_cert('nvmeof_server_cert', service_name=spec.service_name()) | ||
| self.mgr.cert_key_store.rm_cert('nvmeof_client_cert', service_name=spec.service_name()) | ||
| self.mgr.cert_key_store.rm_cert('nvmeof_root_ca_cert', service_name=spec.service_name()) | ||
| self.mgr.cert_key_store.rm_key('nvmeof_server_key', service_name=spec.service_name()) | ||
| self.mgr.cert_key_store.rm_key('nvmeof_client_key', service_name=spec.service_name()) |
There was a problem hiding this comment.
Nit. What about?
Suggested change
| self.mgr.cert_key_store.rm_cert('nvmeof_server_cert', service_name=spec.service_name()) | |
| self.mgr.cert_key_store.rm_cert('nvmeof_client_cert', service_name=spec.service_name()) | |
| self.mgr.cert_key_store.rm_cert('nvmeof_root_ca_cert', service_name=spec.service_name()) | |
| self.mgr.cert_key_store.rm_key('nvmeof_server_key', service_name=spec.service_name()) | |
| self.mgr.cert_key_store.rm_key('nvmeof_client_key', service_name=spec.service_name()) | |
| CERTS = [ | |
| 'server_cert', | |
| 'client_cert', | |
| 'root_ca_cert', | |
| ] | |
| KEYS = [ | |
| 'server_key', | |
| 'client_key', | |
| ] | |
| for cert in CERTS: | |
| self.mgr.cert_key_store.rm_cert(f'nvmeof_{cert}', service_name=spec.service_name()) | |
| for key in KEYS: | |
| self.mgr.cert_key_store.rm_key(f'nvmeof_{key}', service_name=spec.service_name()) |
There was a problem hiding this comment.
This is absolutely better, but I have plans for a follow up PR that will address some of the code ugliness in the original and I don't want to mix those changes in with this sort of new feature being done here.
epuertat
reviewed
Jul 4, 2024
epuertat
reviewed
Jul 4, 2024
Before this patch the client/server cert/key fields were just filepaths that told the nvmeof gw daemon where to look for the cert/key. There's not much reason why users would care where in the nvmeof gw container the cert goes. It's more useful to use these fields as a way to pass the certs/keys to the daemon and then just hardcode where in the container we'll place the certs/keys Signed-off-by: Adam King <adking@redhat.com>
Also improves the error messaging around when spec/key attributes are missing when enable_auth is set to true Signed-off-by: Adam King <adking@redhat.com>
Now that we're taking actual certs/keys in the spec, they should go into the cert/key store with the others Signed-off-by: Adam King <adking@redhat.com>
In order to be able to grab certs/keys stored in the new CertKeyStore class Signed-off-by: Adam King <adking@redhat.com>
This needed changes to reflect changes made to the conf to not have the certs stored at a relative path and the addition of the root ca cert Signed-off-by: Adam King <adking@redhat.com>
This exception type is made to handle the formatting of errors where we try to find a cert/key in the cert/key store and can't Signed-off-by: Adam King <adking@redhat.com>
|
This pull request can no longer be automatically merged: a rebase is needed and changes have to be manually resolved |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Before this patch the client/server cert/key fields were just filepaths that told the nvmeof gw daemon where to look for the cert/key. There's not much reason why users would care where in the nvmeof gw container the cert goes. It's more useful to use these fields as a way to pass the certs/keys to the daemon and then just hardcode where in the container we'll place the certs/keys
Contribution Guidelines
To sign and title your commits, please refer to Submitting Patches to Ceph.
If you are submitting a fix for a stable branch (e.g. "quincy"), please refer to Submitting Patches to Ceph - Backports for the proper workflow.
When filling out the below checklist, you may click boxes directly in the GitHub web UI. When entering or editing the entire PR message in the GitHub web UI editor, you may also select a checklist item by adding an
xbetween the brackets:[x]. Spaces and capitalization matter when checking off items this way.Checklist
Show available Jenkins commands
jenkins retest this pleasejenkins test classic perfjenkins test crimson perfjenkins test signedjenkins test make checkjenkins test make check arm64jenkins test submodulesjenkins test dashboardjenkins test dashboard cephadmjenkins test apijenkins test docsjenkins render docsjenkins test ceph-volume alljenkins test ceph-volume toxjenkins test windowsjenkins test rook e2e