-
Notifications
You must be signed in to change notification settings - Fork 6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
mgr/cephadm: allow passing client/server cert/key in nvmeof spec #57672
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seem OK on first look. ping me to look again when it's out of draft.
self.mgr.cert_key_store.rm_cert('nvmeof_server_cert', service_name=spec.service_name()) | ||
self.mgr.cert_key_store.rm_cert('nvmeof_client_cert', service_name=spec.service_name()) | ||
self.mgr.cert_key_store.rm_cert('nvmeof_root_ca_cert', service_name=spec.service_name()) | ||
self.mgr.cert_key_store.rm_key('nvmeof_server_key', service_name=spec.service_name()) | ||
self.mgr.cert_key_store.rm_key('nvmeof_client_key', service_name=spec.service_name()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit. What about?
self.mgr.cert_key_store.rm_cert('nvmeof_server_cert', service_name=spec.service_name()) | |
self.mgr.cert_key_store.rm_cert('nvmeof_client_cert', service_name=spec.service_name()) | |
self.mgr.cert_key_store.rm_cert('nvmeof_root_ca_cert', service_name=spec.service_name()) | |
self.mgr.cert_key_store.rm_key('nvmeof_server_key', service_name=spec.service_name()) | |
self.mgr.cert_key_store.rm_key('nvmeof_client_key', service_name=spec.service_name()) | |
CERTS = [ | |
'server_cert', | |
'client_cert', | |
'root_ca_cert', | |
] | |
KEYS = [ | |
'server_key', | |
'client_key', | |
] | |
for cert in CERTS: | |
self.mgr.cert_key_store.rm_cert(f'nvmeof_{cert}', service_name=spec.service_name()) | |
for key in KEYS: | |
self.mgr.cert_key_store.rm_key(f'nvmeof_{key}', service_name=spec.service_name()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is absolutely better, but I have plans for a follow up PR that will address some of the code ugliness in the original and I don't want to mix those changes in with this sort of new feature being done here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Didn't know (or forgot) about this feature. Like it!
Before this patch the client/server cert/key fields were just filepaths that told the nvmeof gw daemon where to look for the cert/key. There's not much reason why users would care where in the nvmeof gw container the cert goes. It's more useful to use these fields as a way to pass the certs/keys to the daemon and then just hardcode where in the container we'll place the certs/keys Signed-off-by: Adam King <adking@redhat.com>
Also improves the error messaging around when spec/key attributes are missing when enable_auth is set to true Signed-off-by: Adam King <adking@redhat.com>
Now that we're taking actual certs/keys in the spec, they should go into the cert/key store with the others Signed-off-by: Adam King <adking@redhat.com>
In order to be able to grab certs/keys stored in the new CertKeyStore class Signed-off-by: Adam King <adking@redhat.com>
This needed changes to reflect changes made to the conf to not have the certs stored at a relative path and the addition of the root ca cert Signed-off-by: Adam King <adking@redhat.com>
This exception type is made to handle the formatting of errors where we try to find a cert/key in the cert/key store and can't Signed-off-by: Adam King <adking@redhat.com>
This pull request can no longer be automatically merged: a rebase is needed and changes have to be manually resolved |
Before this patch the client/server cert/key fields were just filepaths that told the nvmeof gw daemon where to look for the cert/key. There's not much reason why users would care where in the nvmeof gw container the cert goes. It's more useful to use these fields as a way to pass the certs/keys to the daemon and then just hardcode where in the container we'll place the certs/keys
Contribution Guidelines
To sign and title your commits, please refer to Submitting Patches to Ceph.
If you are submitting a fix for a stable branch (e.g. "quincy"), please refer to Submitting Patches to Ceph - Backports for the proper workflow.
When filling out the below checklist, you may click boxes directly in the GitHub web UI. When entering or editing the entire PR message in the GitHub web UI editor, you may also select a checklist item by adding an
x
between the brackets:[x]
. Spaces and capitalization matter when checking off items this way.Checklist
Show available Jenkins commands
jenkins retest this please
jenkins test classic perf
jenkins test crimson perf
jenkins test signed
jenkins test make check
jenkins test make check arm64
jenkins test submodules
jenkins test dashboard
jenkins test dashboard cephadm
jenkins test api
jenkins test docs
jenkins render docs
jenkins test ceph-volume all
jenkins test ceph-volume tox
jenkins test windows
jenkins test rook e2e