mgr/dasboard : Injest certificate mgmt API into services API

[abhidesai6]

fixes : https://tracker.ceph.com/issues/74039
Signed-off-by: Abhishek Desai abhishek.desai1@ibm.com

UTC :

Screencast.From.2025-12-11.13-45-42.mp4

Screencast.From.2025-12-11.13-48-55.mp4

Contribution Guidelines

• To sign and title your commits, please refer to Submitting Patches to Ceph.

• If you are submitting a fix for a stable branch (e.g. "quincy"), please refer to Submitting Patches to Ceph - Backports for the proper workflow.

• When filling out the below checklist, you may click boxes directly in the GitHub web UI. When entering or editing the entire PR message in the GitHub web UI editor, you may also select a checklist item by adding an x between the brackets: [x]. Spaces and capitalization matter when checking off items this way.

Checklist

• Tracker (select at least one)
  • References tracker ticket
  • Very recent bug; references commit where it was introduced
  • New feature (ticket optional)
  • Doc update (no ticket needed)
  • Code cleanup (no ticket needed)
• Component impact
  • Affects Dashboard, opened tracker ticket
  • Affects Orchestrator, opened tracker ticket
  • No impact that needs to be tracked
• Documentation (select at least one)
  • Updates relevant documentation
  • No doc update is appropriate
• Tests (select at least one)
  • Includes unit test(s)
  • Includes integration test(s)
  • Includes bug reproducer
  • No tests

Show available Jenkins commands

• jenkins test classic perf Jenkins Job | Jenkins Job Definition
• jenkins test crimson perf Jenkins Job | Jenkins Job Definition
• jenkins test signed Jenkins Job | Jenkins Job Definition
• jenkins test make check Jenkins Job | Jenkins Job Definition
• jenkins test make check arm64 Jenkins Job | Jenkins Job Definition
• jenkins test submodules Jenkins Job | Jenkins Job Definition
• jenkins test dashboard Jenkins Job | Jenkins Job Definition
• jenkins test dashboard cephadm Jenkins Job | Jenkins Job Definition
• jenkins test api Jenkins Job | Jenkins Job Definition
• jenkins test docs ReadTheDocs | Github Workflow Definition
• jenkins test ceph-volume all Jenkins Jobs | Jenkins Jobs Definition
• jenkins test windows Jenkins Job | Jenkins Job Definition
• jenkins test rook e2e Jenkins Job | Jenkins Job Definition

You must only issue one Jenkins command per-comment. Jenkins does not understand
comments with more than one command.

[Pegonzal]

Hey @abhidesai6 I just went over your PR a first time, I'll try to double check it (since it's a big PR) in case I missed anything important. But overall looks good to me, pretty good job.

I've left some code suggestions and some things I believe that should be changed, please let me know what you think.

Also, I see we are completly flattening the provided information, this is what I get when listing:

{
    "cert_name": "cephadm-signed_agent_cert",
    "scope": "HOST",
    "signed_by": "cephadm",
    "status": "valid",
    "days_to_expiration": 1803,
    "expiry_date": null,
    "issuer": null,
    "common_name": "192.168.100.100",
    "target": "ceph-node-00",
    "subject": {
      "commonName": "192.168.100.100"
    },
    "key_type": null,
    "key_size": null
  }

I see common_name and commonName under subject do we want to keep both?

[abhidesai6]

jenkins test make check

[abhidesai6]

jenkins test make check arm64

[abhidesai6]

jenkins test make check arm64

[nizamial09]

@abhidesai6 : here is a first impression review. tbh this is not a full review since I couldn't go through the entire code in the services/certificate.py since it was quite big. For future references, if you think a code will grow bigger, it'd be better if you could split the PR into different PRs so that it'd make it easier for reviewers to give proper review and make it look less scarier :P

[nizamial09]

just to understand the functionality of this function better, can you paste the before and after of the cert_ls result?

[abhidesai6]

Added Before and after of cert_ls_result to docString

:cert_ls_input:
            input: {
                'rgw_ssl_cert': {
                    'scope': 'service',
                    'certificates': {
                        'rgw.nashik': {
                            'subject': {
                                'organizationName': 'ceph',
                                'commonName': '192.168.100.100:8443'
                            },
                            'validity': {'remaining_days': -42}
                        }
                    }
                }
            }
            output: [{
                'cert_name': 'rgw_ssl_cert',
                'scope': 'SERVICE',
                'signed_by': 'user',
                'status': 'expired',
                'days_to_expiration': -42,
                'expiry_date': None,
                'issuer': None,
                'common_name': '192.168.100.100:8443',
                'target': 'rgw.nashik'
            }]
        """

[Pegonzal]

Hey @abhidesai6 pretty good job with this, I left a bunch of comments most are nitpicks and some are things that I believe could be improved, however the most relevant one would be around the methods used to select the services like I asked in the _select_service_certificate.

Would like to understand this better before giving the approval, I'll check this back tomorrow, and thanks again for the great work!

[Pegonzal]

LGTM, thanks for all the effort here @abhidesai6 , good job.

Not enough bandwith to revisit, dm'ed to confirm is ok to proceed