Merge pull request #34658 from matthewoliver/cephadm_iscsi_ssl

cephadm: Make ceph-iscsi SSL aware Reviewed-by: Jason Dillaman <dillaman@redhat.com> Reviewed-by: Sebastian Wagner <sebastian.wagner@suse.com>
2025-01-01 08:32:24 +00:00 · 2020-05-05 10:37:07 +02:00 · 2020-05-05 10:37:07 +02:00 · 16c330cba9
commit 16c330cba9
parent af2dae1384 4c942d0594
2 changed files with 28 additions and 1 deletions
--- a/src/pybind/mgr/cephadm/module.py
+++ b/src/pybind/mgr/cephadm/module.py
@ -2863,10 +2863,34 @@ class CephadmOrchestrator(orchestrator.Orchestrator, MgrModule):
        ret, keyring, err = self.check_mon_command({
            'prefix': 'auth get-or-create',
            'entity': utils.name_to_config_section('iscsi') + '.' + igw_id,
-            'caps': ['mon', 'allow rw',
+            'caps': ['mon', 'profile rbd, '
+                            'allow command "osd blacklist", '
+                            'allow command "config-key get" with "key" prefix "iscsi/"',
                     'osd', f'allow rwx pool={spec.pool}'],
        })

+        if spec.ssl_cert:
+            if isinstance(spec.ssl_cert, list):
+                cert_data = '\n'.join(spec.ssl_cert)
+            else:
+                cert_data = spec.ssl_cert
+            ret, out, err = self.mon_command({
+                'prefix': 'config-key set',
+                'key': f'iscsi/{utils.name_to_config_section("iscsi")}.{igw_id}/iscsi-gateway.crt',
+                'val': cert_data,
+            })
+
+        if spec.ssl_key:
+            if isinstance(spec.ssl_key, list):
+                key_data = '\n'.join(spec.ssl_key)
+            else:
+                key_data = spec.ssl_key
+            ret, out, err = self.mon_command({
+                'prefix': 'config-key set',
+                'key': f'iscsi/{utils.name_to_config_section("iscsi")}.{igw_id}/iscsi-gateway.key',
+                'val': key_data,
+            })
+
        api_secure = 'false' if spec.api_secure is None else spec.api_secure
        igw_conf = f"""
 # generated by cephadm
--- a/src/python-common/ceph/deployment/service_spec.py
+++ b/src/python-common/ceph/deployment/service_spec.py
@ -597,6 +597,9 @@ class IscsiServiceSpec(ServiceSpec):
        self.ssl_cert = ssl_cert
        self.ssl_key = ssl_key

+        if not self.api_secure and self.ssl_cert and self.ssl_key:
+            self.api_secure = True
+
    def validate_add(self):
        servicespec_validate_add(self)