From 940be7fdfc6729ffeb7dd37d50943a2aeecdcda6 Mon Sep 17 00:00:00 2001
From: Luciano Lo Giudice
Date: Tue, 9 Apr 2024 12:02:05 -0300
Subject: [PATCH] Implement key rotation on the ceph-radosgw charm

This patchset implements key rotation in the ceph-radosgw charm, by replacing the keyring file if it exists and the ceph-mon relation reports a new key.

Change-Id: I447b5f827e39118e7dbd430b1c63b3ec4ea3e176
func-test-pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/1195
---
 hooks/ceph_rgw.py | 26 +++++++++++++-------------
 hooks/hooks.py | 4 +---
 tests/tests.yaml | 1 +
 3 files changed, 15 insertions(+), 16 deletions(-)

diff --git a/hooks/ceph_rgw.py b/hooks/ceph_rgw.py
index d3a98604..85067dd6 100644
--- a/hooks/ceph_rgw.py
+++ b/hooks/ceph_rgw.py
@@ -50,19 +50,20 @@ def import_radosgw_key(key, name=None):
         link_path = None
         owner = group = 'root'
 
-    if not os.path.exists(keyring_path):
+    exists = os.path.exists(keyring_path)
+    if not exists:
         mkdir(path=os.path.dirname(keyring_path), owner=owner,
               group=group, perms=0o750)
-        cmd = [
-            'ceph-authtool',
-            keyring_path,
-            '--create-keyring',
-            '--name=client.{}'.format(
-                name or 'radosgw.gateway'
-            ),
-            '--add-key={}'.format(key)
-        ]
-        subprocess.check_call(cmd)
+
+    cmd = ['ceph-authtool', keyring_path]
+    if not exists:
+        cmd.append('--create-keyring')
+    cmd.extend([
+        '--name=client.{}'.format(name or 'radosgw.gateway'),
+        '--add-key={}'.format(key)
+    ])
+    subprocess.check_call(cmd)
+    if not exists:
         cmd = [
             'chown',
             '{}:{}'.format(owner, group),
@@ -74,9 +75,8 @@ def import_radosgw_key(key, name=None):
         # operations for multi-site configuration
         if link_path:
             symlink(keyring_path, link_path)
 
-        return True
-    return False
+    return not exists
 
 
 def normalize_pool_name(pool):
diff --git a/hooks/hooks.py b/hooks/hooks.py
index ffecae3a..d362a9bb 100755
--- a/hooks/hooks.py
+++ b/hooks/hooks.py
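Review bot: The secret still travels on the command line in `'--add-key={}'.format(key)`, where it is readable in the process table by any local user for the lifetime of the ceph-authtool call, and with this hunk that call now happens on every mon-relation-changed that reports a key rather than only once at first creation; writing the key to a mode-0600 temporary keyring and importing it with ceph-authtool's `--import-keyring` would keep it off argv. The rotation path also relies on ceph-authtool replacing the existing `client.<name>` entry when `--add-key` is run against an existing keyring, which is presumably the case but is not checked here; a comment on the `cmd.extend([` block such as `# On an existing keyring --add-key replaces the key for client.<name>; this is how a rotated key lands on disk` would record that assumption. Note that `exists` is evaluated before the mkdir, so a keyring that appears between the check and the ceph-authtool call would be overwritten with `--create-keyring`; harmless for a charm hook but worth a line if that assumption ever changes. import_radosgw_key begins before this hunk.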
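Review bot: `return not exists` changes what the boolean means — it used to say "a keyring was created", now it says "this was the first write, not a rotation" — and the function's docstring (its def line sits outside this hunk) should say so, because the only visible caller in hooks.py drops the result in this same commit and a future caller will otherwise guess. A docstring along the lines of "Write key into the radosgw keyring for client.<name>, creating the keyring, its directory, ownership and the /etc/ceph symlink on first use and replacing the key in place afterwards. Return True when the keyring was newly created, False when an existing keyring was updated." would match the new behaviour. It would also be worth stating there that the caller is responsible for restarting the daemon after a rotation, since nothing in this function does.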
@@ -335,8 +335,7 @@ def mon_relation(rid=None, unit=None):
         key_name = None
 
     if key:
-        new_keyring = ceph.import_radosgw_key(key,
-                                              name=key_name)
+        ceph.import_radosgw_key(key, name=key_name)
         # NOTE(jamespage):
         # Deal with switch from radosgw init script to
         # systemd named units for radosgw instances by
@@ -358,7 +357,6 @@ def mon_relation(rid=None, unit=None):
         # in systemd and stop the process restarting once
         # zone configuration is complete.
         if (not is_unit_paused_set() and
-                new_keyring and
                 not multisite_deployment()):
             log('Resume service "{}" as we now have keys for it.'
                 .format(service_name()), level=DEBUG)
diff --git a/tests/tests.yaml b/tests/tests.yaml
index 1fe9b0fc..6b2be35c 100644
--- a/tests/tests.yaml
+++ b/tests/tests.yaml
@@ -45,6 +45,7 @@ tests:
     - zaza.openstack.charm_tests.swift.tests.S3APITest
     - zaza.openstack.charm_tests.ceph.tests.CheckPoolTypes
     - zaza.openstack.charm_tests.ceph.tests.BlueStoreCompressionCharmOperation
+    - zaza.openstack.charm_tests.ceph.tests.CephMonKeyRotationTests
 
 tests_options:
   force_deploy:
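Review bot: Nothing in this hook acts on the rotation after `ceph.import_radosgw_key(key, name=key_name)` rewrites the keyring: the running radosgw process holds the old key in memory and keeps authenticating with it until it is restarted, so unless the keyring path is covered by the restart_on_change map applied to mon_relation (not visible in this hunk) the gateway will start failing against the mons as soon as the old key is retired. Either confirm the keyring file is in restart_map() or restart the service explicitly when the import reports that an existing keyring was updated, and say which in a comment on the call, e.g. `# Rotation rewrites the keyring in place; the daemon must be restarted to pick up the new key (handled via restart_map()).` In the second hunk, dropping `new_keyring and` means the resume branch now runs on every mon-relation-changed that carries a key, so the DEBUG message "as we now have keys for it" no longer describes a one-time event; wording such as `'Resume service "{}" as keys are available for it.'` would be accurate. mon_relation continues outside both hunks.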