openstack/charm-ceph-radosgw
Code Issues Proposed changes

Implement key rotation on the ceph-radosgw charm

Browse Source 
This patchset implements key rotation in the ceph-radosgw charm,
by replacing the keyring file if it exists and the ceph-mon
relation reports a new key.

Change-Id: I447b5f827e39118e7dbd430b1c63b3ec4ea3e176
func-test-pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/1195
This commit is contained in:
Luciano Lo Giudice 2024-04-09 12:02:05 -03:00
parent 6f2a7540e8
commit 940be7fdfc
3 changed files with 15 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
hooks/ceph_rgw.py
View File

@ -50,19 +50,20 @@ def import_radosgw_key(key, name=None):
link_path = None link_path = None
owner = group = 'root' owner = group = 'root'
if not os.path.exists(keyring_path): exists = os.path.exists(keyring_path)
if not exists:
mkdir(path=os.path.dirname(keyring_path), mkdir(path=os.path.dirname(keyring_path),
owner=owner, group=group, perms=0o750) owner=owner, group=group, perms=0o750)
cmd = [
'ceph-authtool', cmd = ['ceph-authtool', keyring_path]
keyring_path, if not exists:
'--create-keyring', cmd.append('--create-keyring')
'--name=client.{}'.format( cmd.extend([
name or 'radosgw.gateway' '--name=client.{}'.format(name or 'radosgw.gateway'),
),
'--add-key={}'.format(key) '--add-key={}'.format(key)
] ])
subprocess.check_call(cmd) subprocess.check_call(cmd)
if not exists:
cmd = [ cmd = [
'chown', 'chown',
'{}:{}'.format(owner, group), '{}:{}'.format(owner, group),
@ -74,9 +75,8 @@ def import_radosgw_key(key, name=None):
# operations for multi-site configuration # operations for multi-site configuration
if link_path: if link_path:
symlink(keyring_path, link_path) symlink(keyring_path, link_path)
return True
return False return not exists
def normalize_pool_name(pool): def normalize_pool_name(pool):

4
hooks/hooks.py
View File

@ -335,8 +335,7 @@ def mon_relation(rid=None, unit=None):
key_name = None key_name = None
if key: if key:
new_keyring = ceph.import_radosgw_key(key, ceph.import_radosgw_key(key, name=key_name)
name=key_name)
# NOTE(jamespage): # NOTE(jamespage):
# Deal with switch from radosgw init script to # Deal with switch from radosgw init script to
# systemd named units for radosgw instances by # systemd named units for radosgw instances by
@ -358,7 +357,6 @@ def mon_relation(rid=None, unit=None):
# in systemd and stop the process restarting once # in systemd and stop the process restarting once
# zone configuration is complete. # zone configuration is complete.
if (not is_unit_paused_set() and if (not is_unit_paused_set() and
new_keyring and
not multisite_deployment()): not multisite_deployment()):
log('Resume service "{}" as we now have keys for it.' log('Resume service "{}" as we now have keys for it.'
.format(service_name()), level=DEBUG) .format(service_name()), level=DEBUG)

1
tests/tests.yaml
View File

@ -45,6 +45,7 @@ tests:
- zaza.openstack.charm_tests.swift.tests.S3APITest - zaza.openstack.charm_tests.swift.tests.S3APITest
- zaza.openstack.charm_tests.ceph.tests.CheckPoolTypes - zaza.openstack.charm_tests.ceph.tests.CheckPoolTypes
- zaza.openstack.charm_tests.ceph.tests.BlueStoreCompressionCharmOperation - zaza.openstack.charm_tests.ceph.tests.BlueStoreCompressionCharmOperation
- zaza.openstack.charm_tests.ceph.tests.CephMonKeyRotationTests
tests_options: tests_options:
force_deploy: force_deploy: