Update ceph-manager to recover TLS certificate

Code changes in client.py to recreate the TLS CA certificate
temporary file if it had been unexpectedly removed or not found.
Without this temporary file, ceph-manager can not check health of
ceph by ceph-api and raise Ceph-Down alarm even if the cluster were
operational.

The exception thrown by the requests library is an IOError raised in the
cert_verify method. _refresh_session is a method that sets the
certificate file if it has not been set before. But if the
certificate file has been set and was later removed, the method
does not try to set it again. To avoid duplicated code, a flag has been
added to this method to force the recovery of the TLS certificate.

Closes-Bug: #1940471

Signed-off-by: Daniel Pinto Barros <DanielPinto.Barros@windriver.com>
Change-Id: Icb15337e1e76ae92cd62631190a6739960f6245d
Daniel Pinto Barros 2021-08-18 16:18:14 -04:00
parent d97698505e
commit 6bdea932bd


@ -1,5 +1,5 @@
#
# Copyright (c) 2019 Wind River Systems, Inc.
# Copyright (c) 2019-2021 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
@ -70,10 +70,10 @@ class CephClient(object):
atexit.register(
self._cleanup_certificate)
def _refresh_session(self):
def _refresh_session(self, force_certificate_refresh=False):
self.session = requests.Session()
self.session.auth = (self.username, self.password)
if not self.cert_file:
if not self.cert_file or force_certificate_refresh:
self._get_certificate()
self.session.verify = self.cert_file.name
else:
@ -234,8 +234,6 @@ class CephClient(object):
LOG.warning('Incorrect password for user \'{}\'. '
'Fetch user password via list-keys '
'and retry.'.format(self.username))
if self.retry_timeout > 0:
time.sleep(self.retry_timeout)
self._get_password()
self._refresh_session()
except (requests.ConnectionError,
@ -246,10 +244,17 @@ class CephClient(object):
LOG.warning(
'Request error: {}. '
'Refresh restful service URL and retry'.format(e))
if self.retry_timeout > 0:
time.sleep(self.retry_timeout)
self._get_service_url()
self._refresh_session()
except IOError as e:
if not credit:
raise
LOG.warning(
'Request error: {}. '
'Recovering TLS CA certificate and retrying'.format(e))
self._refresh_session(force_certificate_refresh=True)
if self.retry_timeout > 0:
time.sleep(self.retry_timeout)
if format == 'json':
return self._make_json_result(prefix, result)
elif format == 'text':
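Review bot: The new `except IOError as e:` handler in the retry loop catches more than the missing-CA-file case it was written for: requests' `RequestException` derives from `IOError`, so any request error not named in the earlier `except` tuples (which are only partly visible here) also ends up forcing `_refresh_session(force_certificate_refresh=True)`. Because the re-created file becomes `session.verify`, the trust anchor for the restful API, I would rebuild it only when the file is really gone, for example by adding `if self.cert_file and os.path.exists(self.cert_file.name): raise` after the `credit` check (assuming `os` is imported in client.py). It would also help to put a comment above the handler, such as `# cert_verify raises IOError when the CA bundle temp file has been removed`, so the reason for catching such a wide type stays visible. The enclosing method starts and ends outside this hunk, and the page has lost indentation, so I could not confirm where the relocated `time.sleep(self.retry_timeout)` sits relative to the handlers.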