Implement key rotation on the ceph-radosgw charm

This patchset implements key rotation in the ceph-radosgw charm, by replacing the keyring file if it exists and the ceph-mon relation reports a new key. Change-Id: I447b5f827e39118e7dbd430b1c63b3ec4ea3e176 func-test-pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/1195
2024-04-09 12:02:05 -03:00 · 2024-04-09 12:02:05 -03:00 · 940be7fdfc
parent 6f2a7540e8
commit 940be7fdfc
3 changed files with 15 additions and 16 deletions
--- a/hooks/ceph_rgw.py
+++ b/hooks/ceph_rgw.py
@ -50,19 +50,20 @@ def import_radosgw_key(key, name=None):
        link_path = None
        owner = group = 'root'

-    if not os.path.exists(keyring_path):
+    exists = os.path.exists(keyring_path)
+    if not exists:
        mkdir(path=os.path.dirname(keyring_path),
              owner=owner, group=group, perms=0o750)
-        cmd = [
-            'ceph-authtool',
-            keyring_path,
-            '--create-keyring',
-            '--name=client.{}'.format(
-                name or 'radosgw.gateway'
-            ),
-            '--add-key={}'.format(key)
-        ]
-        subprocess.check_call(cmd)
+
+    cmd = ['ceph-authtool', keyring_path]
+    if not exists:
+        cmd.append('--create-keyring')
+    cmd.extend([
+        '--name=client.{}'.format(name or 'radosgw.gateway'),
+        '--add-key={}'.format(key)
+    ])
+    subprocess.check_call(cmd)
+    if not exists:
        cmd = [
            'chown',
            '{}:{}'.format(owner, group),
@ -74,9 +75,8 @@ def import_radosgw_key(key, name=None):
        # operations for multi-site configuration
        if link_path:
            symlink(keyring_path, link_path)
-        return True

-    return False
+    return not exists


 def normalize_pool_name(pool):
--- a/hooks/hooks.py
+++ b/hooks/hooks.py
@ -335,8 +335,7 @@ def mon_relation(rid=None, unit=None):
                key_name = None

            if key:
-                new_keyring = ceph.import_radosgw_key(key,
-                                                      name=key_name)
+                ceph.import_radosgw_key(key, name=key_name)
                # NOTE(jamespage):
                # Deal with switch from radosgw init script to
                # systemd named units for radosgw instances by
@ -358,7 +357,6 @@ def mon_relation(rid=None, unit=None):
                # in systemd and stop the process restarting once
                # zone configuration is complete.
                if (not is_unit_paused_set() and
-                        new_keyring and
                        not multisite_deployment()):
                    log('Resume service "{}" as we now have keys for it.'
                        .format(service_name()), level=DEBUG)
--- a/tests/tests.yaml
+++ b/tests/tests.yaml
@ -45,6 +45,7 @@ tests:
    - zaza.openstack.charm_tests.swift.tests.S3APITest
    - zaza.openstack.charm_tests.ceph.tests.CheckPoolTypes
    - zaza.openstack.charm_tests.ceph.tests.BlueStoreCompressionCharmOperation
+    - zaza.openstack.charm_tests.ceph.tests.CephMonKeyRotationTests

 tests_options:
  force_deploy: