Implement key rotation on the ceph-radosgw charm

This patchset implements key rotation in the ceph-radosgw charm, by replacing the keyring file if it exists and the ceph-mon relation reports a new key. Change-Id: I447b5f827e39118e7dbd430b1c63b3ec4ea3e176 func-test-pr: openstack-charmers/zaza-openstack-tests#1195
canonical · Apr 16, 2024 · a4a84b7 · a4a84b7
1 parent aef9cd2
commit a4a84b7
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 16 deletions.
diff --git a/ceph-radosgw/hooks/ceph_rgw.py b/ceph-radosgw/hooks/ceph_rgw.py
@@ -50,19 +50,20 @@ def import_radosgw_key(key, name=None):
         link_path = None
         owner = group = 'root'
 
-    if not os.path.exists(keyring_path):
+    exists = os.path.exists(keyring_path)
+    if not exists:
         mkdir(path=os.path.dirname(keyring_path),
               owner=owner, group=group, perms=0o750)
-        cmd = [
-            'ceph-authtool',
-            keyring_path,
-            '--create-keyring',
-            '--name=client.{}'.format(
-                name or 'radosgw.gateway'
-            ),
-            '--add-key={}'.format(key)
-        ]
-        subprocess.check_call(cmd)
+
+    cmd = ['ceph-authtool', keyring_path]
+    if not exists:
+        cmd.append('--create-keyring')
+    cmd.extend([
+        '--name=client.{}'.format(name or 'radosgw.gateway'),
+        '--add-key={}'.format(key)
+    ])
+    subprocess.check_call(cmd)
+    if not exists:
         cmd = [
             'chown',
             '{}:{}'.format(owner, group),
@@ -74,9 +75,8 @@ def import_radosgw_key(key, name=None):
         # operations for multi-site configuration
         if link_path:
             symlink(keyring_path, link_path)
-        return True
 
-    return False
+    return not exists
 
 
 def normalize_pool_name(pool):

diff --git a/ceph-radosgw/hooks/hooks.py b/ceph-radosgw/hooks/hooks.py
@@ -335,8 +335,7 @@ def _mon_relation():
                 key_name = None
 
             if key:
-                new_keyring = ceph.import_radosgw_key(key,
-                                                      name=key_name)
+                ceph.import_radosgw_key(key, name=key_name)
                 # NOTE(jamespage):
                 # Deal with switch from radosgw init script to
                 # systemd named units for radosgw instances by
@@ -358,7 +357,6 @@ def _mon_relation():
                 # in systemd and stop the process restarting once
                 # zone configuration is complete.
                 if (not is_unit_paused_set() and
-                        new_keyring and
                         not multisite_deployment()):
                     log('Resume service "{}" as we now have keys for it.'
                         .format(service_name()), level=DEBUG)

diff --git a/ceph-radosgw/tests/tests.yaml b/ceph-radosgw/tests/tests.yaml
@@ -45,6 +45,7 @@ tests:
     - zaza.openstack.charm_tests.swift.tests.S3APITest
     - zaza.openstack.charm_tests.ceph.tests.CheckPoolTypes
     - zaza.openstack.charm_tests.ceph.tests.BlueStoreCompressionCharmOperation
+    - zaza.openstack.charm_tests.ceph.tests.CephMonKeyRotationTests
 
 tests_options:
   force_deploy: