author | Ali Maredia <amaredia@redhat.com> | 2022-01-17 14:01:34 -0500 |
---|---|---|
committer | Ali Maredia <amaredia@redhat.com> | 2022-01-20 17:43:55 -0500 |
commit | 99f0e82a9590ea20804651e0a8422fd895800ae3 (patch) | |
tree | 681a64c4b71846c167b331adb0afb14c3f680ef4 | |
parent | e73755faa10bed384772d2d71b1a556a5f38213e (diff) | |
qa: move certificates for kmip task into /etc/ceph
On rhel/centos the ceph user does not have permission
to access these certs which leads to s3-test failures
in teuthology.
Signed-off-by: Ali Maredia <amaredia@redhat.com>
-rw-r--r-- | qa/suites/rgw/crypt/2-kms/kmip.yaml | 6 | ||||
-rw-r--r-- | qa/tasks/rgw.py | 29 |
2 files changed, 32 insertions, 3 deletions
diff --git a/qa/suites/rgw/crypt/2-kms/kmip.yaml b/qa/suites/rgw/crypt/2-kms/kmip.yaml
index 4b2a13f4278..0057d954e32 100644
--- a/qa/suites/rgw/crypt/2-kms/kmip.yaml
+++ b/qa/suites/rgw/crypt/2-kms/kmip.yaml
@@ -3,9 +3,9 @@ overrides:
 conf:
 client:
 rgw crypt s3 kms backend: kmip
- rgw crypt kmip ca path: /home/ubuntu/cephtest/ca/kmiproot.crt
- rgw crypt kmip client cert: /home/ubuntu/cephtest/ca/kmip-client.crt
- rgw crypt kmip client key: /home/ubuntu/cephtest/ca/kmip-client.key
+ rgw crypt kmip ca path: /etc/ceph/kmiproot.crt
+ rgw crypt kmip client cert: /etc/ceph/kmip-client.crt
+ rgw crypt kmip client key: /etc/ceph/kmip-client.key
 rgw crypt kmip kms key template: pykmip-$keyid
 rgw:
 client.0:
diff --git a/qa/tasks/rgw.py b/qa/tasks/rgw.py
index 693d3d4d6d7..3d2542981b1 100644
--- a/qa/tasks/rgw.py
+++ b/qa/tasks/rgw.py
@@ -150,6 +150,35 @@ def start_rgw(ctx, config, clients): '--rgw_crypt_kmip_addr', "{}:{}".format(*ctx.pykmip.endpoints[pykmip_role]), ]) + clientcert = ctx.ssl_certificates.get('kmip-client') + servercert = ctx.ssl_certificates.get('kmip-server') + clientca = ctx.ssl_certificates.get('kmiproot') + + clientkey = clientcert.key + clientcert = clientcert.certificate + serverkey = servercert.key + servercert = servercert.certificate + rootkey = clientca.key + rootcert = clientca.certificate + + cert_path = '/etc/ceph/' + ctx.cluster.only(client).run(args=['sudo', 'cp', clientcert, cert_path]) + ctx.cluster.only(client).run(args=['sudo', 'cp', clientkey, cert_path]) + ctx.cluster.only(client).run(args=['sudo', 'cp', servercert, cert_path]) + ctx.cluster.only(client).run(args=['sudo', 'cp', serverkey, cert_path]) + ctx.cluster.only(client).run(args=['sudo', 'cp', rootkey, cert_path]) + ctx.cluster.only(client).run(args=['sudo', 'cp', rootcert, cert_path]) + + clientcert = cert_path + 'kmip-client.crt' + clientkey = cert_path + 'kmip-client.key' + servercert = cert_path + 'kmip-server.crt' + serverkey = cert_path + 'kmip-server.key' + rootkey = cert_path + 'kmiproot.key' + rootcert = cert_path + 'kmiproot.crt' + + ctx.cluster.only(client).run(args=['sudo', 'chmod', '600', clientcert, clientkey, servercert, serverkey, rootkey, rootcert]) + ctx.cluster.only(client).run(args=['sudo', 'chown', 'ceph', clientcert, clientkey, servercert, serverkey, rootkey, rootcert]) + rgw_cmd.extend([ '--foreground', run.Raw('|'), |
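Review bot: The six `sudo cp` calls put `kmip-server.key` and `kmiproot.key` into `/etc/ceph/` on the rgw host and the final `chown` hands them to `ceph`, although the kmip.yaml overrides in this same commit point rgw only at `kmiproot.crt`, `kmip-client.crt` and `kmip-client.key`. Giving the service account that acts purely as a KMIP client the CA signing key and the server key is more access than the task needs, so I would copy just the three files rgw reads. Separate `cp`, `chmod` and `chown` steps also leave the keys in `/etc/ceph/` with the mode `cp` gave them until the later commands run; a single `install -o ceph -m 600` sets owner and mode together with the copy. Nothing checks that `ctx.ssl_certificates.get(...)` returned an entry before `.key` is read, and no step in the hunk removes the copies afterwards; start_rgw continues outside this hunk, so cleanup may exist elsewhere.

```python
# … unchanged: '--rgw_crypt_kmip_addr' arguments …
clientcert = ctx.ssl_certificates.get('kmip-client')
clientca = ctx.ssl_certificates.get('kmiproot')
if clientcert is None or clientca is None:
    raise ConfigError('kmip-client and kmiproot certificates are required')

# rgw is configured with the client cert, the client key and the root CA
# cert only; the server key and the CA key are deliberately not copied.
needed = [clientcert.certificate, clientcert.key, clientca.certificate]

# install copies and sets owner/mode in one step, so the private key is
# never present in /etc/ceph with a wider mode than 600.
ctx.cluster.only(client).run(
    args=['sudo', 'install', '-o', 'ceph', '-m', '600'] + needed + ['/etc/ceph/'])
# … unchanged: rgw_cmd.extend(['--foreground', …]) …
```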