update source to Ceph Pacific 16.2.2

[ceph.git] / ceph / qa / tasks / openssl_keys.py

diff --git a/ceph/qa/tasks/openssl_keys.py b/ceph/qa/tasks/openssl_keys.py
index 3cc4ed8a5ec6fa6a711092dfa0709d6624a713da..f9a7f7edecca96a86fb24b864ffd653ca82d0bcd 100644 (file)
--- a/ceph/qa/tasks/openssl_keys.py
+++ b/ceph/qa/tasks/openssl_keys.py
@@ -108,11 +108,21 @@ class OpenSSLKeys(Task):
 
         cert.remote.run(args=['mkdir', '-p', self.cadir])
 
-        cert.key = '{}/{}.key'.format(self.cadir, cert.name)
-        cert.certificate = '{}/{}.crt'.format(self.cadir, cert.name)
+        cert.key = f'{self.cadir}/{cert.name}.key'
+        cert.certificate = f'{self.cadir}/{cert.name}.crt'
+
+        san_ext = []
+        add_san_default = False
+        cn = config.get('cn', '')
+        if cn == '':
+            cn = cert.remote.hostname
+            add_san_default = True
+        if config.get('add-san', add_san_default):
+            ext = f'{self.cadir}/{cert.name}.ext'
+            san_ext = ['-extfile', ext]
 
         # provide the common name in -subj to avoid the openssl command prompts
-        subject = '/CN={}'.format(config.get('cn', cert.remote.hostname))
+        subject = f'/CN={cn}'
 
         # if a ca certificate is provided, use it to sign the new certificate
         ca = config.get('ca', None)
@@ -120,25 +130,33 @@ class OpenSSLKeys(Task):
             # the ca certificate must have been created by a prior ssl task
             ca_cert = self.ctx.ssl_certificates.get(ca, None)
             if not ca_cert:
-                raise ConfigError('ssl: ca {} not found for certificate {}'
-                        .format(ca, cert.name))
+                raise ConfigError(f'ssl: ca {ca} not found for certificate {cert.name}')
+
+            csr = f'{self.cadir}/{cert.name}.csr'
+            srl = f'{self.cadir}/{ca_cert.name}.srl'
+            remove_files = ['rm', csr, srl]
 
             # these commands are run on the ca certificate's client because
             # they need access to its private key and cert
 
             # generate a private key and signing request
-            csr = '{}/{}.csr'.format(self.cadir, cert.name)
             ca_cert.remote.run(args=['openssl', 'req', '-nodes',
                 '-newkey', cert.key_type, '-keyout', cert.key,
                 '-out', csr, '-subj', subject])
 
+            if san_ext:
+                remove_files.append(ext)
+                ca_cert.remote.write_file(path=ext,
+                    data='subjectAltName = DNS:{},IP:{}'.format(
+                        cn,
+                        config.get('ip', cert.remote.ip_address)))
+
             # create the signed certificate
             ca_cert.remote.run(args=['openssl', 'x509', '-req', '-in', csr,
                 '-CA', ca_cert.certificate, '-CAkey', ca_cert.key, '-CAcreateserial',
-                '-out', cert.certificate, '-days', '365', '-sha256'])
+                '-out', cert.certificate, '-days', '365', '-sha256'] + san_ext)
 
-            srl = '{}/{}.srl'.format(self.cadir, ca_cert.name)
-            ca_cert.remote.run(args=['rm', csr, srl]) # clean up the signing request and serial
+            ca_cert.remote.run(args=remove_files) # clean up the signing request and serial
 
             # verify the new certificate against its ca cert
             ca_cert.remote.run(args=['openssl', 'verify',