Bug 1839336

Summary: [ceph][doc] beast frontend ssl and ceph-ansible configuration
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: Mustafa Aydın <maydin>
Component: DocumentationAssignee: Anjana Suparna Sriram <asriram>
Documentation sub component: Object Gateway Guide QA Contact: Madhavi Kasturi <mkasturi>
Status: NEW --- Docs Contact:
Severity: medium    
Priority: unspecified CC: asriram, kdreyer, vereddy
Version: 4.0   
Target Milestone: rc   
Target Release: Backlog   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Mustafa Aydın 2020-05-23 13:17:09 UTC 
Description of problem:

At the following section , we should mention that the certification file should be copied to the RGWs into a folder which is accessible by the container (ex: /etc/ceph/).  We should also show an example how to configure beast rgw ( SSL and w/o SSL) with ceph-ansible.

https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/3/html-single/object_gateway_guide_for_red_hat_enterprise_linux/index#using-the-beast-front-end-rgw

Version-Release number of selected component (if applicable):
4.0
Comment 1 John Brier 2020-06-19 20:51:37 UTC 
Thanks Mustafa.

Can you provide those steps, in particular the config of beast using ceph-ansible (with and without SSL)?
Comment 2 Mustafa Aydın 2020-06-23 08:53:12 UTC 

I think there are many ways to achieve it (through group_vars or host_vars),for instance at one of my case where I used host_vars since only some of the RGWs was supposed  to communicate through SSL;

- Copy the file rgwcertificate.pem (this file should contain  the certificate and the key)  to /etc/pki/ca-trust/extracted/ directory of the RGWs where SSL is required
- Add the host based variables under host_vars directory

[root@mustafa host_vars]# cat klcphdrgt1 
radosgw_address: 4.4.4.4
radosgw_frontend_port: 443
radosgw_frontend_ssl_certificate: "/etc/pki/ca-trust/extracted/rgwcertificate.pem"

This is where these variables are rendered and ceph-ansible;

roles/ceph-config/templates/ceph.conf.j2

...
[client.rgw.{{ _rgw_hostname + '.' + instance['instance_name'] }}]
host = {{ _rgw_hostname }}
keyring = /var/lib/ceph/radosgw/{{ cluster }}-rgw.{{ _rgw_hostname + '.' + instance['instance_name'] }}/keyring
log file = /var/log/ceph/{{ cluster }}-rgw-{{ hostvars[host]['ansible_hostname'] + '.' + instance['instance_name'] }}.log
{% set _rgw_binding_socket = instance['radosgw_address'] | default(_radosgw_address) | string + ':' + instance['radosgw_frontend_port'] | default(radosgw_frontend_port) | string %}
{%- macro frontend_line(frontend_type) -%}
{%- if frontend_type == 'civetweb' -%}
{{ radosgw_frontend_type }} port={{ _rgw_binding_socket }}{{ 's ssl_certificate='+radosgw_frontend_ssl_certificate if radosgw_frontend_ssl_certificate else '' }}
{%- elif frontend_type == 'beast' -%}
{{ radosgw_frontend_type }} {{ 'ssl_' if radosgw_frontend_ssl_certificate else '' }}endpoint={{ _rgw_binding_socket }}{{ ' ssl_certificate='+radosgw_frontend_ssl_certificate if radosgw_frontend_ssl_certificate else '' }}
{%- endif -%}
{%- endmacro -%}
rgw frontends = {{ frontend_line(radosgw_frontend_type) }} {{ radosgw_frontend_options }}
{% if 'num_threads' not in radosgw_frontend_options %}
rgw thread pool size = {{ radosgw_thread_pool_size }}
{% endif %}
...

There are also some other options you can set such as "radosgw_thread_pool_size".

radosgw_frontend_port is an important variable for non-ssl use case (https://bugzilla.redhat.com/show_bug.cgi?id=1828066);

roles/ceph-defaults/defaults/main.yml:radosgw_frontend_port: "{{ radosgw_civetweb_port if radosgw_frontend_type == 'civetweb' else '8080' }}"