Description of problem: Need documentation to configure SSL for calamari-lite. BZ 1332313 implemented SSL for calamari.
https://gitlab.cee.redhat.com/red-hat-ceph-storage-documentation/doc-Red_Hat_Ceph_Storage_2-Installation_Guide/blob/bde1932e94b59d609b1f633b3ab465800f1d449c/RHEL/topics/cli-calamari-server.adoc
Hi John, I have the following comments:

1) The contents of the doc mentioned in comment 2 need to be part of the 2.0 installation doc - RHEL and Ubuntu.
2) "Install calamari-server" does not have any instructions to do so. Need this to be updated with the ceph-ansible, manual and USM way of doing it.
3) "Save a certificate to a path, preferably under /etc/calamari/ssl/private/." Need to mention how to get the certificate file.
4) "Save a key associated to the certificate to a path, preferably under /etc/calamari/ssl/private/." Clarify whether this key is "/etc/calamari/ssl/private/calamari-lite.key" or something else & how to get it?
5) Please add one more section on how to configure calamari SSL using a self-signed key.

Thanks, Harish
1. I've added it to the Ubuntu documentation as well.
2. There are CLI instructions. You install it on a monitor node that already has the monitor running and the mon packages enabled. RHSC already does this automatically. There is no discrete step. There is a [restapi] role in Ansible, but I was expressly asked by engineering to omit it.
3. A few things: calamari-ctl initialize already creates a self-signed certificate and key for you. So you should not have to create a key and certificate unless you're adamant about spending money with a CA. It's the same process as generating a key and cert for any web server. I've added a link to the RHEL 7 docs on this. However, HTTPS should work right after you initialize.
4. You may call the files anything you like. The key and secret are provided by the CA process. It's just like generating it for a web server. You can call the files anything you like, but you need to specify the path and filename in the config file if they are different from the defaults in the config file.
5. It's more or less the same process. See the link in the updated doc.
(In reply to John Wilkins from comment #4)

> 1. I've added it to the Ubuntu documentation as well.

Can you please share the link?

> 2. There are CLI instructions. You install it on a monitor node that already
> has the monitor running and the mon packages enabled. RHSC already does this
> automatically. There is no discrete step. There is a [restapi] role in
> Ansible, but I was expressly asked by engineering to omit it.

What do we tell customers on how to install/configure calamari-lite via ceph-ansible?

> 3. A few things: calamari-ctl initialize already creates a self-signed
> certificate and key for you. So you should not have to create a key and
> certificate unless you're adamant about spending money with a CA. It's the
> same process as generating a key and cert for any web server. I've added a
> link to the RHEL 7 docs on this. However, HTTPS should work right after you
> initialize.

Please share the latest link to the docs.

> 4. You may call the files anything you like. The key and secret are provided
> by the CA process. It's just like generating it for a web server. You can
> call the files anything you like, but you need to specify the path and
> filename in the config file if they are different from the defaults in the
> config file.
>
> 5. It's more or less the same process. See the link in the updated doc.

I have used the same steps to configure SSL using a self-signed key. You may want to mention as a note that those steps are common to both methods.
John, please share the link to the latest docs.
(In reply to Harish NV Rao from comment #5)

> (In reply to John Wilkins from comment #4)
> > 1. I've added it to the Ubuntu documentation as well.
> Can you please share the link?

https://access.qa.redhat.com/documentation/en/red-hat-ceph-storage/2/installation-guide-for-red-hat-enterprise-linux/#installing_calamari_server

> > 2. There are CLI instructions. You install it on a monitor node that already
> > has the monitor running and the mon packages enabled. RHSC already does this
> > automatically. There is no discrete step. There is a [restapi] role in
> > Ansible, but I was expressly asked by engineering to omit it.
> What do we tell customers on how to install/configure calamari-lite via
> ceph-ansible?

We don't tell them how to do it. Greg Meno, who manages the installation, expressly told me that we are not supporting that role at this time. So I have omitted it from the docs per his instructions.
Comments:

1) Section 3.3.3 in https://access.qa.redhat.com/documentation/en/red-hat-ceph-storage/2/installation-guide-for-red-hat-enterprise-linux/#calamari_server_installation talks about the self-signed cert and key generated by calamari but does not mention explicitly how to use them.
2) The command "systemctl enable diamond" in step 7 of section 3.3.3 does not work. It fails with: "Failed to execute operation: Access denied". "rpm -qa | grep diamond" on my calamari (mon) node returned nothing. Diamond packages are not installed. Do we need this?
3) Step 7 in 3.3.3 does not contain the command for re-initializing calamari-lite (calamari-ctl initialize). Don't we need it?
(In reply to Harish NV Rao from comment #9)

> Comments:
> 1) Section 3.3.3 in
> https://access.qa.redhat.com/documentation/en/red-hat-ceph-storage/2/
> installation-guide-for-red-hat-enterprise-linux/
> #calamari_server_installation talks about the self-signed cert and key generated
> by calamari but does not mention explicitly how to use them.

They are enabled by default. There is no need to explain their usage.

> 2) The command "systemctl enable diamond" in step 7 of section 3.3.3 does
> not work. It fails with: "Failed to execute operation: Access denied".
> "rpm -qa | grep diamond" on my calamari (mon) node returned nothing.
> Diamond packages are not installed. Do we need this?

No. Step 7 is completely incorrect. It should be replaced by an invocation of calamari-ctl initialize, like you suggest below.

> 3) Step 7 in 3.3.3 does not contain the command for re-initializing calamari-lite
> (calamari-ctl initialize). Don't we need it?

Yes, see above.

Also, John: where you describe "To use a key and certificate from a CA, perform the following:", I recommend omitting step 1 (delete keys). This will cause all traffic to calamari to fail until the keys are replaced. Alternatively, you could move it to the end.
https://access.qa.redhat.com/documentation/en/red-hat-ceph-storage/2/single/installation-guide-for-red-hat-enterprise-linux#calamari_server_installation
A) The note section says: "Note: During initialization, the calamari-server will generate a self-signed certificate and a private key and place them in the /etc/calamari/ssl/private/". Please change this to "Note: During initialization, the calamari-server will generate a self-signed certificate and a private key and place them in /etc/calamari/ssl/certs/ and /etc/calamari/ssl/private/ respectively".

B) Both the RHEL and Ubuntu docs have this: "To use a key and certificate from a CA, perform the following: Purchase a certificate from a CA. During the process, you will generate a private key and a certificate for CA. Or you can also use a self-signed certificate. See Generate a New Key and Certificate for details."

When I click on the link "Generate a New Key and Certificate" in the above step, it takes me to the RHEL Admin guide. A couple of questions/comments:

1) Is this link really needed? Calamari creates a self-signed key and cert anyway. Can we suggest that the user use them instead of creating new ones?
2) The link actually points to the RHEL admin doc, but the same link is referred to from the Ubuntu installation doc as well. The instructions from the RHEL admin doc may not work on an Ubuntu mon node. Please point to the right doc for Ubuntu.
3) Can we assume that the user has already got the key & cert (self-signed or CA-provided) and document just the steps to use those certificates in the ceph environment?

Please check and consider, if possible, removing this link, as we already have calamari generating a self-signed key and cert.
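A pre-flight check for the "use a key and certificate from a CA" step discussed in this thread, added here as an example (not from this bug or the Red Hat docs): it confirms the new certificate and key belong together before copying them into the /etc/calamari/ssl/certs/ and /etc/calamari/ssl/private/ directories, and it never deletes the existing self-signed pair first, which is the outage Greg warns about in comment 10. The file names calamari-lite.crt and calamari-lite.key, the backup suffix and the environment-variable overrides for the directories are assumptions; the documented re-initialize step is left to the operator.

```shell
#!/bin/sh
# Added example, not part of the Red Hat Ceph Storage docs or this bug.
# Directories follow the thread; file names and env overrides are assumptions.
set -u

CALAMARI_CERT_DIR="${CALAMARI_CERT_DIR:-/etc/calamari/ssl/certs}"
CALAMARI_KEY_DIR="${CALAMARI_KEY_DIR:-/etc/calamari/ssl/private}"

# cert_key_match CERT KEY: succeeds only if the public key embedded in CERT
# equals the public half of KEY. Comparing SPKI blobs works for RSA and EC.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_is_valid_now CERT: succeeds if CERT is inside its validity window.
cert_is_valid_now() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# install_pair CERT KEY: validate, back up whatever is already installed,
# then copy the new pair in with restrictive modes. Nothing is removed up
# front, so a failed validation leaves the current HTTPS setup untouched.
install_pair() {
    cert_key_match "$1" "$2" || { echo "certificate and key do not match" >&2; return 1; }
    cert_is_valid_now "$1"   || { echo "certificate expired or not yet valid" >&2; return 1; }
    stamp=$(date +%Y%m%d%H%M%S)
    for f in "$CALAMARI_CERT_DIR/calamari-lite.crt" "$CALAMARI_KEY_DIR/calamari-lite.key"; do
        if [ -f "$f" ]; then cp -p "$f" "$f.bak.$stamp"; fi
    done
    install -m 0644 "$1" "$CALAMARI_CERT_DIR/calamari-lite.crt" &&
    install -m 0600 "$2" "$CALAMARI_KEY_DIR/calamari-lite.key"
}
```

Run as `install_pair new.crt new.key` on the monitor node, then re-initialize calamari-lite as the guide describes; if the paths differ from the defaults, point the config file at them as John notes in comment 4.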
Updated the note and removed the hyperlink. See https://access.qa.redhat.com/documentation/en/red-hat-ceph-storage/2/single/installation-guide-for-red-hat-enterprise-linux#calamari_server_installation

3) I think it is simpler to use the self-signed key rather than having them generate another one. That should work on both RHEL and Ubuntu, and it's simpler that way.
There is one small change needed in the Ubuntu doc, for which I will create a separate defect. Moving this defect to the verified state for now.