Bug 1839336 - [ceph][doc] beast frontend ssl and ceph-ansible configuration
Summary: [ceph][doc] beast frontend ssl and ceph-ansible configuration
Keywords:
Status: NEW
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: Documentation
Version: 4.0
Hardware: All
OS: All
unspecified
medium
Target Milestone: rc
: Backlog
Assignee: Anjana Suparna Sriram
QA Contact: Madhavi Kasturi
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-05-23 13:17 UTC by Mustafa Aydın
Modified: 2023-07-25 18:12 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHCEPH-4372 0 None None None 2022-05-24 08:22:51 UTC

Description Mustafa Aydın 2020-05-23 13:17:09 UTC 
Description of problem:

At the following section , we should mention that the certification file should be copied to the RGWs into a folder which is accessible by the container (ex: /etc/ceph/).  We should also show an example how to configure beast rgw ( SSL and w/o SSL) with ceph-ansible.

https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/3/html-single/object_gateway_guide_for_red_hat_enterprise_linux/index#using-the-beast-front-end-rgw

Version-Release number of selected component (if applicable):
4.0
Comment 1 John Brier 2020-06-19 20:51:37 UTC 
Thanks Mustafa.

Can you provide those steps, in particular the config of beast using ceph-ansible (with and without SSL)?
Comment 2 Mustafa Aydın 2020-06-23 08:53:12 UTC 

I think there are many ways to achieve it (through group_vars or host_vars),for instance at one of my case where I used host_vars since only some of the RGWs was supposed  to communicate through SSL;

- Copy the file rgwcertificate.pem (this file should contain  the certificate and the key)  to /etc/pki/ca-trust/extracted/ directory of the RGWs where SSL is required
- Add the host based variables under host_vars directory

[root@mustafa host_vars]# cat klcphdrgt1 
radosgw_address: 4.4.4.4
radosgw_frontend_port: 443
radosgw_frontend_ssl_certificate: "/etc/pki/ca-trust/extracted/rgwcertificate.pem"

This is where these variables are rendered and ceph-ansible;

roles/ceph-config/templates/ceph.conf.j2

...
[client.rgw.{{ _rgw_hostname + '.' + instance['instance_name'] }}]
host = {{ _rgw_hostname }}
keyring = /var/lib/ceph/radosgw/{{ cluster }}-rgw.{{ _rgw_hostname + '.' + instance['instance_name'] }}/keyring
log file = /var/log/ceph/{{ cluster }}-rgw-{{ hostvars[host]['ansible_hostname'] + '.' + instance['instance_name'] }}.log
{% set _rgw_binding_socket = instance['radosgw_address'] | default(_radosgw_address) | string + ':' + instance['radosgw_frontend_port'] | default(radosgw_frontend_port) | string %}
{%- macro frontend_line(frontend_type) -%}
{%- if frontend_type == 'civetweb' -%}
{{ radosgw_frontend_type }} port={{ _rgw_binding_socket }}{{ 's ssl_certificate='+radosgw_frontend_ssl_certificate if radosgw_frontend_ssl_certificate else '' }}
{%- elif frontend_type == 'beast' -%}
{{ radosgw_frontend_type }} {{ 'ssl_' if radosgw_frontend_ssl_certificate else '' }}endpoint={{ _rgw_binding_socket }}{{ ' ssl_certificate='+radosgw_frontend_ssl_certificate if radosgw_frontend_ssl_certificate else '' }}
{%- endif -%}
{%- endmacro -%}
rgw frontends = {{ frontend_line(radosgw_frontend_type) }} {{ radosgw_frontend_options }}
{% if 'num_threads' not in radosgw_frontend_options %}
rgw thread pool size = {{ radosgw_thread_pool_size }}
{% endif %}
...

There are also some other options you can set such as "radosgw_thread_pool_size".

radosgw_frontend_port is an important variable for non-ssl use case (https://bugzilla.redhat.com/show_bug.cgi?id=1828066);

roles/ceph-defaults/defaults/main.yml:radosgw_frontend_port: "{{ radosgw_civetweb_port if radosgw_frontend_type == 'civetweb' else '8080' }}"
Note You need to log in before you can comment on or make changes to this bug.