Bug 1895577 - Support HA and TLS for RGW endpoints
Summary: Support HA and TLS for RGW endpoints
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: Cephadm
Version: 5.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: 5.0
Assignee: Juan Miguel Olmo
QA Contact: Tejas
Karen Norteman
URL:
Whiteboard:
Depends On: 1936887 1944651
Blocks: 1820257
Reported: 2020-11-07 08:47 UTC by Francesco Pantano
Modified: 2021-04-12 08:47 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-04-05 09:51:14 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Ceph Project Bug Tracker 50160 0 None None None 2021-04-06 10:04:22 UTC
Github ceph ceph pull 38166 0 None closed mgr/cephadm: HA for RGW endpoints 2021-02-12 20:32:40 UTC

Description Francesco Pantano 2020-11-07 08:47:22 UTC
Description of problem:

cephadm has a spec that allows running haproxy and keepalived for RGW services.
Provided that some network information is known and passed to the spec file
as described in [1], we need to support TLS in this use-case scenario through the following properties:

haproxy_frontend_ssl_port
haproxy_frontend_ssl_certificate
haproxy_ssl_dh_param
haproxy_ssl_ciphers
haproxy_ssl_options

This work is also tracked via [2]

[1] https://github.com/ceph/ceph/blob/bc604bdc97ac578ca9c496dfdc2e3c333838b432/doc/mgr/orchestrator.rst#high-availability-service-for-rgw
[2] https://projects.engineering.redhat.com/browse/CEPHADM-11


Comment 1 Juan Miguel Olmo 2021-03-04 08:14:25 UTC
This is a 5.0 feature that needs to be tested:

https://docs.ceph.com/en/latest/cephadm/rgw/#high-availability-service-for-rgw

Comment 3 Juan Miguel Olmo 2021-04-05 09:51:14 UTC
This functionality is available with the requirements specified coming from the OpenStack team and also covers the previous Ceph Ansible functionality in this area.
That was the target of this bug and it is implemented and ready to use:
https://docs.ceph.com/en/latest/cephadm/rgw/#high-availability-service-for-rgw

New possibilities around the use of HAProxy and Keepalived with RGW and other services will come in new releases, for example:
https://bugzilla.redhat.com/show_bug.cgi?id=1936887

Comment 5 Juan Miguel Olmo 2021-04-06 10:03:54 UTC
The RGW spec file has an attribute to set the "rgw_frontend_ssl_certificate".

I have realized that we do not have any place in the documentation to expose the complete list of attributes for the RGW service, and I have created https://tracker.ceph.com/issues/50160 to fix this lack of information. For the moment this is the complete list of attributes used for RGW deployments:

                 service_type: str = 'rgw',
                 service_id: Optional[str] = None,
                 placement: Optional[PlacementSpec] = None,
                 rgw_realm: Optional[str] = None,
                 rgw_zone: Optional[str] = None,
                 rgw_frontend_port: Optional[int] = None,
                 rgw_frontend_ssl_certificate: Optional[List[str]] = None,
                 rgw_frontend_type: Optional[str] = None,
                 unmanaged: bool = False,
                 ssl: bool = False,
                 preview_only: bool = False,
                 config: Optional[Dict[str, str]] = None,
                 networks: Optional[List[str]] = None,
                 subcluster: Optional[str] = None,  # legacy, only for from_json on upgrade

Comment 7 Juan Miguel Olmo 2021-04-12 08:47:36 UTC
Hi Francesco,

I am afraid that for the moment you need to use the spec file (and write the big certificate string). Please raise an upstream bug so that your request is taken into account.
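As an added example, not part of this bug or of the Ceph documentation it links to, here is a cephadm spec file that combines the RGW attributes listed in comment 5 with the HA front end referred to in comment 3: an rgw service with `ssl: true` and the certificate pasted inline under `rgw_frontend_ssl_certificate` (the "big certificate string" of comment 7), plus an ingress service terminating TLS in HAProxy. The ingress keys (`backend_service`, `virtual_ip`, `frontend_port`, `monitor_port`, `ssl_cert`, `ssl_dh_param`, `ssl_ciphers`, `ssl_options`) are the Pacific-era field names as I know them and should be checked against the docs for the exact release; hostnames, addresses and PEM bodies are placeholders.

```yaml
# rgw-ha-tls.yaml (constructed example) -- apply with: ceph orch apply -i rgw-ha-tls.yaml
# Document 1: the RGW daemons, serving TLS themselves (attributes from comment 5).
service_type: rgw
service_id: myrealm.myzone            # placeholder realm.zone
placement:
  hosts:
    - host1                            # placeholder hostnames
    - host2
rgw_realm: myrealm
rgw_zone: myzone
rgw_frontend_port: 8443
ssl: true
# Certificate and private key concatenated as one PEM block scalar; comment 5 types this
# field as List[str], and cephadm also accepts a list of lines, but a block string is easier to paste.
rgw_frontend_ssl_certificate: |
  -----BEGIN CERTIFICATE-----
  <placeholder: RGW server certificate>
  -----END CERTIFICATE-----
  -----BEGIN PRIVATE KEY-----
  <placeholder: RGW private key; this ends up in the mon store, so restrict access to the spec file>
  -----END PRIVATE KEY-----
---
# Document 2: HAProxy + keepalived in front of the RGW daemons (the HA service of comment 3).
service_type: ingress
service_id: rgw.myrealm.myzone
placement:
  hosts:
    - host1
    - host2
backend_service: rgw.myrealm.myzone   # must match "<service_type>.<service_id>" of the rgw service above
virtual_ip: 192.0.2.10/24             # placeholder VIP (RFC 5737 documentation range)
frontend_port: 443                    # what clients connect to
monitor_port: 1967                    # HAProxy stats endpoint; keep it off the public interface
ssl_cert: |                           # HAProxy-facing certificate + key, PEM
  -----BEGIN CERTIFICATE-----
  <placeholder: front-end certificate>
  -----END CERTIFICATE-----
  -----BEGIN PRIVATE KEY-----
  <placeholder: front-end private key>
  -----END PRIVATE KEY-----
ssl_dh_param: |                       # counterpart of haproxy_ssl_dh_param from the description
  -----BEGIN DH PARAMETERS-----
  <placeholder: output of "openssl dhparam 2048">
  -----END DH PARAMETERS-----
# Counterparts of haproxy_ssl_ciphers / haproxy_ssl_options from the description:
# restrict to AEAD suites with forward secrecy and disable legacy protocol versions.
ssl_ciphers: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
ssl_options: no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
```

After applying, `ceph orch ls --service_type ingress` and `ceph orch ps` show whether the haproxy and keepalived daemons came up, and a client connection to the VIP on port 443 confirms which certificate is actually presented.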

