Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1895577

Summary: Support HA and TLS for RGW endpoints
Product: Red Hat Ceph Storage (Red Hat Storage)
Reporter: Francesco Pantano <fpantano>
Component: Cephadm
Assignee: Juan Miguel Olmo <jolmomar>
Status: CLOSED WORKSFORME
QA Contact: Tejas <tchandra>
Severity: high
Docs Contact: Karen Norteman <knortema>
Priority: unspecified
Version: 5.0
CC: gfidente, johfulto, jolmomar, pnataraj, vereddy
Target Milestone: ---
Target Release: 5.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-04-05 09:51:14 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1936887, 1944651
Bug Blocks: 1820257

Description Francesco Pantano 2020-11-07 08:47:22 UTC
Description of problem:

cephadm has a spec that allows running haproxy and keepalived for RGW services.
Provided that some network information is known and passed to the spec file
as described in [1], we need to support TLS in this use-case scenario through the following properties:

haproxy_frontend_ssl_port
haproxy_frontend_ssl_certificate
haproxy_ssl_dh_param
haproxy_ssl_ciphers
haproxy_ssl_options

This work is also tracked via [2]

[1] https://github.com/ceph/ceph/blob/bc604bdc97ac578ca9c496dfdc2e3c333838b432/doc/mgr/orchestrator.rst#high-availability-service-for-rgw
[2] https://projects.engineering.redhat.com/browse/CEPHADM-11  



Comment 1 Juan Miguel Olmo 2021-03-04 08:14:25 UTC
This is a 5.0 feature that needs to be tested:

https://docs.ceph.com/en/latest/cephadm/rgw/#high-availability-service-for-rgw

Comment 3 Juan Miguel Olmo 2021-04-05 09:51:14 UTC
This functionality is available with the requirements that came from the OpenStack team, and it also covers the previous ceph-ansible functionality in this area.
That was the target of this bug, and it is implemented and ready to use:
https://docs.ceph.com/en/latest/cephadm/rgw/#high-availability-service-for-rgw

New possibilities around the use of HAProxy and Keepalived with RGW and other services will come in new releases, for example:
https://bugzilla.redhat.com/show_bug.cgi?id=1936887

Comment 5 Juan Miguel Olmo 2021-04-06 10:03:54 UTC
The RGW spec file has an attribute to set the "rgw_frontend_ssl_certificate".

I have realized that we do not have any place in the documentation to expose the complete list of attributes for the RGW service, and I have created https://tracker.ceph.com/issues/50160 to fix this lack of information. For the moment this is the complete list of attributes used for RGW deployments:

service_type: str = 'rgw',
service_id: Optional[str] = None,
placement: Optional[PlacementSpec] = None,
rgw_realm: Optional[str] = None,
rgw_zone: Optional[str] = None,
rgw_frontend_port: Optional[int] = None,
rgw_frontend_ssl_certificate: Optional[List[str]] = None,
rgw_frontend_type: Optional[str] = None,
unmanaged: bool = False,
ssl: bool = False,
preview_only: bool = False,
config: Optional[Dict[str, str]] = None,
networks: Optional[List[str]] = None,
subcluster: Optional[str] = None,  # legacy, only for from_json on upgrade
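As an added example, not code from this bug, from cephadm or from the Ceph project: a small Python helper that turns a PEM certificate and its private key into an RGW service spec with `ssl: true` and `rgw_frontend_ssl_certificate` populated as the list of lines that the `Optional[List[str]]` attribute above suggests. It assumes, since nothing on this page confirms it, that the field carries the private key followed by the certificate, that the service-specific attributes live under a `spec:` subsection, and that the generated file is applied with `ceph orch apply -i`. The PEM blocks in the sample are constructed placeholders with valid base64 bodies, not real key material. The check that both a `PRIVATE KEY` and a `CERTIFICATE` block are present and decodable is the point: the whole certificate string has to be written into the spec, so it is worth validating before it is committed to the cluster.

```python
"""Build a cephadm RGW spec with TLS enabled (added example, not Ceph code).

Assumptions (not stated on the bug page):
  * rgw_frontend_ssl_certificate holds the PEM private key followed by the
    PEM certificate, split into lines;
  * service-specific attributes go under a top-level `spec:` mapping;
  * the result is applied with `ceph orch apply -i rgw.yml`.
"""
import base64
import binascii
import json
import re
from typing import Dict, List, Optional

# One PEM block: matching BEGIN/END labels around a base64-looking body.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]*?)\s*"
    r"-----END (?P=label)-----"
)


def pem_blocks(text: str) -> List[str]:
    """Return the labels of the PEM blocks in `text`.

    Raises ValueError when a block's body is not valid base64, which is the
    usual symptom of a certificate pasted into a spec file with a line lost.
    """
    labels = []
    for m in PEM_RE.finditer(text):
        body = "".join(m.group("body").split())
        try:
            base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"PEM block {m.group('label')} has a malformed body") from exc
        labels.append(m.group("label"))
    return labels


def rgw_tls_spec(service_id: str, cert_pem: str, key_pem: str,
                 hosts: Optional[List[str]] = None, port: int = 443) -> Dict:
    """Return a spec dict with ssl enabled and the key+cert embedded as lines."""
    labels = pem_blocks(key_pem + cert_pem)
    if "CERTIFICATE" not in labels:
        raise ValueError("no CERTIFICATE block supplied")
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        raise ValueError("no PRIVATE KEY block supplied; the frontend needs the key too")
    # Key first, then certificate (assumed order); drop blank lines so the
    # list maps one-to-one onto the PEM file that would otherwise be pasted.
    lines = [ln for ln in (key_pem + cert_pem).splitlines() if ln.strip()]
    return {
        "service_type": "rgw",
        "service_id": service_id,
        "placement": {"hosts": hosts or ["host1"]},
        "spec": {
            "rgw_frontend_port": port,
            "ssl": True,
            "rgw_frontend_ssl_certificate": lines,
        },
    }


def _scalar(v) -> str:
    """YAML scalar; strings are emitted double-quoted (JSON strings are valid YAML)."""
    if isinstance(v, bool):
        return "true" if v else "false"
    if isinstance(v, (int, float)):
        return str(v)
    return json.dumps(v)


def to_yaml(value, indent: int = 0) -> str:
    """Minimal YAML emitter for the nested dict/list-of-scalars shape used here."""
    pad = " " * indent
    if isinstance(value, dict):
        out = []
        for k, v in value.items():
            if isinstance(v, (dict, list)) and v:
                out.append(f"{pad}{k}:\n{to_yaml(v, indent + 2)}")
            else:
                out.append(f"{pad}{k}: {_scalar(v)}")
        return "\n".join(out)
    if isinstance(value, list):
        return "\n".join(f"{pad}- {_scalar(v)}" for v in value)
    return pad + _scalar(value)


def fake_pem(label: str, payload: bytes) -> str:
    """Constructed PEM block with a valid base64 body; not real DER content."""
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed sample input (placeholder bytes, not a real key or certificate).
SAMPLE_KEY = fake_pem("PRIVATE KEY", b"constructed placeholder, not a real key " * 3)
SAMPLE_CERT = fake_pem("CERTIFICATE", b"constructed placeholder, not real DER " * 4)

if __name__ == "__main__":
    spec = rgw_tls_spec("rgw.default", SAMPLE_CERT, SAMPLE_KEY, hosts=["host1", "host2"])
    print(to_yaml(spec))  # save as rgw.yml, then: ceph orch apply -i rgw.yml
```

Running the block prints a spec whose `rgw_frontend_ssl_certificate:` list starts with the `-----BEGIN PRIVATE KEY-----` line and ends with `-----END CERTIFICATE-----`; feeding it a certificate without the key, or a PEM block with a truncated body, raises ValueError instead of producing a spec that cephadm would accept and RGW would then fail to start with.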

Comment 7 Juan Miguel Olmo 2021-04-12 08:47:36 UTC
Hi Francesco, 

I am afraid that for the moment you need to use the spec file (and write the big certificate string). Please raise an upstream bug to take your request into account.