Bug 2351287 - [RFE] Cephadm. Introducing Certmgr[TP]. MVP. Check for Certificate expiration and warn in Ceph status [NEEDINFO]
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: Cephadm
Version: 8.1
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 8.1
Assignee: Adam King
QA Contact: Sayalee
Rivka Pollack
URL:
Whiteboard:
Depends On:
Blocks: 2351689
Reported: 2025-03-11 06:56 UTC by daniel parkes
Modified: 2025-06-09 10:42 UTC (History)

Fixed In Version: ceph-19.2.1-43
Doc Type: Technology Preview
Doc Text:
.New Cephadm certificate lifecycle management for improved Ceph cluster security
With this enhancement, Cephadm now has certificate lifecycle management in the certmgr subsystem. This feature provides a unified mechanism to provision, rotate, and apply TLS certificates for Ceph services, supporting both user-provided and automatically generated cephadm-signed certificates.
As part of this feature, certmgr periodically checks the status of all certificates managed by Cephadm and issues health warnings for any that are nearing expiration, misconfigured, or invalid. This improves Ceph cluster security and simplifies certificate management through automation and proactive alerts.
Clone Of:
Environment:
Last Closed:
Embargoed:
adking: needinfo? (rkachach)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHCEPH-10814 0 None None None 2025-03-11 06:57:05 UTC

Description daniel parkes 2025-03-11 06:56:03 UTC
Tech Preview: Introducing Certmgr. MVP. Check for Certificate expiration and warn in Ceph status

Problem
Currently, Cephadm does not have a mechanism to proactively warn users about expiring certificates for ingress services or RGW. This lack of visibility can lead to unexpected downtime or degraded service if certificates expire without renewal. A similar check is already available in Grafana; we must extend this functionality to Ingress and RGW services.

Goal
Introduce a certificate expiration check within Cephadm that monitors certificates used by ingress services and RGW. If a certificate is approaching its expiration date, Ceph status will display a warning. This feature will ensure that users are proactively informed about certificate expiration through the primary health status interface they use to manage their clusters.

