SSL/TLS RGW Configuration on Octopus Ceph Cluster
Ceph v15.2 aka. Octopus was released this year and along with it a new way of installing Ceph - cephadm.
Ceph is slowly moving service configuration to the orchestrator (e.g. Rook, cephadm) interface.
What this means is that you no longer configure services (i.e. RADOS Gateway - RGW) by editing the
file but rather you use the
ceph CLI to store configs into a key-value store.
Configuring SSL/TLS for your RGW Instance
- Have your RGW’s valid SSL/TLS certificate ready on a machine that has access to the
- Run the following commands, replacing the RGW realm, zone and certificate files:
$ ceph config-key set rgw/cert/<rgw_realm>/<rgw_zone>.crt -i <cert_file> # replace with .pem certificate $ ceph config-key set rgw/cert/<rgw_realm>/<rgw_zone>.key -i <key_file> # replace with .pem private key $ ceph config set client.rgw.<rgw_realm>.<rgw_zone> rgw_frontends "beast port=80 ssl_port=443 ssl_certificate=config://rgw/cert/<rgw_realm>/<rgw_zone>.key ssl_private_key=config://rgw/cert/<rgw_realm>/<rgw_zone>.key"
- Restart the RGW, e.g.
ceph orch restart rgw
Other RGW Configuration Settings
ceph config requires three parameters:
- Who -
- Option - the setting you are configuring
- Value - the value of the setting
RGW options can be either found in the documentation and/or
consulting the output of
ceph config ls | grep -i rgw.
ceph config -h for general configuration details (scroll towards the end of the output).
With the cephadm installation, this will most probably be your bootstrapping server (also probably your monitor node). Gaining access to the
cephCLI tool is usually done by running
cephadm shellwhich drops you into a Docker/Podman container with the
cephCLI tool available. The container actually has a host filesystem bind mount
/var/lib/ceph/<CEPH_ID>/home:/root. Copying your RGW SSL/TLS certificate on the bootstrap machine in the aforementioned dir will make the certificate available in the
cephadm shell’s container in the