Enable TLS for Ceph public endpoints

Ceph controller allows configuring a TLS-secured public access to Ceph entities. This section describes how to configure the TLS protocol for a Ceph cluster on Container Cloud through a custom ingress rule for Ceph public endpoints.

Note

For deployments with Mirantis OpenStack for Kubernetes (MOS), the ingress rule is automatically configured by Ceph controller. However, an external RGW will not be created if the Ceph controller detects OpenStack pools or a configured customIngress section. For details, see MOS Operations Guide: Configure Ceph RGW TLS and NGINX Ingress Controller: Annotations.

To enable TLS for Ceph public endpoints:

  1. Select from the following options:

    • If you do not have a Container cloud cluster yet, open kaascephcluster.yaml.template for editing.

    • If the Container cloud cluster is already deployed, open the KaasCephCluster CR of a managed cluster for editing:

      kubectl edit kaascephcluster -n <managedClusterProjectName>
      

      Substitute <managedClusterProjectName> with a corresponding value.

  2. Specify the cephClusterSpec.ingress section in the KaaSCephCluster CR:

    spec:
      cephClusterSpec:
        ingress:
          publicDomain: public.domain.name
          cacert: |
            -----BEGIN CERTIFICATE-----
            ...
            -----END CERTIFICATE-----
          tlsCert: |
            -----BEGIN CERTIFICATE-----
            ...
            -----END CERTIFICATE-----
          tlsKey: |
            -----BEGIN RSA PRIVATE KEY-----
            ...
            -----END RSA PRIVATE KEY-----
          customIngress:
            className: <ingress-controller-class-name>
            annotations:
              key: value # sensible for chosen ingress controller annotations
    

    The cephClusterSpec.ingress section contains the following parameters:

    Parameter

    Description

    publicDomain

    The Domain name to use for public endpoints.

    cacert

    The Certificate Authority (CA) certificate, used for the ingress rule TLS support.

    tlsCert

    The TLS certificate, used for the ingress rule TLS support.

    tlsKey

    The TLS private key, used for the ingress rule TLS support.

    customIngress

    Specifies the following custom Ingress Controller parameters:

    • className - the custom Ingress Controller class name.

    • annotations - extra annotations for the ingress proxy.

    Note

    • For Container Cloud clusters, no default customIngress values are specified. Therefore, if you do not specify customIngress, the ingress rule creation will be omitted.

    • For deployments with Mirantis OpenStack for Kubernetes, the openstack-ingress-nginx class name is specified and Ceph uses the OpenStack component Ingress Controller based on NGINX. For details, see MOS Operations Guide: Configure Ceph RGW TLS.

  3. Select from the following options:

    • If you are creating a managed cluster, save the updated KaaSCephCluster template to the corresponding file and proceed with the managed cluster creation.

    • If you are configuring KaaSCephCluster of an existing managed cluster, run the following command:

      kubectl apply -n <managedClusterProjectName>
      

      Substitute <managedClusterProjectName> with the corresponding value.