Enable TLS for Ceph public endpoints

Ceph Controller allows configuring TLS-secured public access to Ceph entities. This section describes how to configure the TLS protocol for a Ceph cluster on Container Cloud through a custom ingress rule for Ceph public endpoints.
Note

For deployments with Mirantis OpenStack for Kubernetes (MOSK), the ingress rule is automatically configured by Ceph Controller. However, an external RGW will not be created if Ceph Controller detects OpenStack pools or a configured customIngress section. For details, see MOSK Operations Guide: Configure Ceph RGW TLS and NGINX Ingress Controller: Annotations.
To enable TLS for Ceph public endpoints:

Select from the following options:

- If you do not have a Container Cloud cluster yet, open kaascephcluster.yaml.template for editing.
- If the Container Cloud cluster is already deployed, open the KaaSCephCluster CR of a managed cluster for editing:

      kubectl edit kaascephcluster -n <managedClusterProjectName>

  Substitute <managedClusterProjectName> with the corresponding value.

Specify the cephClusterSpec.ingress section in the KaaSCephCluster CR:

    spec:
      cephClusterSpec:
        ingress:
          publicDomain: public.domain.name
          cacert: |
            -----BEGIN CERTIFICATE-----
            ...
            -----END CERTIFICATE-----
          tlsCert: |
            -----BEGIN CERTIFICATE-----
            ...
            -----END CERTIFICATE-----
          tlsKey: |
            -----BEGIN RSA PRIVATE KEY-----
            ...
            -----END RSA PRIVATE KEY-----
          customIngress:
            className: <ingress-controller-class-name>
            annotations:
              key: value # annotations specific to the chosen ingress controller
The cephClusterSpec.ingress section contains the following parameters:

publicDomain
    The domain name to use for public endpoints.

cacert
    The Certificate Authority (CA) certificate, used for the ingress rule TLS support.

tlsCert
    The TLS certificate, used for the ingress rule TLS support.

tlsKey
    The TLS private key, used for the ingress rule TLS support.

customIngress
    Specifies the following custom Ingress Controller parameters:

    - className: the custom Ingress Controller class name.
    - annotations: extra annotations for the ingress proxy.
Note

For Container Cloud clusters, no default customIngress values are specified. Therefore, if you do not specify customIngress, the ingress rule creation will be omitted.

For deployments with Mirantis OpenStack for Kubernetes, the openstack-ingress-nginx class name is specified and Ceph uses the OpenStack component Ingress Controller based on NGINX. For details, see MOSK Operations Guide: Configure Ceph RGW TLS.
Select from the following options:

- If you are creating a managed cluster, save the updated KaaSCephCluster template to the corresponding file and proceed with the managed cluster creation.
- If you are configuring KaaSCephCluster of an existing managed cluster, run the following command:

      kubectl edit -n <managedClusterProjectName> kaascephcluster <cephClusterName>

  Substitute <managedClusterProjectName> and <cephClusterName> with the corresponding values.
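Before applying the CR, it is worth confirming that the three PEM values in cephClusterSpec.ingress are consistent with each other and with publicDomain, since a mismatched key or a certificate not issued by cacert only surfaces later as TLS handshake failures on the public endpoints. The following Go program is an added example, not Ceph Controller's or Container Cloud's own code: it checks that tlsKey matches tlsCert, that tlsCert chains to cacert and is within its validity period, and that it covers an endpoint host under publicDomain. The IngressTLS helper type, the SampleIngress generator (which builds a throwaway CA and wildcard certificate so the check runs offline) and the host name rgw.public.domain.name are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// IngressTLS holds the PEM fields of cephClusterSpec.ingress (hypothetical helper type, not the CR schema).
type IngressTLS struct{ PublicDomain, CACert, TLSCert, TLSKey string }

// CheckIngressTLS verifies that tlsCert and tlsKey form a pair, that tlsCert chains to cacert,
// is within its validity period, allows server authentication and covers host (an endpoint under publicDomain).
func CheckIngressTLS(in IngressTLS, host string) error {
	pair, err := tls.X509KeyPair([]byte(in.TLSCert), []byte(in.TLSKey))
	if err != nil {
		return fmt.Errorf("tlsCert/tlsKey: %w", err) // malformed PEM or key does not match the certificate
	}
	leaf, _ := x509.ParseCertificate(pair.Certificate[0]) // already parsed successfully by X509KeyPair
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM([]byte(in.CACert)) {
		return fmt.Errorf("cacert: no PEM certificate found")
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// SampleIngress builds a constructed CA and a wildcard leaf for domain so the check can run offline;
// a real deployment uses the operator's own PKI (the page shows RSA keys, Ed25519 is used here for brevity).
func SampleIngress(domain string) IngressTLS {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, leafKey, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now().Add(-time.Minute)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "sample-ca"}, NotBefore: now,
		NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"*." + domain}, NotBefore: now,
		NotAfter: now.Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey)
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, ca, leafPub, caKey)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(leafKey)
	p := func(t string, b []byte) string { return string(pem.EncodeToMemory(&pem.Block{Type: t, Bytes: b})) }
	return IngressTLS{domain, p("CERTIFICATE", caDER), p("CERTIFICATE", leafDER), p("PRIVATE KEY", keyDER)}
}
func main() {
	in := SampleIngress("public.domain.name") // replace with the values from the KaaSCephCluster CR
	fmt.Println(CheckIngressTLS(in, "rgw.public.domain.name"))
}
```

A nil result means the three PEM values and publicDomain are mutually consistent; any error names the offending field, so the CR can be corrected before kubectl applies it.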