Once you enable Ceph Object Gateway (radosgw) as described in Mirantis Container Cloud: Enable Ceph RGW Object Storage, you can configure the Transport Layer Security (TLS) protocol for the Ceph Object Gateway public endpoint using one of the following options:

Using MOSK TLS, if it is enabled and exposes its certificates and domain for Ceph. In this case, Ceph Object Gateway automatically creates an ingress rule with the MOSK certificates and domain to access the Ceph Object Gateway public endpoint. Therefore, you only need to reach the Ceph Object Gateway public and internal endpoints and set the CA certificates for a trusted TLS connection.

Using a custom ingress specified in the KaaSCephCluster CR. In this case, the Ceph Object Gateway public endpoint uses the public domain specified in the ingress parameters.
Caution
An external Ceph Object Gateway service is not supported and is deleted during update. If your system already uses endpoints of an external Ceph Object Gateway service, reconfigure them to the ingress endpoints.
Caution
When using a custom or OpenStack ingress, configure the DNS name for RGW to target the external IP address of that ingress. If no OpenStack or custom ingress is available, point the DNS to the external load balancer of RGW.
Note
Since MOSK 23.3, if the cluster has tls-proxy enabled, TLS certificates specified in ingress objects, including those configured in the KaaSCephCluster specification, are disregarded. Instead, the common certificate from the OpenStackDeployment object is applied to all ingresses. This means that tlsCert and the other ingress certificates specified in KaaSCephCluster are ignored and the common certificate from the OpenStackDeployment object is used.
This section also describes how to specify a custom public endpoint for the Object Storage service.

To configure Ceph Object Gateway TLS:

1. Verify whether MOSK TLS is enabled: the spec.features.ssl.public_endpoints section should be specified in the OpenStackDeployment CR.
2. Configure Ceph Object Gateway TLS using a custom ingress:

   Warning
   The rgw section is deprecated and the ingress parameters have moved under cephClusterSpec.ingress. If you continue using rgw.ingress, it is automatically translated into cephClusterSpec.ingress during the MOSK cluster release update.
   a. Open the KaaSCephCluster CR for editing.
   b. Specify the ingress parameters:

      publicDomain - domain name to use for the external service.

      Caution
      Since MOSK 23.3, the default ingress controller does not support publicDomain values different from the OpenStack ingress public domain. Therefore, if you intend to use the default OpenStack ingress controller for your Ceph Object Storage public endpoint, plan to use the same public domain as your OpenStack endpoints.

      cacert - Certificate Authority (CA) certificate, used for the ingress rule TLS support.
      tlsCert - TLS certificate, used for the ingress rule TLS support.
      tlsKey - TLS private key, used for the ingress rule TLS support.
      customIngress (optional) - includes the following custom Ingress Controller parameters:

         className - the custom Ingress Controller class name. If not specified, the openstack-ingress-nginx class name is used by default.
         annotations - the custom Ingress Controller annotations. By default, the following annotations are set:
            nginx.ingress.kubernetes.io/rewrite-target is set to /
            nginx.ingress.kubernetes.io/upstream-vhost is set to <rgwName>.rook-ceph.svc, where <rgwName> is spec.cephClusterSpec.objectStorage.rgw.name.
         Optional annotations:
            nginx.ingress.kubernetes.io/proxy-request-buffering: "off" disables request buffering for the ingress to prevent the 413 (Request Entity Too Large) error when uploading large files using radosgw.
            nginx.ingress.kubernetes.io/proxy-body-size: <size> increases the default upload size limit to prevent the 413 (Request Entity Too Large) error when uploading large files using radosgw. Set the value in MB (m) or KB (k), for example, 100m.

      By default, an ingress rule is created with the internal Ceph Object Gateway service endpoint as a backend. Also, rgw_dns_name is specified in the Ceph configuration and is set to <rgwName>.rook-ceph.svc by default. You can override this option using the spec.cephClusterSpec.rookConfig key-value parameter. In this case, also change the corresponding ingress annotation.

      For clouds with the publicDomain parameter specified, align the upstream-vhost ingress annotation with the name of the Ceph Object Storage and the specified public domain. Ceph Object Storage requires the upstream-vhost and rgw_dns_name parameters to be equal. Therefore, override the default rgw_dns_name with the corresponding ingress annotation value.
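      The following KaaSCephCluster fragment is an added example, not taken from the original page or from Mirantis, that wires the parameters above together for a custom public domain: the object storage name openstack-store, the domain cloud.example.com, the metadata names, the secure port and the PEM bodies are all assumed placeholders to replace with your own values.

```yaml
# Added example: cephClusterSpec.ingress for a Ceph Object Gateway public endpoint
# behind the default OpenStack ingress controller. All names, the domain and the
# PEM bodies are assumptions (placeholders), not values from a real deployment.
apiVersion: kaas.mirantis.com/v1alpha1
kind: KaaSCephCluster
metadata:
  name: ceph-cluster-managed      # assumed
  namespace: managed-ns           # assumed project namespace
spec:
  cephClusterSpec:
    objectStorage:
      rgw:
        name: openstack-store     # this is <rgwName>; assumed value
        gateway:
          securePort: 8443        # assumed <rgw-secure-port> of the internal endpoint
    # Ceph requires rgw_dns_name to equal the upstream-vhost annotation below.
    # Without this override it would default to openstack-store.rook-ceph.svc.
    rookConfig:
      rgw_dns_name: openstack-store.cloud.example.com
    ingress:
      # Since MOSK 23.3 this must match the OpenStack public domain when the
      # default openstack-ingress-nginx class is used.
      publicDomain: cloud.example.com
      # Placeholders: paste the real CA chain, server certificate and private key.
      # tlsKey is secret material; keep the CR out of version control or use a
      # secret-management workflow rather than committing it in clear text.
      cacert: |
        -----BEGIN CERTIFICATE-----
        <CA certificate PEM, placeholder>
        -----END CERTIFICATE-----
      tlsCert: |
        -----BEGIN CERTIFICATE-----
        <server certificate PEM, placeholder>
        -----END CERTIFICATE-----
      tlsKey: |
        -----BEGIN PRIVATE KEY-----
        <private key PEM, placeholder>
        -----END PRIVATE KEY-----
      customIngress:
        className: openstack-ingress-nginx
        annotations:
          nginx.ingress.kubernetes.io/rewrite-target: "/"
          # Aligned with publicDomain and rgw_dns_name (name.<publicDomain>)
          nginx.ingress.kubernetes.io/upstream-vhost: openstack-store.cloud.example.com
          # Optional: avoid 413 Request Entity Too Large on big uploads
          nginx.ingress.kubernetes.io/proxy-request-buffering: "off"
          nginx.ingress.kubernetes.io/proxy-body-size: 100m
```

      After applying it, verify that the certificate the ingress presents chains to the cacert you configured, for example with openssl s_client against the public endpoint, before pointing clients at it.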
3. To access the internal and public Ceph Object Gateway endpoints, select from the following options:

   Note
   If you are using the HTTP scheme instead of HTTPS, skip obtaining CA certificates and add the following configuration to the KaaSCephCluster object on a management cluster:

   To access Ceph Object Gateway with an internal endpoint:

      a. Obtain the internal endpoint name for Ceph Object Gateway:

         kubectl -n rook-ceph get svc -l app=rook-ceph-rgw

         The internal endpoint for Ceph Object Gateway has the https://<internal-svc-name>.rook-ceph.svc:<rgw-secure-port>/ format, where <rgw-secure-port> is spec.rgw.gateway.securePort specified in the KaaSCephCluster CR.
      Substitute <objectStorageName> with the Ceph Object Storage name and <customPublicEndpoint> with the public endpoint that uses the custom public domain. If one or both endpoints are missing from the list, add the missing endpoints to the hostnames list in the zonegroup.json file and update the Ceph Object Gateway zonegroup configuration:
Once done, Ceph Object Gateway becomes available at the custom public endpoint with an S3 API client, the OpenStack Swift CLI, and the OpenStack Horizon Containers plugin.