Enable TLS for Ceph public endpoints

Ceph Controller lets you configure TLS-secured public access to Ceph entities. This section describes how to configure the TLS protocol for a Ceph cluster through a custom ingress rule for Ceph public endpoints.

The ingress rule is automatically configured by Ceph Controller. However, an external RGW will not be created if Ceph Controller detects OpenStack pools or a configured customIngress section. For details, see Configure Ceph Object Gateway TLS and NGINX Ingress Controller documentation: Annotations.

To enable TLS for Ceph public endpoints:

  1. Select from the following options:

    • If you do not have a managed cluster yet, open kaascephcluster.yaml.template for editing.

    • If you already have a managed cluster, open the KaasCephCluster CR of a managed cluster for editing:

      kubectl edit kaascephcluster -n <managedClusterProjectName>
      

      Substitute <managedClusterProjectName> with a corresponding value.

  2. Specify the cephClusterSpec.ingress section in the KaaSCephCluster CR:

    spec:
      cephClusterSpec:
        ingress:
          publicDomain: public.domain.name
          cacert: |
            -----BEGIN CERTIFICATE-----
            ...
            -----END CERTIFICATE-----
          tlsCert: |
            -----BEGIN CERTIFICATE-----
            ...
            -----END CERTIFICATE-----
          tlsKey: |
            -----BEGIN RSA PRIVATE KEY-----
            ...
            -----END RSA PRIVATE KEY-----
          customIngress:
            className: <ingress-controller-class-name>
            annotations:
              key: value # annotations applicable to the chosen Ingress Controller
    

    The cephClusterSpec.ingress section contains the following parameters:

    Parameter       Description
    publicDomain    The domain name to use for public endpoints.
    cacert          The Certificate Authority (CA) certificate used for the ingress rule TLS support.
    tlsCert         The TLS certificate used for the ingress rule TLS support.
    tlsKey          The TLS private key used for the ingress rule TLS support.
    customIngress   Specifies the following custom Ingress Controller parameters:
                    • className - the custom Ingress Controller class name.
                    • annotations - extra annotations for the ingress proxy.

    Note

    By default, the openstack-ingress-nginx class name is specified and Ceph uses the OpenStack component Ingress Controller based on NGINX. For details, see Configure Ceph Object Gateway TLS.

  3. Select from the following options:

    • If you are creating a managed cluster, save the updated KaaSCephCluster template to the corresponding file and proceed with the managed cluster creation.

    • If you are configuring KaaSCephCluster of an existing managed cluster, run the following command:

      kubectl edit -n <managedClusterProjectName> kaascephcluster <cephClusterName>
      

      Substitute <managedClusterProjectName> and <cephClusterName> with the corresponding values.
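As an added pre-apply check (not part of the Ceph Controller documentation or code), the following Python lint runs over the parsed cephClusterSpec.ingress mapping and catches the mistakes most often made when filling in step 2: leaving the template's ... placeholder in a PEM field, swapping tlsCert and tlsKey, a malformed publicDomain, or pasting a passphrase-protected key, which the ingress TLS secret cannot use. The sample mappings are constructed; their base64 bodies are filler, not real certificates or keys.

```python
"""Pre-apply lint for the cephClusterSpec.ingress section of a KaaSCephCluster CR.
Input is the already-parsed ingress mapping (e.g. from yaml.safe_load); output is a list of problems."""
import base64
import binascii
import re

PEM_RE = re.compile(r"-----BEGIN (?P<b>[A-Z ]+)-----\n(?P<body>.*?)\n-----END (?P<e>[A-Z ]+)-----", re.S)
HOST_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
CERT_TYPES = {"CERTIFICATE"}
KEY_TYPES = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

def check_pem(name, value, allowed, problems):
    """Verify the field holds PEM blocks of the expected type with a real base64 body."""
    blocks = list(PEM_RE.finditer(value or ""))
    if not blocks:
        problems.append(f"{name}: no PEM block found")
    for m in blocks:
        if m.group("b") != m.group("e"):
            problems.append(f"{name}: BEGIN {m.group('b')} does not match END {m.group('e')}")
        if m.group("b") not in allowed:
            problems.append(f"{name}: unexpected PEM type {m.group('b')}")
        body = "".join(m.group("body").split())
        try:
            base64.b64decode(body, validate=True)
        except binascii.Error:
            body = ""
        if not body:  # empty body, or the template's "..." placeholder left in place
            problems.append(f"{name}: PEM body is not base64 (placeholder left in the template?)")

def lint_ingress(ingress):
    problems = []
    domain = str(ingress.get("publicDomain", ""))
    if not HOST_RE.match(domain.lower()):
        problems.append(f"publicDomain: {domain!r} is not a valid DNS name")
    check_pem("cacert", ingress.get("cacert"), CERT_TYPES, problems)
    check_pem("tlsCert", ingress.get("tlsCert"), CERT_TYPES, problems)
    check_pem("tlsKey", ingress.get("tlsKey"), KEY_TYPES, problems)
    if "ENCRYPTED" in (ingress.get("tlsKey") or ""):  # PKCS#8 "ENCRYPTED PRIVATE KEY" or legacy Proc-Type header
        problems.append("tlsKey: passphrase-protected key; the ingress TLS secret needs an unencrypted key")
    return problems

def pem(label, body="MIIBszCCAVygAwIBAgIUAAAA"):  # constructed filler base64, not a real cert or key
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

SAMPLE_OK = {"publicDomain": "public.domain.name", "cacert": pem("CERTIFICATE"),
             "tlsCert": pem("CERTIFICATE"), "tlsKey": pem("RSA PRIVATE KEY")}
# Constructed bad sample: invalid domain, cert/key swapped, template "..." left in tlsKey.
SAMPLE_BAD = dict(SAMPLE_OK, publicDomain="public_domain",
                  tlsCert=pem("RSA PRIVATE KEY"), tlsKey=pem("CERTIFICATE", "..."))
```

Run lint_ingress on the ingress mapping loaded from the CR before saving it; an empty list means the section is structurally consistent, not that the certificate chain is valid.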