Enable TLS for Ceph public endpoints

Ceph Controller lets you configure TLS-secured public access to Ceph entities. This section describes how to configure the TLS protocol for a Ceph cluster through a custom ingress rule for Ceph public endpoints.

The ingress rule is automatically configured by Ceph Controller. However, an external RGW will not be created if Ceph Controller detects OpenStack pools or a configured customIngress section. For details, see Configure Ceph Object Gateway TLS and NGINX Ingress Controller documentation: Annotations.

To enable TLS for Ceph public endpoints:

Select from the following options:

- If you do not have a managed cluster yet, open kaascephcluster.yaml.template for editing.
- If you already have a managed cluster, open the KaaSCephCluster CR of a managed cluster for editing:

      kubectl edit kaascephcluster -n <managedClusterProjectName>

  Substitute <managedClusterProjectName> with a corresponding value.

Specify the cephClusterSpec.ingress section in the KaaSCephCluster CR:

    spec:
      cephClusterSpec:
        ingress:
          publicDomain: public.domain.name
          cacert: |
            -----BEGIN CERTIFICATE-----
            ...
            -----END CERTIFICATE-----
          tlsCert: |
            -----BEGIN CERTIFICATE-----
            ...
            -----END CERTIFICATE-----
          tlsKey: |
            -----BEGIN RSA PRIVATE KEY-----
            ...
            -----END RSA PRIVATE KEY-----
          customIngress:
            className: <ingress-controller-class-name>
            annotations:
              key: value # sensible for chosen ingress controller annotations

The cephClusterSpec.ingress section contains the following parameters:

- publicDomain - The domain name to use for public endpoints.
- cacert - The Certificate Authority (CA) certificate, used for the ingress rule TLS support.
- tlsCert - The TLS certificate, used for the ingress rule TLS support.
- tlsKey - The TLS private key, used for the ingress rule TLS support.
- customIngress - Specifies the following custom Ingress Controller parameters:
  - className - the custom Ingress Controller class name.
  - annotations - extra annotations for the ingress proxy.

Note: By default, the openstack-ingress-nginx class name is specified and Ceph uses the OpenStack component Ingress Controller based on NGINX. For details, see Configure Ceph Object Gateway TLS.

Select from the following options:

- If you are creating a managed cluster, save the updated KaaSCephCluster template to the corresponding file and proceed with the managed cluster creation.
- If you are configuring KaaSCephCluster of an existing managed cluster, run the following command:

      kubectl edit -n <managedClusterProjectName> kaascephcluster <cephClusterName>

  Substitute <managedClusterProjectName> and <cephClusterName> with the corresponding values.
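
A pre-flight check for the material that goes into cephClusterSpec.ingress, given here as an added example that is not part of the product documentation: it confirms that tlsKey belongs to tlsCert, that tlsCert chains to cacert, and that tlsCert is valid for a host name. The function names, file names, and the throwaway CA and certificate are constructed for illustration, and checking the bare publicDomain value is an assumption; pass the host name your endpoints actually serve.

```shell
# Added example: pre-flight checks for cephClusterSpec.ingress TLS material.
# Function, file and CA names are illustrative assumptions, not product names.

# tlsKey must be the private key of tlsCert: compare their public keys.
key_matches_cert() {  # $1 = tlsCert file, $2 = tlsKey file
  pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# tlsCert must chain to the CA supplied as cacert.
chains_to_ca() {      # $1 = cacert file, $2 = tlsCert file
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# tlsCert must be valid for the host name that clients connect to.
covers_host() {       # $1 = tlsCert file, $2 = host name
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Constructed sample: a throwaway CA and a leaf for public.domain.name.
make_sample() {       # prints the directory holding ca.pem, tls.pem, tls.key
  d=$(mktemp -d) || return 1
  cat > "$d/o.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
subjectAltName = DNS:public.domain.name
EOF
  {
    openssl req -x509 -config "$d/o.cnf" -extensions v3_ca -subj "/CN=Constructed Test CA" \
      -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.pem" -days 1 &&
    openssl req -new -config "$d/o.cnf" -subj "/CN=public.domain.name" \
      -newkey rsa:2048 -nodes -keyout "$d/tls.key" -out "$d/tls.csr" &&
    openssl x509 -req -in "$d/tls.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
      -CAcreateserial -extfile "$d/o.cnf" -extensions v3_leaf -out "$d/tls.pem" -days 1
  } >/dev/null 2>&1 || return 1
  echo "$d"
}

s=$(make_sample) || { echo "openssl sample generation failed" >&2; exit 1; }
key_matches_cert "$s/tls.pem" "$s/tls.key" && echo "tlsKey matches tlsCert"
chains_to_ca "$s/ca.pem" "$s/tls.pem" && echo "tlsCert chains to cacert"
covers_host "$s/tls.pem" public.domain.name && echo "tlsCert covers public.domain.name"
rm -rf "$s"
```

To check real material, save each PEM block to its own file and call the three functions on those files instead of the constructed sample.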