With companies like letsencrypt offering SSL certificates for free, it's strongly recommended to deploy your RGWs with certs configured. This may be done anytime pre- or post-deployment. The process as a whole requires minimal configuration changes after you've generated certs for your domain. Here's an example of how I generate wildcard certificates for cephtips.com:

# git clone https://github.com/letsencrypt/letsencrypt && cd letsencrypt
# ./letsencrypt-auto certonly --manual --preferred-challenges dns \
  --server https://acme-v02.api.letsencrypt.org/directory \
  --agree-tos -d *.cephtips.com -d cephtips.com \
  --email randym@cephtips.com
# cat /etc/letsencrypt/live/cephtips.com/{privkey,fullchain}.pem \
  > /usr/share/ceph-ansible/cephtips.pem

Next we'll need to copy your certificate into a common location that your containerized RGWs can access such as the following 2 locations:

  • /etc/pki/ca-trust/extracted/
  • /etc/ceph/

Since both of these directories are bind mounted into the container, either location will work. I chose to use the pki location since /etc/ceph does not yet exist:

# cd /usr/share/ceph-ansible
# ansible -m copy -a 'src=/usr/share/ceph-ansible/cephtips.pem dest=/etc/pki/ca-trust/extracted/ mode=0400' -b rgws

The final step before running the site.yml is to configure your group_vars/all.yml with the non-default updates:

radosgw_frontend_port: 443
radosgw_frontend_ssl_certificate: "/etc/pki/ca-trust/extracted/cephtips.pem"