With Let's Encrypt offering TLS certificates for free, it's strongly recommended to deploy your RGWs with certificates configured. This can be done at any time, before or after deployment, and once you've generated certificates for your domain it needs only a couple of configuration changes. Here's an example of how I generate a wildcard certificate for cephtips.com. A wildcard requires the DNS-01 challenge against the ACME v2 endpoint, which is why `--preferred-challenges dns` and the `acme-v02` server are passed explicitly (the `letsencrypt-auto` wrapper has since been replaced by `certbot`, which accepts the same arguments). The final `cat` concatenates the private key and the full chain into one file, because radosgw reads both from a single PEM:

# git clone https://github.com/letsencrypt/letsencrypt && cd letsencrypt
# ./letsencrypt-auto certonly --manual --preferred-challenges dns \
  --server https://acme-v02.api.letsencrypt.org/directory \
  --agree-tos -d *.cephtips.com -d cephtips.com \
  --email randy@cephtips.com
# cat /etc/letsencrypt/live/cephtips.com/{privkey,fullchain}.pem \
  > /usr/share/ceph-ansible/cephtips.pem

Next, copy the combined PEM to a location on each RGW host that the containerized RGWs can read. Two candidates are:

  • /etc/pki/ca-trust/extracted/
  • /etc/ceph/

Since both of these directories are bind mounted into the container, either location will work. I chose the pki location since /etc/ceph does not exist yet. The file holds the private key, so it is copied with a restrictive mode:

# cd /usr/share/ceph-ansible
# ansible -m copy -a 'src=/usr/share/ceph-ansible/cephtips.pem dest=/etc/pki/ca-trust/extracted/ mode=0400' -b rgws

The final step before running site.yml is to set the non-default values in group_vars/all.yml: the frontend port, and the path to the combined key-plus-chain PEM you just distributed (the path as seen inside the container, which is the same here because the directory is bind mounted):

radosgw_frontend_port: 443
radosgw_frontend_ssl_certificate: "/etc/pki/ca-trust/extracted/cephtips.pem"
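Before the copy task ships the bundle to the RGW hosts it is worth checking that the file is actually what `radosgw_frontend_ssl_certificate` expects: exactly one private key that belongs to the leaf certificate, SANs covering both the wildcard and the apex name, a certificate that is not about to expire, and a mode that keeps the key private. The script below is an added example, not part of the original post or of ceph-ansible. It builds a self-signed wildcard certificate as a constructed stand-in for the Let's Encrypt output (the domain `example.com` and all paths under the temporary directory are hypothetical), concatenates it the same way the post does, and then runs those checks, once on a good bundle and once on a bundle whose key belongs to a different certificate. Since Let's Encrypt certificates are valid for 90 days, the same check belongs in whatever process renews and redistributes the bundle.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): sanity-check the combined
# key+fullchain PEM before copying it to the RGW hosts. The sample domain and
# all paths below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the Let's Encrypt output: a self-signed wildcard
# cert plus its key, concatenated exactly as the post does (key first).
# make_sample_bundle OUT DOMAIN
make_sample_bundle() {
    cat > "$WORK/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = *.$2
[v3]
subjectAltName = DNS:*.$2, DNS:$2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/san.cnf" \
        -keyout "$WORK/privkey.pem" -out "$WORK/fullchain.pem" >/dev/null 2>&1
    cat "$WORK/privkey.pem" "$WORK/fullchain.pem" > "$1"
    chmod 0400 "$1"
}

# check_bundle BUNDLE DOMAIN: returns 0 if BUNDLE is fit for
# radosgw_frontend_ssl_certificate, 1 (printing the reason) otherwise.
check_bundle() {
    local bundle=$1 domain=$2 nkeys ncerts keypub certpub sans perm
    # radosgw reads one private key and the cert chain from a single PEM file.
    nkeys=$(grep -c 'BEGIN .*PRIVATE KEY' "$bundle" || true)
    ncerts=$(grep -c 'BEGIN CERTIFICATE' "$bundle" || true)
    [ "$nkeys" -eq 1 ] || { echo "expected 1 private key, found $nkeys"; return 1; }
    [ "$ncerts" -ge 1 ] || { echo "no certificate found"; return 1; }
    # The key must belong to the leaf cert: compare the two public keys.
    keypub=$(openssl pkey -in "$bundle" -pubout 2>/dev/null || true)
    certpub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null || true)
    [ -n "$keypub" ] && [ "$keypub" = "$certpub" ] \
        || { echo "private key does not match leaf certificate"; return 1; }
    # The leaf must cover both the wildcard and the apex name.
    sans=$(openssl x509 -in "$bundle" -noout -text | grep -A1 'Subject Alternative Name' || true)
    case "$sans" in *"DNS:*.$domain"*) ;; *) echo "SAN missing *.$domain"; return 1 ;; esac
    case "$sans" in *"DNS:$domain"*) ;; *) echo "SAN missing $domain"; return 1 ;; esac
    # Refuse a cert that expires within a day (Let's Encrypt certs are short-lived).
    openssl x509 -in "$bundle" -noout -checkend 86400 >/dev/null \
        || { echo "certificate expires within 24h"; return 1; }
    # The file carries the private key: group and other must have no access.
    perm=$(stat -c '%a' "$bundle" 2>/dev/null || stat -f '%Lp' "$bundle")
    case "$perm" in *00) ;; *) echo "mode $perm is too open for a private key"; return 1 ;; esac
    echo "ok: $bundle"
}

# Demo: a good bundle passes; a bundle whose key belongs to another cert fails.
make_sample_bundle "$WORK/good.pem" example.com
check_bundle "$WORK/good.pem" example.com

openssl genrsa -out "$WORK/other.key" 2048 >/dev/null 2>&1
cat "$WORK/other.key" "$WORK/fullchain.pem" > "$WORK/bad.pem"
chmod 0400 "$WORK/bad.pem"
if check_bundle "$WORK/bad.pem" example.com; then
    echo "unexpected: mismatched bundle accepted"
fi
```

To use it on a real bundle, call `check_bundle /usr/share/ceph-ansible/cephtips.pem cephtips.com` (or wire it in as a pre-task) and only run the copy task when it returns 0. The public-key comparison catches the most common mistake in this workflow, concatenating a freshly renewed chain with a stale `privkey.pem`, which otherwise only shows up when radosgw refuses to start.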