Change Ceph RadosGW SSL Credentials frontend settings

Prepare Environment

  • Log in to the mon node as the root user.
  • Run ceph -s to check that Ceph is accessible from this node.

Get ceph report from the monitor node.

  1. Run the command ceph service dump | jq -r '.services.rgw.daemons[]' to get the metadata of all RGWs in JSON format.

  2. Get each realm name, zone name and RGW service id from step 1 above.
    We need the following information:

    • realm_name -> metadata.realm_name
    • zone_name -> metadata.zone_name
    • service id -> metadata.id
    • frontend_config#0 -> metadata.frontend_config#0
  3. For example:

    • realm_name: asia
    • zone_name: taipeipoc
    • id: asia.taipeipoc.ext-148-rgw-01.piunzy
    • frontend: beast port=7479 ssl_port=7480 ssl_certification=config://rgw/cert/asia/taipei.crt ssl_private_key=config://rgw/cert/asia/taipei.key

Change Ceph RadosGW SSL Certificates frontend settings

Replace the current frontend SSL certificate configuration with the new certificate path config://rgw/cert/rgw.<realm>.<zone>

Example:

  • The current frontend config is: beast port=7479 ssl_port=7480 ssl_certification=config://rgw/cert/asia/taipei.crt ssl_private_key=config://rgw/cert/asia/taipei.key
  • The new frontend configuration will be: beast ssl_port=7480 ssl_certificate=config://rgw/cert/rgw.asia.taipei

Update radosgw daemon configuration

Run this command to update the radosgw daemon config: 


ceph config set client.rgw.<service_id> rgw_frontend <new frontend config>


The new frontend config format is:

frontend='beast ssl_port=7480 ssl_certificate=config://rgw/cert/rgw.$realm_name.$zone_name'


Replace $realm_name and $zone_name with the values you get from the RGW metadata.


Example:

sv=client.rgw.asia.taipeipoc.ext-148-rgw-01.piunzy
frontend='beast ssl_port=7480 ssl_certificate=config://rgw/cert/rgw.asia.taipei'
ceph config set "$sv" rgw_frontend "$frontend"


Configure all the RGWs you have.
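
Added example (not part of the original page): a Python helper that reads the JSON from ceph service dump and prints one ceph config set command for each RGW still on the old frontend format, building the certificate path from the rgw.$realm_name.$zone_name format stated above. The sample dump is constructed (the second daemon id and the numeric keys are made up), and the helper assumes the certificate is already stored at the config:// path it writes.

```python
import json
import shlex

# Constructed sample shaped like `ceph service dump` output. The first daemon
# mirrors the page's example; the second id and the numeric keys are made up.
SAMPLE_DUMP = json.loads("""
{"services": {"rgw": {"daemons": {
  "summary": "",
  "24107": {"metadata": {
    "id": "asia.taipeipoc.ext-148-rgw-01.piunzy",
    "realm_name": "asia", "zone_name": "taipeipoc",
    "frontend_config#0": "beast port=7479 ssl_port=7480 ssl_certification=config://rgw/cert/asia/taipei.crt ssl_private_key=config://rgw/cert/asia/taipei.key"}},
  "24188": {"metadata": {
    "id": "asia.taipeipoc.ext-148-rgw-02.example",
    "realm_name": "asia", "zone_name": "taipeipoc",
    "frontend_config#0": "beast ssl_port=7480 ssl_certificate=config://rgw/cert/rgw.asia.taipeipoc"}}
}}}}
""")

def new_frontend(meta):
    """Build the new-format frontend string from one daemon's metadata."""
    tokens = meta["frontend_config#0"].split()[1:]          # drop "beast"
    opts = dict(t.split("=", 1) for t in tokens if "=" in t)
    if "ssl_port" not in opts:
        # Refuse to guess a TLS port; this daemon needs a manual look.
        raise ValueError(f"{meta['id']}: no ssl_port in current frontend config")
    # Assumption: the certificate is already stored under this config:// path.
    cert = f"config://rgw/cert/rgw.{meta['realm_name']}.{meta['zone_name']}"
    return f"beast ssl_port={opts['ssl_port']} ssl_certificate={cert}"

def plan_updates(dump):
    """Return (service_id, command) for each RGW whose frontend must change."""
    plan = []
    for entry in dump["services"]["rgw"]["daemons"].values():
        if not isinstance(entry, dict):      # skip non-daemon entries ("summary")
            continue
        meta = entry["metadata"]
        target = new_frontend(meta)
        if meta["frontend_config#0"] == target:
            continue                         # already on the new format
        who = f"client.rgw.{meta['id']}"
        # shlex.quote keeps the whole frontend string as one shell argument.
        cmd = f"ceph config set {shlex.quote(who)} rgw_frontend {shlex.quote(target)}"
        plan.append((meta["id"], cmd))
    return plan

if __name__ == "__main__":
    for _service_id, command in plan_updates(SAMPLE_DUMP):
        print(command)
```

On a live cluster, pass the parsed output of ceph service dump to plan_updates() instead of SAMPLE_DUMP and review the printed commands before running them.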



Restart the radosgw daemon

Restart all your RGWs one at a time, until they are up and running again.


Method 1: use ceph orch command on any ceph node. 


sudo ceph orch daemon restart rgw.<service_id>


Example:

sudo ceph orch daemon restart rgw.asia.taipeipoc.ext-148-rgw-01.piunzy



Method 2: log in to the RGW host and use systemctl to restart the service


sudo systemctl restart ceph-<fsid>@rgw.<service_id>

The fsid is the cluster ID.


Example: 

sudo systemctl restart ceph-9fb8d29c-69bf-11ef-bbeb-39e095f5b7b5@rgw.asia.taipeipoc.ext-148-rgw-01.piunzy.service



Check the RGW metadata frontend_config#0 after restarting the RGW


ceph service dump | jq -r '.services.rgw.daemons[]'


You will see the frontend_config#0 as


 "frontend_config#0": "beast ssl_port=7480 ssl_certificate=config://rgw/cert/rgw.asia.taipeipoc"