Add guide for enabling RGW with TLS certificate#671
anantone wants to merge 2 commits into canonical:main from
This guide details the steps to enable RGW with a TLS certificate for a MicroCeph single node installation, including prerequisites, certificate acquisition using Certbot, and configuration verification.
I closed this one by mistake, thanks @sabaini for pointing it out. |
Empty commit to rerun checks
I've now signed the CLA. |
| ============= | ||
| - `a MicroCeph single node installation <https://canonical-microceph.readthedocs-hosted.com/latest/tutorial/get-started/>`_. This will have RGW enabled. | ||
| - `a valid TLS certificate`_. We will use Certbot to obtain a TLS certificate from Let's Encrypt. You can also use a self-signed certificate, or request one from an external/commercial CA. |
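Review bot: the self-signed option in the second bullet needs a caveat. S3 clients and browsers reject a self-signed certificate unless they are told to trust it or to skip verification, so the "configuration verification" step this guide promises will not pass as written with one; either say how to trust the certificate or limit the guide to CA-issued certificates. Whatever the source, the certificate also has to cover the hostname clients will use to reach RGW, which is one more reason to treat it as a prerequisite rather than something the guide creates.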
Hm, we're listing this under Prerequisites but at the same time say we're going to create one which seems contradictory. Personally I'd lean towards asking for a cert as a prereq. and only providing pointers on how to obtain one (LetsEncrypt or other means).
Fair point. The problem is that we don't have a good tutorial for how to get certificates that we could link to. @skoech and I were actually discussing writing one, but in the meantime decided to provide one possible way here, so that users of this guide can still go forward even if they don't know the whole certificate story.
| MKc2mNJmrOuZ5-6zcxnD3NUCb_0w_mRG8bOPIA8K66w | ||
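Review bot: the bare value `MKc2mNJmrOuZ5-6zcxnD3NUCb_0w_mRG8bOPIA8K66w` is output from one particular certbot run; label it as sample output and tell the reader to publish the value certbot prints for them, since a DNS-01 challenge value is unique to each request and copying this one will fail validation.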
| Your certificate should be automatically issued and downloaded. |
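Review bot: "issued and downloaded" leaves the reader guessing where the files went. Certbot writes them under /etc/letsencrypt/live/<domain>/ as fullchain.pem and privkey.pem, while the enable command further down reads ./domain.crt and ./domain.key from the working directory, so the guide should state the paths or the copy step that connects the two. Since the certificate is passed to microceph by value, a renewed certificate is not picked up automatically; a sentence on what to do after renewal is worth adding.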
This assumes that users have control over the DNS of the domain they want to host it on. I'm a bit worried that creating TLS certs will get out of scope for this tutorial. I'd lean towards asking for certs as a prerequisite, provide pointers to instructions on how to get one (certbot if they can, self-signed or bought otherwise)
Again this is just one option. But yes, it may be better to skip it entirely, and just link to a full resource on the topic.
| sudo microceph enable rgw \ | ||
| --ssl-certificate "$(base64 -w0 ./domain.crt)" \ | ||
| --ssl-private-key "$(base64 -w0 ./domain.key)" |
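Review bot: the `$(base64 -w0 ./domain.key)` substitution is expanded by the calling shell before `sudo` starts, so with a root-owned 0600 key it prints an error and expands to an empty string, and `microceph enable rgw` is then invoked with `--ssl-private-key ""`. The fix is to escalate the read as well, `--ssl-private-key "$(sudo base64 -w0 ./domain.key)"`, or to copy the key to a file the user owns first. Either way the base64 key ends up in the shell history and in `ps` output while the command runs, which the guide should mention.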
Nit: typically certbot will create a 0600 root owned key, which means the base64 which is running with non-sudo privs here won't be able to read it
I'm not sure how to resolve that. This worked in my testing with a non root, sudo privileged user. Would you have a technical suggestion?
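The permission problem discussed in the two comments above, worked through as an added example (not code from this PR or from the MicroCeph documentation): `$(base64 -w0 ./domain.key)` is expanded in the caller's shell before `sudo` runs, so a root-owned 0600 key leaves the flag empty. The wrapper below reads a file through `sudo -n` only when the current user cannot read it, refuses missing or empty files, and only then runs the `microceph enable rgw` command from the diff. It assumes only the flags visible in the diff (`--ssl-certificate`, `--ssl-private-key`, `--ssl-port`), a non-root user with sudo rights, and a `base64` that may or may not support `-w0` (it pipes through `tr` instead); the function names and the example domain in the usage comment are this example's own.

```shell
#!/usr/bin/env bash
# Added example for the review comment about root-owned 0600 keys. Not part
# of the MicroCeph docs or this PR; flags are the ones shown in the diff.
set -eu

# pem_b64 FILE: print FILE as a single line of base64, the form the microceph
# --ssl-* flags take. A plain "$(base64 -w0 FILE)" inside a sudo command line
# still runs as the invoking user, so an unreadable key makes base64 fail and
# the flag receives "". Here the read goes through sudo only when needed, and
# a missing or empty file returns non-zero so `set -e` stops before microceph.
pem_b64() {
  local f data
  f=$1
  if [ -r "$f" ]; then
    data=$(base64 < "$f" | tr -d '\n')
  elif sudo -n test -r "$f" 2>/dev/null; then
    # -n: never prompt for a password; fail instead so a script cannot hang.
    data=$(sudo -n cat -- "$f" | base64 | tr -d '\n')
  else
    echo "pem_b64: cannot read $f (missing, or not readable even via sudo)" >&2
    return 1
  fi
  if [ -z "$data" ]; then
    echo "pem_b64: $f is empty" >&2
    return 1
  fi
  printf '%s\n' "$data"
}

# enable_rgw_tls CERT KEY [PORT]: the enable command from the guide, with both
# files encoded by pem_b64 first so a failed read aborts before microceph is
# invoked with empty values. Caveat: the base64 key is still visible in shell
# history and in `ps` output for as long as the command runs.
enable_rgw_tls() {
  local crt key
  crt=$(pem_b64 "$1") || return 1
  key=$(pem_b64 "$2") || return 1
  if [ -n "${3:-}" ]; then
    sudo microceph enable rgw --ssl-port "$3" \
      --ssl-certificate "$crt" --ssl-private-key "$key"
  else
    sudo microceph enable rgw \
      --ssl-certificate "$crt" --ssl-private-key "$key"
  fi
}

# Usage, with certbot's default output paths for an example domain (adjust):
#   enable_rgw_tls /etc/letsencrypt/live/rgw.example.com/fullchain.pem \
#                  /etc/letsencrypt/live/rgw.example.com/privkey.pem 7443
```

Running this from a script rather than an interactive shell keeps the encoded key out of the shell history; the `ps` exposure remains for the lifetime of the `microceph` process, which is short but non-zero on a shared host.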
| sudo microceph enable rgw \ | ||
| --ssl-port 7443 \ | ||
| --ssl-certificate "$(base64 -w0 ./domain.crt)" \ | ||
| --ssl-private-key "$(base64 -w0 ./domain.key)" |
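Review bot: this second snippet differs from the first only by `--ssl-port 7443`; say what port the first variant listens on when the flag is omitted and when a reader should pick a non-default port (for example because the default is taken or a firewall rule requires it), otherwise the near-duplicate reads as a copy-paste error. It also carries the same unprivileged `base64` read as the first variant and needs the same fix.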
Noted. Same fix to apply when determined.
Fixes #596