ceph: add LE certificates

With a hook to restart RGW services on renewal, if there are any. Live certificates are linked to the same path under /etc/ceph on each host, so that the orch service spec is node-independent. Use with something like this (port 80 must be kept free for standalone certbot renewal): service_type: rgw spec: rgw_frontend_port: 8080 rgw_frontend_extra_args: - ssl_port=443 - ssl_private_key=/etc/ceph/privkey.pem - ssl_certificate=/etc/ceph/fullchain.pem extra_container_args: - "--volume" - "/etc/ceph:/etc/ceph:ro" - "--volume" - "/etc/letsencrypt:/etc/letsencrypt:ro"
2024-11-08 16:32:06 +01:00 · 2024-11-08 16:32:06 +01:00 · 46a9ff6fc0
parent 6e5de53937
commit 46a9ff6fc0
4 changed files with 41 additions and 0 deletions
--- a/roles/ceph/files/restart-ceph-rgw.sh
+++ b/roles/ceph/files/restart-ceph-rgw.sh
@ -0,0 +1,3 @@
+#!/bin/sh
+
+systemctl restart "ceph-*@rgw.*.$(hostname -s).*.service"
--- a/roles/ceph/tasks/cert.yml
+++ b/roles/ceph/tasks/cert.yml
@ -0,0 +1,34 @@
+- name: Get DNS names
+  set_fact:
+    domains: '{{ interfaces | selectattr("name", "==", "lo")
+             | map(attribute="ip_addresses") | flatten | map(attribute="dns_name")
+             | sort | unique }}'
+
+- name: Install certbot
+  package:
+    name: certbot
+
+- name: Get LE certificate
+  command:
+    cmd: ip vrf exec default certbot certonly --non-interactive --agree-tos --register-unsafely-without-email --standalone -d {{ domains | join(',') }}
+    creates: '/etc/letsencrypt/renewal/{{ domains | first }}.conf'
+
+- name: Create common directory for ceph nodes
+  file:
+    path: /etc/ceph
+    state: directory
+
+- name: Link key and certificate to common location
+  file:
+    dest: '/etc/ceph/{{ item }}'
+    src: '/etc/letsencrypt/live/{{ domains | first }}/{{ item }}'
+    state: link
+  loop:
+    - privkey.pem
+    - fullchain.pem
+
+- name: Install certificate deploy hook
+  copy:
+    dest: /etc/letsencrypt/renewal-hooks/deploy/
+    src: restart-ceph-rgw.sh
+    mode: 0755
--- a/roles/ceph/tasks/main.yml
+++ b/roles/ceph/tasks/main.yml
@ -39,3 +39,5 @@
    mode: 0755

 - include_tasks: firewall.yml
+
+- include_tasks: cert.yml
--- a/roles/ceph/templates/nftables.conf.j2
+++ b/roles/ceph/templates/nftables.conf.j2
@ -54,6 +54,8 @@ table inet filter {
        ip saddr @allowed accept # TODO remove exceptions
        ip6 saddr @allowed/6 accept # TODO remove exceptions

+        meta nfproto ipv6 tcp dport 80 accept comment "for certificate renewal"
+
 {% for service in cluster_services %}
 {% set prefixes = service | allowed_prefixes %}
 {% set ports = service.ports | compact_numlist %}