rc/servers
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

ceph: add LE certificates

Browse source 
With a hook to restart RGW services on renewal, if there are any. Live
certificates are linked to the same path under /etc/ceph on each host,
so that the orch service spec is node-independent.

Use with something like this (port 80 must be kept free for standalone
certbot renewal):

    service_type: rgw
    spec:
      rgw_frontend_port: 8080
      rgw_frontend_extra_args:
        - ssl_port=443
        - ssl_private_key=/etc/ceph/privkey.pem
        - ssl_certificate=/etc/ceph/fullchain.pem
    extra_container_args:
      - "--volume"
      - "/etc/ceph:/etc/ceph:ro"
      - "--volume"
      - "/etc/letsencrypt:/etc/letsencrypt:ro"
This commit is contained in:
Timotej Lazar 2024-11-08 16:32:06 +01:00
parent 6e5de53937
commit 46a9ff6fc0
4 changed files with 41 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

2
roles/ceph/templates/nftables.conf.j2
View file

@ -54,6 +54,8 @@ table inet filter {
ip saddr @allowed accept # TODO remove exceptions
ip6 saddr @allowed/6 accept # TODO remove exceptions
meta nfproto ipv6 tcp dport 80 accept comment "for certificate renewal"
{% for service in cluster_services %}
{% set prefixes = service | allowed_prefixes %}
{% set ports = service.ports | compact_numlist %}