On Thu, Jun 15, 2023 at 03:58:40PM +0000, Beaman, Joshua wrote:
> We resolved our HAProxy woes by creating a custom jinja2 template and deploying as:
>
>   ceph config-key set mgr/cephadm/services/ingress/haproxy.cfg -i /tmp/haproxy.cfg.j2

Thanks, wish I knew that a few months ago before I threw out ingress.

> But we redeploy new certs the same way you described, and then:
>
>   ceph orch reconfig ingress.rgw.default.default
>   ceph orch restart rgw.default.default
>
> This is all done in the same ansible playbook we use to do initial deployment, but I don’t see anything else in there that looks like it would be needed to update the certs.

After testing this I will claim this is a bug.

The first time "ceph orch apply -i /etc/ceph/rgw.yml" is run, it creates two keys:

  mgr/cephadm/spex.rgw.pech
  rgw/cert/rgw.pech

But later, when the spec file is updated and apply is run again, only mgr/cephadm/spex.rgw.pech is updated.

When the RGW starts, the log says it is using the certificate in rgw/cert/rgw.pech.

So, if I read out the certificate from mgr/cephadm/spex.rgw.pech and add that in rgw/cert/rgw.pech and then restart the RGW, it picks up the new certificate.

The commands to do this:

  ceph config-key get mgr/cephadm/spex.rgw.pech | jq -r .spec.spec.rgw_frontend_ssl_certificate | ceph config-key set rgw/cert/rgw.pech -
  ceph orch restart rgw.pech

My claim is that Ceph should update "rgw/cert/rgw.pech" when "mgr/cephadm/spex.rgw.pech" is updated.

-- 
Kai Stian Olstad
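
An added example (not from the thread and not Ceph's own code): a check for the drift described above, comparing the certificate in the stored spec with the one under the key RGW reads, so a stale certificate is caught after a re-apply. It assumes the spec JSON layout implied by the jq path in the thread and that the field may be a string or a list of strings; the function names and the sample PEM payloads are constructed.

```python
import base64, hashlib, json, re, subprocess, sys

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def pem_fingerprints(text):
    """[(label, sha256 of decoded bytes)] per PEM block; ignores wrapping/newlines."""
    return [(label, hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest())
            for label, body in PEM_RE.findall(text)]

def spec_cert(spec_json):
    """Extract the PEM bundle at .spec.spec.rgw_frontend_ssl_certificate."""
    value = json.loads(spec_json)["spec"]["spec"]["rgw_frontend_ssl_certificate"]
    # Assumption: the field may be a single string or a list of PEM strings.
    return "\n".join(value) if isinstance(value, list) else value

def in_sync(spec_json, stored_pem):
    """True only if both sides hold the same non-empty sequence of PEM blocks."""
    want = pem_fingerprints(spec_cert(spec_json))
    return bool(want) and want == pem_fingerprints(stored_pem)

def config_key_get(key):
    """Read one value from the cluster with 'ceph config-key get'."""
    return subprocess.run(["ceph", "config-key", "get", key],
                          check=True, capture_output=True, text=True).stdout

def make_pem(payload, label="CERTIFICATE"):
    """Build a constructed PEM block for the offline demo (not a real certificate)."""
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: script.py <spec key> <cert key>, the two config-key names from the thread.
        spec, stored = config_key_get(sys.argv[1]), config_key_get(sys.argv[2])
    else:
        # Constructed sample: spec already holds the new cert, cert key still the old one.
        new, stored = make_pem(b"constructed-new-cert"), make_pem(b"constructed-old-cert")
        spec = json.dumps({"spec": {"spec": {"rgw_frontend_ssl_certificate": new}}})
    ok = in_sync(spec, stored)
    print("in sync" if ok else "STALE: certificate key differs from the spec")
    sys.exit(0 if ok else 1)
```

The non-zero exit status on drift lets the check run as a step after "ceph orch apply" in the same playbook.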