Nice find! Totally looks buggy. Also thanks for sharing that command…I love a good one-liner!

Josh Beaman

From: Kai Stian Olstad <ceph+list@xxxxxxxxxx>
Date: Friday, June 16, 2023 at 7:35 AM
To: Beaman, Joshua <Joshua_Beaman@xxxxxxxxxxx>
Cc: ceph-users@xxxxxxx <ceph-users@xxxxxxx>
Subject: Re: [EXTERNAL] How to change RGW certificate in Cephadm?

On Thu, Jun 15, 2023 at 03:58:40PM +0000, Beaman, Joshua wrote:
>We resolved our HAProxy woes by creating a custom jinja2 template and deploying as:
>ceph config-key set mgr/cephadm/services/ingress/haproxy.cfg -i /tmp/haproxy.cfg.j2

Thanks, wish I knew that a few months ago before I threw out ingress.

>But we redeploy new certs the same way you described, and then:
>ceph orch reconfig ingress.rgw.default.default
>ceph orch restart rgw.default.default
>
>This is all done in the same ansible playbook we use to do initial deployment, but I don’t see anything else in there that looks like it would be needed to update the certs.

After testing this I will claim this is a bug.

The first time "ceph orch apply -i /etc/ceph/rgw.yml" is run it creates two keys
mgr/cephadm/spex.rgw.pech and rgw/cert/rgw.pech

But later when the spec file is updated and apply is run again only
mgr/cephadm/spex.rgw.pech is updated.

When the RGW starts the log says it is using the certificate in rgw/cert/rgw.pech

So, if I read out the certificate from mgr/cephadm/spex.rgw.pech and add that
in rgw/cert/rgw.pech and then restart the RGW it picks up the new certificate.

The command to do this

    ceph config-key get mgr/cephadm/spex.rgw.pech | jq -r .spec.spec.rgw_frontend_ssl_certificate | ceph config-key set rgw/cert/rgw.pech -
    ceph orch restart rgw.pech

My claim is that Ceph should update "rgw/cert/rgw.pech" when
"mgr/cephadm/spex.rgw.pech" is updated.

--
Kai Stian Olstad
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
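
A way to detect the stale-certificate condition described in the message above before restarting anything, as an added example that is not part of the original thread and not Ceph's own code. It assumes the spec key holds JSON with the certificate as a single PEM string at .spec.spec.rgw_frontend_ssl_certificate (the path the jq filter uses); the function names and the sample data are constructed for illustration.

```python
import base64, hashlib, json, re, subprocess

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cert_fingerprints(pem_text):
    """SHA-256 of each CERTIFICATE block's DER bytes; key blocks are ignored."""
    return [hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_CERT.findall(pem_text or "")]

def spec_cert(spec_json):
    """Same path as the jq filter in the thread."""
    return json.loads(spec_json)["spec"]["spec"]["rgw_frontend_ssl_certificate"]

def cert_drift(spec_json, stored_pem):
    """True when the cert RGW loads differs from the one in the applied spec."""
    return cert_fingerprints(spec_cert(spec_json)) != cert_fingerprints(stored_pem)

def config_key_get(key):
    """Read a key on a live cluster (needs the ceph CLI and an admin keyring)."""
    return subprocess.run(["ceph", "config-key", "get", key],
                          check=True, capture_output=True, text=True).stdout

def fake_pem(payload):
    """Constructed stand-in for a certificate: valid PEM framing, dummy bytes."""
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed sample data, not taken from a real cluster.
OLD, NEW = fake_pem(b"old-cert-der"), fake_pem(b"new-cert-der")
SPEC_AFTER_REAPPLY = json.dumps(
    {"spec": {"spec": {"rgw_frontend_ssl_certificate": NEW}}})

if __name__ == "__main__":
    # On a cluster, replace the samples with config_key_get("<spec key>") and
    # config_key_get("<cert key>"), using the two key names for your service.
    print("stale cert in RGW key:", cert_drift(SPEC_AFTER_REAPPLY, OLD))
    # Line-ending or trailing-whitespace differences are not drift.
    print("after sync:",
          cert_drift(SPEC_AFTER_REAPPLY, NEW.replace("\n", "\r\n")))
```

Comparing fingerprints of the decoded certificate blocks rather than the raw strings keeps whitespace differences, or a private key stored alongside the certificate, from producing a false alarm.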