Hello, I'm using Ceph Squid, currently 19.2.1. I'd like to use either the built-in ingress service or an approach with the RGW service to restrict /admin access from public endpoints.

My setup: Firewall (NGINX reverse proxy - TCP 443 stream passthrough only - no SSL) | Ingress Service (SSL certificates applied) | RGW Gateways (SSL certificates applied)

All administrative functions interact with the RGW Gateways directly. Only public flows pass through the Ingress Service. As I understand it, the /admin API is required for gateway and RGW service management. I want to manage my SSL certs ideally via ceph spec files (we have automation for that). The frontend firewall is designed to act as a simple L3 / L4 ACL.

Is there a way to modify the Ingress service spec file to restrict /admin access? According to GROK, adding the following to the ingress spec YAML should work, but the custom_configs section throws an error as follows. I can't seem to find any official documentation around this. Feels like it should be something easy to configure. How are others securing this? Thanks.

---
service_type: ingress
service_id: ingress01
placement:
  hosts:
    - ingress01
spec:
  backend_service: rgw.public
  virtual_ip: 10.1.1.1/24
  frontend_port: 443
  monitor_port: 1967
  custom_configs:
    - |
      frontend frontend
        acl block_admin path_beg /admin
        http-request deny if block_admin
  ssl_cert: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    -----BEGIN PRIVATE KEY-----
    ...
    -----END PRIVATE KEY-----

Error EINVAL: Traceback (most recent call last):
  File "/usr/share/ceph/mgr/mgr_module.py", line 1862, in _handle_command
    return self.handle_command(inbuf, cmd)
  File "/usr/share/ceph/mgr/orchestrator/_interface.py", line 184, in handle_command
    return dispatch[cmd['prefix']].call(self, cmd, inbuf)
  File "/usr/share/ceph/mgr/mgr_module.py", line 499, in call
    return self.func(mgr, **kwargs)
  File "/usr/share/ceph/mgr/orchestrator/_interface.py", line 120, in <lambda>
    wrapper_copy = lambda *l_args, **l_kwargs: wrapper(*l_args, **l_kwargs)  # noqa: E731
  File "/usr/share/ceph/mgr/orchestrator/_interface.py", line 109, in wrapper
    return func(*args, **kwargs)
  File "/usr/share/ceph/mgr/orchestrator/module.py", line 1697, in apply_misc
    return self._apply_misc(specs, dry_run, format, no_overwrite)
  File "/usr/share/ceph/mgr/orchestrator/module.py", line 1700, in _apply_misc
    completion = self.apply(specs, no_overwrite)
  File "/usr/share/ceph/mgr/orchestrator/_interface.py", line 1737, in inner
    completion = self._oremote(method_name, args, kwargs)
  File "/usr/share/ceph/mgr/orchestrator/_interface.py", line 1806, in _oremote
    mgr.log.debug("_oremote {} -> {}.{}(*{}, **{})".format(mgr.module_name, o, meth, args, kwargs))
  File "/lib/python3.9/site-packages/ceph/deployment/service_spec.py", line 1109, in __repr__
    y = yaml.dump(cast(dict, self), default_flow_style=False)
  File "/lib64/python3.9/site-packages/yaml/__init__.py", line 290, in dump
    return dump_all([data], stream, Dumper=Dumper, **kwds)
  File "/lib64/python3.9/site-packages/yaml/__init__.py", line 278, in dump_all
    dumper.represent(data)
  File "/lib64/python3.9/site-packages/yaml/representer.py", line 27, in represent
    node = self.represent_data(data)
  File "/lib64/python3.9/site-packages/yaml/representer.py", line 48, in represent_data
    node = self.yaml_representers[data_types[0]](self, data)
  File "/lib/python3.9/site-packages/ceph/deployment/service_spec.py", line 1122, in yaml_representer
    return dumper.represent_dict(cast(Mapping, data.to_json().items()))
  File "/lib/python3.9/site-packages/ceph/deployment/service_spec.py", line 1062, in to_json
    ret['custom_configs'] = [c.to_json() for c in self.custom_configs]
  File "/lib/python3.9/site-packages/ceph/deployment/service_spec.py", line 1062, in <listcomp>
    ret['custom_configs'] = [c.to_json() for c in self.custom_configs]
AttributeError: 'str' object has no attribute 'to_json'
---

_______________________________________________
ceph-users mailing list -- ceph-users@ceph.io
To unsubscribe send an email to ceph-users-le...@ceph.io
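An added check, not code from this thread or from cephadm, that explains the traceback above: cephadm documents each custom_configs entry as a mapping with `mount_path` and `content`, and a bare string (the shape in the posted spec) is what reaches `c.to_json()` and fails. The mount path in FIXED_SPEC is an assumed placeholder; whether a mounted file can override the haproxy.cfg that cephadm generates for the ingress service is not established by this thread.

```python
# Added example: validate the shape of custom_configs in a cephadm service spec.
# Documented shape: a list of mappings, each with `mount_path` and `content`.
from typing import Any, Dict, List

# The HAProxy fragment from the post, reused as the content of the mounted file.
HAPROXY_DENY_ADMIN = (
    "frontend frontend\n"
    "    acl block_admin path_beg /admin\n"
    "    http-request deny if block_admin\n"
)


def check_custom_configs(spec: Dict[str, Any]) -> List[str]:
    """Return the problems found; an empty list means the documented shape."""
    # Generic spec fields may sit at top level or under `spec:`; look in both.
    entries = spec.get("custom_configs", spec.get("spec", {}).get("custom_configs"))
    if entries is None:
        return []
    if not isinstance(entries, list):
        return ["custom_configs must be a list"]
    problems: List[str] = []
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            # This is the posted case: a YAML block scalar, i.e. a plain str.
            problems.append(f"custom_configs[{i}]: got {type(entry).__name__}, "
                            "expected a mapping with mount_path and content")
            continue
        for key in ("mount_path", "content"):
            if not isinstance(entry.get(key), str) or not entry[key].strip():
                problems.append(f"custom_configs[{i}]: missing or empty {key}")
    return problems


# Constructed to match the post: custom_configs given as a list of strings.
POSTED_SPEC = {
    "service_type": "ingress", "service_id": "ingress01",
    "spec": {"backend_service": "rgw.public", "custom_configs": [HAPROXY_DENY_ADMIN]},
}

# Same fragment in the documented mapping form (mount_path is an assumed placeholder).
FIXED_SPEC = {
    "service_type": "ingress", "service_id": "ingress01",
    "spec": {"backend_service": "rgw.public",
             "custom_configs": [{"mount_path": "/etc/haproxy/deny-admin.cfg",
                                 "content": HAPROXY_DENY_ADMIN}]},
}
```

Running `check_custom_configs(POSTED_SPEC)` reports the string entry, and `check_custom_configs(FIXED_SPEC)` returns an empty list.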