Hi Boris,

I see, to answer your questions:

> - When the certificate is renewed, I'll need to update the definition.

That's normal, we are also planning to add support for ACME in the future so certificate rotation can be automated.

> - If the definition points to a filepath, I need to keep the files in sync
> over all possible rgw hosts.

Cephadm internally also updates the same key. Without the fix that Daniel linked previously you had to manually run:

    ceph orch apply -i <your-rgw-spec-yaml>
    ceph orch daemon reconfig <your-rgw-daemon>

or

    ceph orch reconfig <your-rgw-service-name>

This command will refresh the certificate (including the monstore key) and restart the daemon. With the fix the extra manual step of "reconfig" is not needed anymore. Anytime you apply a spec with a new SSL/key the reconfig step will be performed automatically.

certmgr is expected to land on Tentacle release, and it comes with several features for certificates monitoring and mgmt.

Best,
Redo.

>
> My idea was to have a service that updates the config key with the correct
> certificate. I don't even need to define it in the service definition,
> because the config key is deterministic.
>
> The linked certmgr is something that will come to tentacle? I've stumbled
> upon it in the /latest documentation, but it looks like it is not yet in
> squid.
>
> On Tue, Jul 8, 2025 at 15:49, Redouane Kachach <rkach...@redhat.com> wrote:
>
>> Hi,
>>
>> The changes in the PR should be already in Tentacle so the fix will come
>> with the release.
>>
>> In addition I'd recommend in general putting any service related config in
>> the service-spec. Setting the key-store by hand directly is not a good idea
>> as cephadm
>> will not be aware of those changes and can potentially override them. We
>> are working in a more user-friendly support to manage certificates in
>> cephadm:
>>
>> https://github.com/ceph/ceph/pull/62106
>>
>> But that would take some time to land into an official release.
>>
>> Best,
>> Redo.
>>
>>
>> On Tue, Jul 8, 2025 at 3:13 PM Daniel Parkes <dpar...@redhat.com> wrote:
>>
>>> Hi,
>>>
>>> I would expect it to be backported into Tentacle. Maybe Adam or Redo can
>>> confirm?
>>>
>>> Thanks,
>>>
>>> Regards.
>>>
>>> On Mon, Jul 7, 2025 at 2:10 PM Boris <b...@kervyn.de> wrote:
>>>
>>>> Hi Daniel,
>>>>
>>>> do you know when this will be released?
>>>>
>>>> I can not find the change in the changelogs for reef or squid, and I
>>>> updated the certificate/key with
>>>> ceph config-key set rgw/cert/rgw.s3-poc-boris -i /etc/letsencrypt/data/s3-poc-boris_ecc/s3-poc-boris.pem
>>>> (the pem contains cert and key combined)
>>>>
>>>> I did not provide any keys in the ceph orch yaml, but put the
>>>> certificate at the location which seems to be deterministic to the service
>>>> name.
>>>>
>>>> On Sat, Jul 5, 2025 at 16:11, Daniel Parkes <dpar...@redhat.com> wrote:
>>>>
>>>>> Hi Boris,
>>>>>
>>>>> When using cephadm as the orchestrator, this request has been
>>>>> addressed in the following PR: https://github.com/ceph/ceph/pull/61694
>>>>>
>>>>> https://tracker.ceph.com/issues/69863
>>>>>
>>>>> Regards.
>>>>>
>>>>> On Fri, Jul 4, 2025 at 1:32 PM Boris <b...@kervyn.de> wrote:
>>>>>
>>>>>> Hi,
>>>>>> is there a way to reload the certificate in rgw without downtime? Or
>>>>>> if I have multiple rgw daemons to do it one by one and wait for the
>>>>>> last one to be active again?
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> The "UTF-8 problems" self-help group is, as an exception, meeting in
>>>>>> the large hall this time.
>>>>>> _______________________________________________
>>>>>> ceph-users mailing list -- ceph-users@ceph.io
>>>>>> To unsubscribe send an email to ceph-users-le...@ceph.io
>>>>>>
>>>>>
>>>>
>>>
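A post-rotation check for the procedure discussed in this thread, as an added example that is not part of any message here and is not Ceph or cephadm code: after `ceph orch apply -i <your-rgw-spec-yaml>`, it compares the SHA-256 of the renewed certificate with what each RGW frontend actually serves, so a daemon that was not reconfigured or a host whose file is out of sync shows up. It assumes the leaf certificate is the first CERTIFICATE block in the PEM (a combined cert-and-key file is fine); the host names and port in the demo are constructed.

```python
import hashlib
import re
import socket
import ssl

CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def leaf_fingerprint(pem_text):
    """SHA-256 of the first CERTIFICATE block; a private key in the same
    bundle (cert and key combined) is skipped and never hashed or printed."""
    m = CERT_RE.search(pem_text)
    if m is None:
        raise ValueError("no CERTIFICATE block in PEM input")
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(m.group(0))).hexdigest()

def served_der(host, port, timeout=5.0):
    """DER certificate the frontend presents. Chain validation is off on
    purpose: a stale or expired certificate must still be readable so it
    can be compared by hash. Do not reuse this context for real traffic."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def stale_endpoints(pem_text, endpoints, fetch=served_der):
    """Map each (host, port) not serving the renewed leaf to a reason."""
    want = leaf_fingerprint(pem_text)
    stale = {}
    for host, port in endpoints:
        try:
            got = hashlib.sha256(fetch(host, port)).hexdigest()
        except OSError as exc:  # covers refused, timeout and ssl.SSLError
            stale[(host, port)] = f"unreachable: {exc}"
            continue
        if got != want:
            stale[(host, port)] = f"serves {got[:16]}, expected {want[:16]}"
    return stale

if __name__ == "__main__":
    # Constructed stand-ins, not real certificates or hosts.
    new, old = b"constructed-renewed-cert", b"constructed-previous-cert"
    bundle = ssl.DER_cert_to_PEM_cert(new)
    fake = {"rgw-a.example": new, "rgw-b.example": old}
    hosts = [(h, 443) for h in fake]
    print(stale_endpoints(bundle, hosts, fetch=lambda h, p: fake[h]))
```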