Ceph Orchestrator - Feature #51947: cephadm: Redeploy services, on property update (was: Ingress for RGW does not appear to support chain certificates)
https://tracker.ceph.com/issues/51947?journal_id=200190 2021-07-29T20:30:15Z Dimitri Savineau
<p>That's weird because the code doesn't do anything special with the ssl_cert value in the spec.</p>
<p><a class="external" href="https://github.com/ceph/ceph/blob/v16.2.4/src/pybind/mgr/cephadm/services/ingress.py#L106-L110">https://github.com/ceph/ceph/blob/v16.2.4/src/pybind/mgr/cephadm/services/ingress.py#L106-L110</a></p>
<p>So everything under ssl_cert should be written at the end in the haproxy.pem file the exact same way.</p>
<p>I've tested that small part of the code and the haproxy.pem file always has the right value.</p>
<p>I don't know if that's a typo from when you pasted the ssl_cert value from the spec, but keep in mind that you need two extra spaces before the data.</p>
<pre>
  ssl_cert: | # optional: SSL certificate and key
    -----BEGIN PRIVATE KEY-----
    Key stuff
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    Server Certificate stuff
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    Intermediate CA cert stuff
    -----END CERTIFICATE-----
</pre>
<p>Can you share the full ingress spec file?</p>
https://tracker.ceph.com/issues/51947?journal_id=200192 2021-07-29T21:51:44Z Dimitri Savineau
<p>I finished testing with v16.2.5 and I couldn't reproduce the issue.</p>
<pre>
---
service_type: ingress
service_id: object.ingress
placement:
  label: rgws
spec:
  backend_service: rgw.object
  virtual_ip: 192.168.100.100/24
  frontend_port: 8090
  monitor_port: 1967
  virtual_interface_networks:
    - 192.168.100.0/24
  ssl_cert: |
    -----BEGIN RSA PRIVATE KEY-----
    Key stuff
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    Server Certificate stuff
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    Intermediate CA cert stuff
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    Root CA cert stuff
    -----END CERTIFICATE-----
...
</pre>
<p>And the haproxy.pem file generated has the right content.</p>
<pre>
cat /var/lib/ceph/7de08ebe-f0ad-11eb-9391-fa163eea1af0/haproxy.object.ingress.cephaio-1.yoeykn/haproxy/haproxy.pem
-----BEGIN RSA PRIVATE KEY-----
Key stuff
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Server Certificate stuff
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate CA cert stuff
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root CA cert stuff
-----END CERTIFICATE-----
</pre>
https://tracker.ceph.com/issues/51947?journal_id=200199 2021-07-30T01:51:57Z Dimitri Savineau
<p>OK, it looks like you didn't redeploy the service after updating the spec file with the intermediate CA certificate, right?</p>
<p>I tried to deploy with certificate and key only.</p>
<p>Then I updated the spec by adding the intermediate CA certificate and re-applied it.</p>
<p>Results:<br /> - The spec is correctly updated in the KV store (ceph config-key get mgr/cephadm/spec.ingress.<service_id>)<br /> - The haproxy certificate file on disk isn't updated (still certificate and key)</p>
<p>In fact, I'm pretty sure that's the normal behaviour, because after updating the spec you need to redeploy the ingress services with:</p>
<pre>
$ ceph orch redeploy ingress.<service_id>
</pre>
<p>After that the file on disk is updated.</p>
<p>Note that you could also remove the service and redeploy it from scratch.</p>
https://tracker.ceph.com/issues/51947?journal_id=200916 2021-08-10T18:11:40Z Jim Bartlett
<p>Ok, you're right, I did not redeploy, just re-applied the updated ingress yaml. I have tested on my newly upgraded 16.2.5 clusters and it is working as expected. Updating my procedures to include the re-deploy. I appreciate the help!</p>
<p>Jim.</p>
https://tracker.ceph.com/issues/51947?journal_id=201295 2021-08-16T12:47:06Z Sebastian Wagner
<ul><li><strong>Description</strong> updated (<a title="View differences" href="/journals/201295/diff?detail_id=211865">diff</a>)</li></ul>
https://tracker.ceph.com/issues/51947?journal_id=201296 2021-08-16T12:48:54Z Sebastian Wagner
<ul><li><strong>Tracker</strong> changed from <i>Bug</i> to <i>Feature</i></li><li><strong>Subject</strong> changed from <i>Ingress for RGW does not appear to support chain certificates</i> to <i>cephadm: Redeploy services, on property update (was: Ingress for RGW does not appear to support chain certificates)</i></li><li><strong>Category</strong> changed from <i>cephadm/rgw</i> to <i>cephadm</i></li></ul>
https://tracker.ceph.com/issues/51947?journal_id=206632 2021-11-26T11:29:43Z Sebastian Wagner
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-5 priority-3 priority-lowest closed" href="/issues/50061">Feature #50061</a>: cephadm: automatically redeploy daemons if user changes which container to use</i> added</li></ul>
https://tracker.ceph.com/issues/51947?journal_id=212938 2022-03-21T15:02:37Z Sebastian Wagner
<ul><li><strong>Duplicated by</strong> <i><a class="issue tracker-1 status-1 priority-4 priority-default" href="/issues/54974">Bug #54974</a>: Applying rgwspec with new certificate does not apply</i> added</li></ul>
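<p>Added example (not part of the tracker thread or of cephadm's code): a check for the state described in the comments above, where the re-applied spec carries the intermediate CA certificate but haproxy.pem on disk still holds only the key and the server certificate. It compares the PEM blocks of the two texts; the function names and the sample strings are constructed for illustration.</p>

```python
import re

# One PEM block; the body may carry the indentation of a YAML block scalar.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)

def pem_blocks(text):
    """Return [(label, body)] in file order, with whitespace stripped from body."""
    return [(label, "".join(body.split())) for label, body in PEM_RE.findall(text)]

def chain_drift(spec_text, deployed_text):
    """Compare the PEM blocks of an applied spec with a deployed haproxy.pem."""
    wanted, on_disk = pem_blocks(spec_text), pem_blocks(deployed_text)
    return {
        "in_sync": wanted == on_disk,
        "missing_on_disk": [b for b in wanted if b not in on_disk],
        "stale_on_disk": [b for b in on_disk if b not in wanted],
        "certs_on_disk": sum(1 for label, _ in on_disk if label == "CERTIFICATE"),
    }

# Constructed sample (placeholder bodies as in the thread): spec after the update.
SPEC_AFTER_UPDATE = """\
spec:
  backend_service: rgw.object
  ssl_cert: |
    -----BEGIN PRIVATE KEY-----
    Key stuff
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    Server Certificate stuff
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    Intermediate CA cert stuff
    -----END CERTIFICATE-----
"""

# Constructed sample: haproxy.pem as left on disk before `ceph orch redeploy`.
DEPLOYED_BEFORE_REDEPLOY = """\
-----BEGIN PRIVATE KEY-----
Key stuff
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Server Certificate stuff
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    report = chain_drift(SPEC_AFTER_UPDATE, DEPLOYED_BEFORE_REDEPLOY)
    print("in sync:", report["in_sync"])
    print("missing on disk:", [label for label, _ in report["missing_on_disk"]])
```

<p>A non-empty missing_on_disk list after re-applying a spec means the daemon is still serving the old certificate file and the service has not been redeployed.</p>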