Feature #54486
closed
ca certificate files need to be made permanent inside RGW container
Added by Guillaume Abrioux about 2 years ago.
Updated about 2 years ago.
Category:
cephadm (binary)
Description
there's currently no way to add custom ca trusted certificate files permanently in rgw containers.
this is a RFE for bind-mounting /etc/pki/ca-trust/source/anchors in rgw containers.
- Status changed from In Progress to Rejected
cephadm allows setting 'extra container args' in the service spec.
extra_container_args:
- "-v"
- "/etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro"
- "--security-opt"
- "label=disable"
`cephadm shell` has the `--mount` option:
# ./cephadm shell -- curl https://bz2041134-1:443
Inferring fsid 022d5460-9df9-11ec-8950-52540027a091
Using recent ceph image quay.ceph.io/ceph-ci/ceph@sha256:cc1c6b7c47109036995ebc53824f278b39378fb48aac3e9d82221b105dfff77a
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
#
# ./cephadm shell --mount /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro -- curl https://bz2041134-1:443
Inferring fsid 022d5460-9df9-11ec-8950-52540027a091
Using recent ceph image quay.ceph.io/ceph-ci/ceph@sha256:cc1c6b7c47109036995ebc53824f278b39378fb48aac3e9d82221b105dfff77a
<?xml version="1.0" encoding="UTF-8"?><ListAllMyBucketsResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>anonymous</ID><DisplayName></DisplayName></Owner><Buckets></Buckets></ListAllMyBucketsResult>
#
Also available in: Atom
PDF