Let's see what the Ceph project plans to do with the issue there. It seems to me that the RGW itself should reload when the file changes without needing to do anything special in Rook.
Rook `CephObjectStore` CRD seems to have pretty good support for enabling SSL on the RGW pods by providing a `sslCertificateRef` to a `tls` Secret: https://rook.io/docs/rook/v1.13/CRDs/Object-Storage/ceph-object-store-crd/#gateway-settings
We use Cert-Manager, which automatically renews these certs. In our testing it seems to work fine until the certs expire. Restarting an rgw pod fixes it (it begins using the updated cert). The newer Beast rgw does not appear to have any option to reload the certs without a restart (even though the cert is updated inside the pod via the Secret). Previously, civetweb rgw did have an option to handle short-lived ssl certs.
I've filed a ceph issue here: https://tracker.ceph.com/issues/65470
I'm wondering if Rook should be monitoring the certificate and automatically rolling the RGW deployment when changes occur on the Secret. Another idea might be a Liveness Probe that checks the cert validity and then restarts the rgw (with a long random delay?)
Perhaps I'm missing something else and there is another solution already?
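The liveness-probe idea from the issue above, sketched in Go as an added example (not Rook or Ceph code): it decides whether the certificate RGW is still serving is stale relative to the renewed `tls.crt` mounted from the Secret, or is close to expiry. The names `needsRestart` and `constructedCert` and the 24-hour threshold are assumptions for illustration; obtaining the served certificate from the gateway's TLS handshake is left to the caller.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// needsRestart (hypothetical helper) reports whether the served leaf (DER) differs from
// the leaf in the mounted Secret (PEM), or expires within minLeft of now.
func needsRestart(servedDER, mountedPEM []byte, now time.Time, minLeft time.Duration) (bool, string, error) {
	block, _ := pem.Decode(mountedPEM) // first PEM block in tls.crt is the leaf
	if block == nil || block.Type != "CERTIFICATE" {
		return false, "", fmt.Errorf("mounted tls.crt has no CERTIFICATE block")
	}
	served, err := x509.ParseCertificate(servedDER)
	if err != nil {
		return false, "", fmt.Errorf("served certificate: %w", err)
	}
	if !bytes.Equal(servedDER, block.Bytes) {
		return true, "served certificate differs from mounted Secret", nil
	}
	if left := served.NotAfter.Sub(now); left < minLeft {
		return true, fmt.Sprintf("certificate expires in %s", left.Round(time.Minute)), nil
	}
	return false, "", nil
}

// constructedCert returns a throwaway self-signed certificate (constructed sample input).
func constructedCert(serial int64, notAfter time.Time) (der, pemBytes []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), DNSNames: []string{"rgw.example.test"},
		NotBefore: notAfter.Add(-90 * 24 * time.Hour), NotAfter: notAfter}
	der, _ = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now := time.Now()
	oldDER, _ := constructedCert(1, now.Add(2*time.Hour))     // still held in RGW memory
	_, newPEM := constructedCert(2, now.Add(90*24*time.Hour)) // renewed copy in the Secret
	fmt.Println(needsRestart(oldDER, newPEM, now, 24*time.Hour))
}
```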