-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
docs: update about ports and ssl cert for virtualhost feature #14135
base: master
Are you sure you want to change the base?
Conversation
@@ -159,6 +159,9 @@ The hosting settings allow you to host buckets in the object store on a custom D | |||
|
|||
* `dnsNames`: a list of DNS names to host buckets on. These names need to valid according RFC-1123. Otherwise it will fail. Each endpoint requires wildcard support like [ingress loadbalancer](https://kubernetes.io/docs/concepts/services-networking/ingress/#hostname-wildcards). Do not include the wildcard itself in the list of hostnames (e.g., use "mystore.example.com" instead of "*.mystore.example.com"). Add all the hostnames like openshift routes otherwise access will be denied, but if the hostname does not support wild card then virtual host style won't work those hostname. By default cephobjectstore service endpoint and custom endpoints from cephobjectzone is included. The feature is supported only for Ceph v18 and later versions. | |||
|
|||
!!! Note | |||
The user need to confirm the port exposed by wildcard supported endpoint should be same that of rgw kubernetes service. Most provides like ingress loadbalancer or openshift routes does the same. If the SSL enabled for `CephObjectStore` then the `dnsNames` should include the endpoints which exposes the secure port and user need to update the SSL certs used by the RGW contains that domain. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you rephrase the paragraph? I don't understand it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I want to cover following:
The port-defined domains in dnsNames
accessing rgw should be same as cephobjectstore.Spec
. By default ingress loadbalancer or openshift routes uses same port as the service which they are exposing
If secureport is defined in cephobjectstoreSpec
, then dnsNames contain domains which uses the secure port. And this domain need approved by the SSL certs which RGW is using
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is a "port-defined domain"? I thought the port was independent from the dns name.
I understand better now what you are saying. Can you update the doc paragraph now instead of just the comment?
Sorry, I meant port defined for domain. For example if create an openshift route
for rgw service
, I will specify which port the openshift route need to listen to in the service let it be 80
. Even though I can access the rgw server via route endpoint direclty
without any port http://route
will work also the http://route:80
is valid but htttp://route:81
(some other values than 80) will fail as the connection refused. Same with ingress loadbalancer.
If TLS port is defined for cephobjectstore then Rook always tries to communicate with RGW using the secure path. Now consider two routes one normal route
listens to port 80
and there another routesecure
listens to 443 of rgw service. In the DNS names both routes need to include. But Rook always pick secure port then valid DNS name for internal communication will be https://routesecure:443
. With current changes, there is chance that it can be https://route:443
which will fail. Secondly this domain routesecure
needs to be verified by the rgw service. Or the user can set insecureSkipVerify
in the TLS cert for RGW server
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Perhaps a few separate notes would help clarify things better for users. I also don't think we need a note callout. This information seems critical enough that it should be in the main explanation for the feature. I like bulleted lists when doing technical writing for keeping information concise and readable, like
Important considerations:
- ports configured in the ingress path for an endpoint must match the
port
orsecurePort
specified in the CephObjectStore spec - if the CephObjectStore specifies both
port
andsecurePort
the endpoint must use thesecurePort
- etc. etc.
6f4893f
to
bb9e9e6
Compare
2580f30
to
272d525
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please also fix the markdown issues flagged by our doc linter.
75c764e
to
0000977
Compare
Please consider below points while setting this option: | ||
* Domains added to `dnsNames` should listen to the same port mentioned in `CephObjectStoreSpec`. | ||
* If the user specified both `port` and `securePort` in the `CephObjectStoreSpec`, then domains input into `dnsNames` must only specify `securePort`. | ||
* If TLS is enabled with RGW, either TLS certificate include to verify the domains in `dnsNames` or user need to set `insecureSkipVerify` to true in the kubernetes secret. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This doesn't read clearly in multiple places, and I'm having trouble figuring out what users need to do.
Is this what is intended?
"If TLS is enabled, the TLS certificate must include the domains in dnsNames
, or insecureSkipVerify
must be set on the CephObjectStore."
Please consider below points while setting this option: | ||
* Domains added to `dnsNames` should listen to the same port mentioned in `CephObjectStoreSpec`. | ||
* If the user specified both `port` and `securePort` in the `CephObjectStoreSpec`, then domains input into `dnsNames` must only specify `securePort`. | ||
* If TLS is enabled with RGW, either TLS certificate include to verify the domains in `dnsNames` or user need to set `insecureSkipVerify` to true in the kubernetes secret. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can't tell if this section is intended to be part of the paragraph that begins with the bullet * dnsNames
above, or if it is intended to be a separate paragraph.
As it is, the text "Please consider..." immediately follows the dnsNames
bullet, which implies it should be the same content, but it also is indented on the left, which implies it should be a separate paragraph.
The 3 bullets are indented, which implies there is intent to have this be part of the dnsNames
bullet.
IMO, this section is short enough that this will be easier to read for users if it is a separate paragraph. To format it as such, please add an empty line above "Please consider..." and un-indent the 3 bullets.
The users need to careful about port and ssl certs while consuming virtual host feature for rgw. Fixes: rook#14087 Signed-off-by: Jiffin Tony Thottan <thottanjiffin@gmail.com>
0000977
to
a0f41bb
Compare
The users need to careful about port and ssl certs while consuming virtual host feature for rgw.
Fixes: #14087
Checklist: