|
| 1 | +.. _deploy-cephadm-mgmt-gateway: |
| 2 | + |
| 3 | +================== |
| 4 | +Management Gateway |
| 5 | +================== |
| 6 | + |
| 7 | +Deploying mgmt-gateway |
| 8 | +====================== |
| 9 | + |
| 10 | +In Ceph releases beginning with Squid, the `mgmt-gateway` service introduces a new design for Ceph applications |
| 11 | +based on a modular, service-based architecture. This service, managed by cephadm and built on top of nginx |
| 12 | +(an open-source, high-performance web server), acts as the new front-end and single entry point to the |
| 13 | +Ceph cluster. The `mgmt-gateway` provides unified access to all Ceph applications, including the Ceph dashboard |
| 14 | +and monitoring stack. Employing nginx enhances security and simplifies access management due to its robust |
| 15 | +community support and high-security standards. The `mgmt-gateway` service acts as a reverse proxy that routes |
| 16 | +requests to the appropriate Ceph application instances. |
| 17 | + |
| 18 | +In order to deploy the mgmt-gateway service, use the following command: |
| 19 | + |
| 20 | +.. prompt:: bash # |
| 21 | + |
| 22 | + ceph orch apply mgmt-gateway [--placement ...] ... |
| 23 | + |
| 24 | +Once applied cephadm will reconfigure specific running daemons (such as monitoring) to run behind the |
| 25 | +new created service. External access to those services will not be possible anymore. Access will be |
| 26 | +consolidated behind the new service endpoint: `https://<node-ip>:<port>`. |
| 27 | + |
| 28 | + |
| 29 | +Benefits of the mgmt-gateway service |
| 30 | +==================================== |
| 31 | +* ``Unified Access``: Consolidated access through nginx improves security and provide a single entry point to services. |
| 32 | +* ``Improved user experience``: User no longer need to know where each application is running (ip/host). |
| 33 | +* ``High Availability for dashboard``: nginx HA mechanisms are used to provide high availability for the Ceph dashboard. |
| 34 | +* ``High Availability for monitoring``: nginx HA mechanisms are used to provide high availability for monitoring. |
| 35 | + |
| 36 | +Security enhancements |
| 37 | +===================== |
| 38 | + |
| 39 | +Once the `mgmt-gateway` service is deployed user cannot access monitoring services without authentication through the |
| 40 | +Ceph dashboard. |
| 41 | + |
| 42 | + |
| 43 | +High availability enhancements |
| 44 | +============================== |
| 45 | +nginx HA mechanisms are used to provide high availability for all the Ceph management applications including the Ceph dashboard |
| 46 | +and monitoring stack. In case of the Ceph dashboard user no longer need to know where the active manager is running. |
| 47 | +`mgmt-gateway` handles manager failover transparently and redirects the user to the active manager. In case of the |
| 48 | +monitoring `mgmt-gateway` takes care of handling HA when several instances of Prometheus, Alertmanager or Grafana are |
| 49 | +available. The reverse proxy will automatically detect healthy instances and use them to process user requests. |
| 50 | + |
| 51 | + |
| 52 | +Accessing services with mgmt-gateway |
| 53 | +==================================== |
| 54 | + |
| 55 | +Once the `mgmt-gateway` service is deployed direct access to the monitoring services will not be allowed anymore. |
| 56 | +Applications including: Prometheus, Grafana and Alertmanager are now accessible through links |
| 57 | +from `Administration > Services`. |
| 58 | + |
| 59 | + |
| 60 | +Service Specification |
| 61 | +===================== |
| 62 | + |
| 63 | +A mgmt-gateway service can be applied using a specification. An example in YAML follows: |
| 64 | + |
| 65 | +.. code-block:: yaml |
| 66 | +
|
| 67 | + service_type: mgmt-gateway |
| 68 | + service_id: gateway |
| 69 | + placement: |
| 70 | + hosts: |
| 71 | + - ceph0 |
| 72 | + spec: |
| 73 | + port: 5000 |
| 74 | + ssl_protocols: |
| 75 | + - TLSv1.2 |
| 76 | + - TLSv1.3 |
| 77 | + - ... |
| 78 | + ssl_ciphers: |
| 79 | + - AES128-SHA |
| 80 | + - AES256-SHA |
| 81 | + - ... |
| 82 | + ssl_certificate: | |
| 83 | + -----BEGIN CERTIFICATE----- |
| 84 | + MIIDtTCCAp2gAwIBAgIYMC4xNzc1NDQxNjEzMzc2MjMyXzxvQ7EcMA0GCSqGSIb3 |
| 85 | + DQEBCwUAMG0xCzAJBgNVBAYTAlVTMQ0wCwYDVQQIDARVdGFoMRcwFQYDVQQHDA5T |
| 86 | + [...] |
| 87 | + -----END CERTIFICATE----- |
| 88 | + ssl_certificate_key: | |
| 89 | + -----BEGIN PRIVATE KEY----- |
| 90 | + MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC5jdYbjtNTAKW4 |
| 91 | + /CwQr/7wOiLGzVxChn3mmCIF3DwbL/qvTFTX2d8bDf6LjGwLYloXHscRfxszX/4h |
| 92 | + [...] |
| 93 | + -----END PRIVATE KEY----- |
| 94 | +
|
| 95 | +Fields specific to the ``spec`` section of the mgmt-gateway service are described below. |
| 96 | + |
| 97 | +.. py:currentmodule:: ceph.deployment.service_spec |
| 98 | +
|
| 99 | +.. autoclass:: MgmtGatewaySpec |
| 100 | + :members: |
| 101 | + |
| 102 | +.. warning:: |
| 103 | + |
| 104 | + TLSv1.3 is considered safe at this moment and includes a set of secure ciphers by default. |
| 105 | + When configuring SSL/TLS ciphers for older versions, especially TLSv1.2, it is crucial to |
| 106 | + use only a subset of secure ciphers. Using weak or outdated ciphers can significantly |
| 107 | + compromise the security of your system. |
| 108 | + |
| 109 | + Any alteration of the cipher list for SSL/TLS configurations is the responsibility of the |
| 110 | + system administrator. Avoid modifying these lists without a thorough understanding of the |
| 111 | + implications. Incorrect configurations can lead to vulnerabilities such as weak encryption, |
| 112 | + lack of forward secrecy, and susceptibility to various attacks. Always refer to up-to-date |
| 113 | + security guidelines and best practices when configuring SSL/TLS settings. |
| 114 | + |
| 115 | + |
| 116 | +The specification can then be applied by running the following command: |
| 117 | + |
| 118 | +.. prompt:: bash # |
| 119 | + |
| 120 | + ceph orch apply -i mgmt-gateway.yaml |
| 121 | + |
| 122 | + |
| 123 | +Limitations |
| 124 | +=========== |
| 125 | + |
| 126 | +A non-exhaustive list of important limitations for the mgmt-gateway service follows: |
| 127 | + |
| 128 | +* High-availability configurations and clustering for the mgmt-gateway service itself are currently not supported. |
| 129 | +* Services must bind to the appropriate ports based on the applications being proxied. Ensure that there |
| 130 | + are no port conflicts that might disrupt service availability. |
| 131 | + |
| 132 | + |
| 133 | +Default images |
| 134 | +~~~~~~~~~~~~~~ |
| 135 | + |
| 136 | +The `mgmt-gateway` service internally makes use of nginx reverse proxy. The following container image is used by default: |
| 137 | + |
| 138 | +:: |
| 139 | + |
| 140 | + DEFAULT_NGINX_IMAGE = 'quay.io/ceph/nginx:1.26.1' |
| 141 | + |
| 142 | +Admins can specify the image to be used by changing the `container_image_nginx` cephadm module option. If there were already |
| 143 | +running daemon(s) you must redeploy the daemon(s) in order to have them actually use the new image. |
| 144 | + |
| 145 | +For example: |
| 146 | + |
| 147 | +.. code-block:: bash |
| 148 | +
|
| 149 | + ceph config set mgr mgr/cephadm/container_image_nginx <new-nginx-image> |
| 150 | + ceph orch redeploy mgmt-gateway |
0 commit comments