|
100 | 100 | * S3 API support for cross-tenant names such as `Bucket='tenant:bucketname'` |
101 | 101 | * STS Lite and `sts:GetSessionToken`. |
102 | 102 |
|
| 103 | +Cephadm |
| 104 | +------- |
| 105 | + |
| 106 | +* A new cephadm-managed ``mgmt-gateway`` service provides a single, TLS-terminated |
| 107 | + entry point for Ceph management endpoints such as the Dashboard and the monitoring |
| 108 | + stack. The gateway is implemented as an nginx-based reverse proxy that fronts Prometheus, |
| 109 | + Grafana, and Alertmanager, so users no longer need to connect to those daemons directly or |
| 110 | + know which hosts they run on. When combined with the new ``oauth2-proxy`` service, which |
| 111 | + integrates with external identity providers using the OpenID Connect (OIDC) / OAuth 2.0 |
| 112 | + protocols, the gateway can enforce centralized authentication and single sign-on (SSO) for |
| 113 | + both the Ceph Dashboard and the rest of the monitoring stack. |
| 114 | +* High availability for the Ceph Dashboard and the Prometheus-based monitoring stack is now |
| 115 | + provided via the cephadm-managed ``mgmt-gateway``. nginx high-availability mechanisms allow |
| 116 | + the mgmt-gateway to detect healthy instances of the Dashboard, Prometheus, Grafana, and Alertmanager, |
| 117 | + route traffic accordingly, and handle manager failover transparently. When deployed with a virtual |
| 118 | + IP and multiple ``mgmt-gateway`` instances, this architecture keeps management access available |
| 119 | + even during daemon or host failures. |
| 120 | +* A new ``certmgr`` cephadm subsystem centralizes certificate lifecycle management for cephadm-managed |
| 121 | + services. certmgr acts as a cluster-internal root CA for cephadm-signed certificates, it can also |
| 122 | + consume user-provided certificates, and tracks how each certificate was provisioned. It standardizes |
| 123 | + HTTPS configuration for services such as RGW and the mgmt-gateway, automates renewal and rotation of |
| 124 | + cephadm-signed certificates, and raises health warnings when certificates are invalid, expiring or misconfigured. |
| 125 | + With certmgr, cephadm-signed certificates are available across all cephadm-managed services, providing |
| 126 | + secure defaults out of the box. |
| 127 | + |
103 | 128 | CephFS |
104 | 129 | ------ |
105 | 130 |
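Review bot: In the ``certmgr`` bullet (new lines 121-122), "certmgr acts as a cluster-internal root CA for cephadm-signed certificates, it can also consume user-provided certificates, and tracks how each certificate was provisioned" is a comma splice with non-parallel verbs; suggest dropping "it" so the sentence reads "acts as ..., can also consume ..., and tracks ...". The same bullet says renewal and rotation are automated for cephadm-signed certificates but does not say what happens to user-provided ones; a short clause stating whether those only get the health warning would help operators who bring their own certificates. For consistency with new lines 106, 115 and 118, mark up the bare mgmt-gateway on new lines 116 and 123 and the bare certmgr on new lines 121 and 125 as double-backtick literals, and wrap new line 124, which is much longer than the lines around it.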