|
| 1 | +.. _orchestrator-cli-cert-management: |
| 2 | + |
| 3 | +======================= |
| 4 | +Certificate Management |
| 5 | +======================= |
| 6 | + |
| 7 | +Introduction |
| 8 | +============ |
| 9 | + |
| 10 | +Cephadm `certmgr` acts as the Root Certificate Authority (CA) for all |
| 11 | +self-signed certificates generated by Cephadm. For services that require |
| 12 | +SSL, admins have the option to either bring their own certificate or allow |
| 13 | +Cephadm to generate a self-signed certificate. This ensures secure communication |
| 14 | +while offering flexibility for deployment preferences. |
| 15 | + |
| 16 | +Certificate Management Behavior |
| 17 | +=============================== |
| 18 | + |
| 19 | +Cephadm `certmgr` automatically detects whether a certificate is self-signed |
| 20 | +(generated by Cephadm) or user-provided. This distinction determines how it |
| 21 | +handles expirations and renewals: |
| 22 | + |
| 23 | +Self-Signed Certificates |
| 24 | +------------------------ |
| 25 | +- `certmgr` can fully automate renewal, ensuring seamless service operation. |
| 26 | +- Automation is controlled by configuration parameters defining certificate |
| 27 | + duration, renewal thresholds, and whether automated rotation is enabled. |
| 28 | + |
| 29 | +User-Provided Certificates |
| 30 | +-------------------------- |
| 31 | +- `certmgr` does not renew these automatically but continuously monitors |
| 32 | + their status. |
| 33 | +- If an issue is detected (e.g., expiration is approaching), it issues |
| 34 | + health warnings/errors `CEPHADM_CERT_ERROR` to alert administrators, |
| 35 | + who must manually replace the certificate. |
| 36 | + |
| 37 | +This proactive approach ensures secure and uninterrupted service operations |
| 38 | +while allowing users to manage certificate policies according to their needs. |
| 39 | + |
| 40 | + |
| 41 | +Configuration |
| 42 | +============= |
| 43 | + |
| 44 | +To manage certificate lifecycles, `certmgr` continuously monitors certificates |
| 45 | +and applies renewal policies based on the certificate type and configured |
| 46 | +parameters. Cephadm provides several configuration options to manage certificate |
| 47 | +lifecycle and renewal: |
| 48 | + |
| 49 | +- **`mgr/cephadm/certificate_automated_rotation_enabled`** (default: `False`): |
| 50 | + Disabled by default, this configuration option controls |
| 51 | + whether Cephadm automatically rotates certificates upon expiration. This helps |
| 52 | + ensure continuity and security without manual intervention. When disabled cephadm will |
| 53 | + still check periodically the certificates but instead of automatically renewing self-signed |
| 54 | + expired ones it will issue a health error/warning when an issue is detected. |
| 55 | + |
| 56 | +- **`mgr/cephadm/certificate_duration_days`** (default: `3 * 365`, min: `90`, max: `10 * |
| 57 | + 365`): Specifies the duration (in days) of self-signed certificates generated |
| 58 | + and signed by the Cephadm root CA. This determines the validity period before |
| 59 | + renewal is required. |
| 60 | + |
| 61 | +- **`certificate_renewal_threshold_days`** (default: `30`, min: `10`, max: |
| 62 | + `90`): Defines the number of days before a certificate's expiration when |
| 63 | + Cephadm should initiate renewal. This ensures timely replacement before |
| 64 | + expiration occurs. This applies to both self-signed and user-provided |
| 65 | + certificates. In the case of user-provided certificates, Cephadm will issue a |
| 66 | + health error or warning alerting administrators about the upcoming renewal |
| 67 | + period proximity. |
| 68 | + |
| 69 | + |
| 70 | +Certificate Health Monitoring |
| 71 | +============================= |
| 72 | + |
| 73 | +Cephadm continuously monitors the status of managed certificates. If any |
| 74 | +certificate is found to be invalid or expired, Cephadm will issue a health error |
| 75 | +with the code `CEPHADM_CERT_ERROR`. Additionally, if a certificate is |
| 76 | +approaching its expiration date, Cephadm will generate a health warning. This |
| 77 | +proactive alerting mechanism helps administrators take timely action to renew or |
| 78 | +replace certificates before service disruptions occur. |
| 79 | + |
| 80 | + |
| 81 | +Known Certificates and Keys |
| 82 | +=========================== |
| 83 | + |
| 84 | +The `CertMgr` class maintains a list of known certificates and keys. These are |
| 85 | +automatically documented below: |
| 86 | + |
| 87 | +.. automodule:: mgr.cephadm.certmgr |
| 88 | + :members: known_certs, known_keys |
| 89 | + :undoc-members: |
| 90 | + :show-inheritance: |
| 91 | + |
| 92 | + |
| 93 | +Certificate Scopes |
| 94 | +================== |
| 95 | + |
| 96 | +Cephadm certmgr supports three different scopes for certificate management: |
| 97 | + |
| 98 | +1. **Global Scope:** |
| 99 | + - Certificates in this scope are shared across all service daemons, regardless of which host they are running on. |
| 100 | + - Example: `mgmt-gateway` certificate is a globally shared certificate used by all service daemons. |
| 101 | + |
| 102 | +2. **Per-Host Scope:** |
| 103 | + - Certificates are assigned per host, meaning each host has its own unique certificate. |
| 104 | + - When configuring a custom certificate, the user must specify the host for which the certificate applies. |
| 105 | + - Example: `grafana` service cerificates are configured at the host level and applies specifically to a single machine. |
| 106 | + |
| 107 | +3. **Per-Service Scope:** |
| 108 | + - Certificates are configured per service name, meaning each instance of a service can have its own certificate. |
| 109 | + - When specifying a custom certificate, the user must define the service to which it belongs. |
| 110 | + - Example: an `rgw` service certificate is assigned specifically and only to an RGW service |
| 111 | + |
| 112 | + |
| 113 | +Reloading Certificate Manager |
| 114 | +============================= |
| 115 | + |
| 116 | +Run the following command to reload the certificate manager configuration from the Monitors: |
| 117 | + |
| 118 | +.. prompt:: bash # |
| 119 | + |
| 120 | + ceph orch certmgr reload |
| 121 | + |
| 122 | +This command ensures that any changes made to certificate configurations are |
| 123 | +applied immediately without requiring a service restart. |
| 124 | + |
| 125 | +Listing Certificates |
| 126 | +==================== |
| 127 | + |
| 128 | +To list all available certificates managed by the orchestrator: |
| 129 | + |
| 130 | +.. prompt:: bash # |
| 131 | + |
| 132 | + ceph orch certmgr cert ls [--show-details] |
| 133 | + |
| 134 | +This command displays an overview of all certificates currently managed by |
| 135 | +cephadm. Using ``--show-details`` provides additional information, including issuing |
| 136 | +authorities and certificate extensions. |
| 137 | + |
| 138 | +Listing Entities |
| 139 | +================ |
| 140 | + |
| 141 | +To list all entities associated with certificates: |
| 142 | + |
| 143 | +.. prompt:: bash # |
| 144 | + |
| 145 | + ceph orch certmgr entity ls |
| 146 | + |
| 147 | +Entities represent services that utilize managed certificates. |
| 148 | + |
| 149 | +Checking Certificate Status |
| 150 | +=========================== |
| 151 | + |
| 152 | +To check the status and validity of a specific certificate: |
| 153 | + |
| 154 | +.. prompt:: bash # |
| 155 | + |
| 156 | + ceph orch certmgr cert check |
| 157 | + |
| 158 | +This command verifies the integrity and expiration status of all managed certificates. |
| 159 | + |
| 160 | +Listing Certificate Keys |
| 161 | +======================== |
| 162 | + |
| 163 | +To list all private keys associated with managed certificates: |
| 164 | + |
| 165 | +.. prompt:: bash # |
| 166 | + |
| 167 | + ceph orch certmgr key ls |
| 168 | + |
| 169 | +This command shows which keys are currently managed by cephadm. |
| 170 | + |
| 171 | +Retrieving a Certificate |
| 172 | +======================== |
| 173 | + |
| 174 | +To retrieve the content of a specific certificate: |
| 175 | + |
| 176 | +.. prompt:: bash # |
| 177 | + |
| 178 | + ceph orch certmgr cert get <certificate_name> [--service_name <value>] [--hostname <value>] [--no-exception-when-missing] |
| 179 | + |
| 180 | +Replace `<certificate-name>` with the actual certificate name from `ceph |
| 181 | +orch certmgr cert ls`. For certificates with host or service scope, include |
| 182 | +the `--hostname` or `--service_name` arguments as needed. |
| 183 | + |
| 184 | +Retrieving a Certificate Key |
| 185 | +============================ |
| 186 | + |
| 187 | +To retrieve the private key associated with a specific certificate: |
| 188 | + |
| 189 | +.. prompt:: bash # |
| 190 | + |
| 191 | + ceph orch certmgr key get <key_name> [--service_name <value>] [--hostname <value>] [--no-exception-when-missing] |
| 192 | + |
| 193 | +Replace `<key-name>` with the actual certificate name from `ceph |
| 194 | +orch certmgr key ls`. For certificates with host or service scope, include |
| 195 | +the `--hostname` or `--service_name` arguments as needed. |
| 196 | + |
| 197 | +Setting a Certificate-Key Pair |
| 198 | +============================== |
| 199 | + |
| 200 | +To associate a certificate with a private key: |
| 201 | + |
| 202 | +.. prompt:: bash # |
| 203 | + |
| 204 | + ceph orch certmgr cert-key set <entity> [--cert <value>] [--key <value>] [--service_name <value>] [--hostname <value>] [--force] |
| 205 | + |
| 206 | +Use this command to upload or replace an existing certificate/key pair for a |
| 207 | +certain service. Replace `<entiy-name>` with the actual certificate name from |
| 208 | +`ceph orch certmgr entity ls`. |
| 209 | + |
| 210 | +Setting a Certificate |
| 211 | +===================== |
| 212 | + |
| 213 | +To update or set a new certificate: |
| 214 | + |
| 215 | +.. prompt:: bash # |
| 216 | + |
| 217 | + ceph orch certmgr cert set <certificate_name> [--cert <value>] [--service_name <value>] [--hostname <value>] [-i <cert-path>] |
| 218 | + |
| 219 | +Use this command to add or replace an existing certificate. |
| 220 | + |
| 221 | +Setting a Private Key |
| 222 | +===================== |
| 223 | + |
| 224 | +To update or set a new private key: |
| 225 | + |
| 226 | +.. prompt:: bash # |
| 227 | + |
| 228 | + ceph orch certmgr key set <key-name> [--key <value>] [--service_name <value>] [--hostname <value>] [-i <key-path>] |
| 229 | + |
| 230 | +This command allows administrators to provide new private keys for services. |
| 231 | + |
| 232 | +Generating Certificates |
| 233 | +======================= |
| 234 | + |
| 235 | +To automatically generate a new certificate and key pair: |
| 236 | + |
| 237 | +.. prompt:: bash # |
| 238 | + |
| 239 | + cehp orch certmgr generate-certificates <module_name> |
| 240 | + |
| 241 | +This command provisions new certificates for specified Manager module. |
0 commit comments