Skip to content

Fix ceph 9 RGW deployment #3436

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
evallesp merged 1 commit into from
Nov 13, 2025
Merged

Fix ceph 9 RGW deployment #3436

evallesp merged 1 commit into from
Nov 13, 2025
+29 −5

Conversation

@fmount
Copy link
Contributor

@fmount fmount commented Oct 24, 2025
edited
Loading

rgw_frontend_ssl_certificate has been deprecated in ceph8 and in ceph9 doesn't work properly anymore. There's a new way of setting both cert and key when ssl is used and is fully documented in [1].
This patch preserves the old way of deploying rgw through a new var used to execute the old code. When rgw_ssl_backward_compatibility is set, the old facts are created, resulting in populating the old variables, otherwise the new method based on ssl_cert and ssl_key fields is applied.

[1] https://docs.ceph.com/en/latest/cephadm/services/rgw/

Jira: https://issues.redhat.com/browse/OSPRH-21250

@fmount fmount requested a review from a team as a code owner October 24, 2025 12:34
danpawlik
danpawlik reviewed Oct 24, 2025
View reviewed changes
danpawlik
danpawlik reviewed Oct 24, 2025
View reviewed changes
@fmount
Copy link
Contributor Author

fmount commented Oct 24, 2025
edited
Loading

Early testing looks promising:

======
Totals
======
Ran: 142 tests in 132.5648 sec.
 - Passed: 130
 - Skipped: 12
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 0

@fmount fmount force-pushed the ceph9 branch 3 times, most recently from 78a7e21 to 2e51e5f Compare October 26, 2025 13:44
@danpawlik
Copy link
Contributor

danpawlik commented Oct 27, 2025

@fmount should it be DNM (PR has such label)?

@fmount
Copy link
Contributor Author

fmount commented Oct 27, 2025

@fmount should it be DNM (PR has such label)?

If the current / in progress uni03gamma regression testing works as expected, I will remove the do-not-merge label.
In any case feel free to review if you have additional comments.

@fmount
Copy link
Contributor Author

fmount commented Oct 27, 2025

both unigamma (which deploys ceph 7) and unidelta (where we have ceph 8 and we're going to move to 9) are working properly with this patch. By default we keep backward compatibility, so no changes are required for the existing jobs, while for unidelta we're going to have a ci-framework-jobs patch where we explicitly pass cifmw_rgw_ssl_backward_compatibility: false to build the RGW spec with the new fields.

fmount
fmount commented Oct 27, 2025
View reviewed changes
danpawlik
danpawlik previously approved these changes Oct 28, 2025
View reviewed changes
@fmount
Copy link
Contributor Author

fmount commented Oct 29, 2025

rebased.

katarimanojk
katarimanojk reviewed Oct 29, 2025
View reviewed changes
@openshift-ci openshift-ci bot added the lgtm label Oct 29, 2025
katarimanojk
katarimanojk previously approved these changes Oct 29, 2025
View reviewed changes
@fmount fmount dismissed stale reviews from katarimanojk and danpawlik via 45af7cb October 29, 2025 11:58
@katarimanojk
Copy link
Contributor

katarimanojk commented Oct 29, 2025

/lgtm

@openshift-ci openshift-ci bot added the lgtm label Oct 29, 2025
@fmount
Copy link
Contributor Author

fmount commented Oct 29, 2025

Note from myself: we need to cherry-pick this patch to FR4 as a prereq for the transition to Ceph 9.

@openshift-ci openshift-ci bot removed the lgtm label Nov 3, 2025
@fmount
Fix ceph 9 RGW deployment
5bcde43 
rgw_frontend_ssl_certificate has been deprecated in ceph8 and in ceph9 doesn't
work properly anymore. There's a new way of setting both cert and key when ssl
is used and is fully documented in [1].
This patch still preserves the old way of deploying rgw through a new var used
to execute the old code. When "rgw_ssl_backward_compatibility" is set,
the old facts are set, resulting in populating the old variables, otherwise
the new method based on ssl_cert and ssl_key is applied.

[1] https://docs.ceph.com/en/latest/cephadm/services/rgw/

Signed-off-by: Francesco Pantano <[email protected]>
@fultonj
Copy link
Contributor

fultonj commented Nov 7, 2025

Ah the charming little differences that keep life interesting....

"deprecated in ceph8 and in ceph9 doesn't work properly anymore. There's a new way of setting both cert and key when ssl is used and is fully documented in [1]."

https://docs.ceph.com/en/latest/cephadm/services/rgw/

fultonj
fultonj approved these changes Nov 7, 2025
View reviewed changes
Copy link
Contributor

@fultonj fultonj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve
/lgtm

@openshift-ci openshift-ci bot added the lgtm label Nov 7, 2025
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Nov 7, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: fultonj

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@fmount
Copy link
Contributor Author

fmount commented Nov 13, 2025

/retest

tosky
tosky approved these changes Nov 13, 2025
View reviewed changes
Copy link
Contributor

@tosky tosky left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The change makes sense and the default behavior is unchanged.

katarimanojk
katarimanojk approved these changes Nov 13, 2025
View reviewed changes
Copy link
Contributor

@katarimanojk katarimanojk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

evallesp
evallesp reviewed Nov 13, 2025
View reviewed changes
@evallesp evallesp enabled auto-merge (rebase) November 13, 2025 15:25
@evallesp evallesp merged commit 3123b52 into openstack-k8s-operators:main Nov 13, 2025
7 checks passed
@fmount
Copy link
Contributor Author

fmount commented Nov 17, 2025

/cherry-pick 18.0-fr4

@openshift-cherrypick-robot
Copy link

openshift-cherrypick-robot commented Nov 17, 2025

@fmount: cannot checkout 18.0-fr4: error checking out "18.0-fr4": exit status 1 error: pathspec '18.0-fr4' did not match any file(s) known to git

Details

In response to this:

/cherry-pick 18.0-fr4

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@evallesp evallesp evallesp approved these changes

@fultonj fultonj fultonj approved these changes

@danpawlik danpawlik danpawlik approved these changes

@tosky tosky tosky approved these changes

@katarimanojk katarimanojk katarimanojk approved these changes

Assignees

@fultonj fultonj

@katarimanojk katarimanojk

Labels

lgtm Ready For Review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@fmount @danpawlik @katarimanojk @fultonj @openshift-cherrypick-robot @tosky @evallesp