
Chapter 14. Using TLS certificates for applications accessing RGW


Most S3 applications require a TLS certificate in one of several forms: as an option in the Deployment configuration file, passed as a file in the request, or stored under /etc/pki paths.

TLS certificates for RADOS Object Gateway (RGW) are stored as a Kubernetes secret, and you need to fetch the details from that secret.

Prerequisites

A running OpenShift Data Foundation cluster.

Procedure

  • For internal RGW server

    • Get the TLS certificate and key from the Kubernetes secret:

      $ oc get secrets/<secret_name> -o jsonpath='{.data..tls\.crt}' | base64 -d

      $ oc get secrets/<secret_name> -o jsonpath='{.data..tls\.key}' | base64 -d

      <secret_name>
          The default Kubernetes secret name is <objectstore_name>-cos-ceph-rgw-tls-cert. Specify the name of the object store.

  • For external RGW server

    • Get the TLS certificate from the Kubernetes secret:

      $ oc get secrets/<secret_name> -o jsonpath='{.data.cert}' | base64 -d

      <secret_name>
          The default Kubernetes secret name is ceph-rgw-tls-cert, and it is an opaque type of secret. The key under which the TLS certificates are stored is cert.
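
The commands in this procedure print the decoded certificate and private key to the terminal. The following shell helper is an added example, not part of the original procedure: it writes a decoded field straight to a file with restrictive permissions and rejects empty or non-PEM output. The name save_secret_field is hypothetical, the sample input is constructed, and the check assumes the secret holds PEM data.

```shell
#!/usr/bin/env bash
# Added example: decode a base64 Secret field from stdin into a file without
# echoing it to the terminal, and refuse anything that is not PEM.
# save_secret_field is a hypothetical helper name, not an oc or ODF command.
set -u

save_secret_field() {
    # $1 = destination file, $2 = file mode (600 for keys, 644 for certificates)
    local dest="$1" mode="$2" tmp
    # Create the temp file beside the destination with owner-only access so
    # key material is never readable by other users, even briefly.
    tmp="$(umask 077 && mktemp "${dest}.XXXXXX")" || return 1
    if ! base64 -d > "$tmp" 2>/dev/null; then
        echo "error: input for $dest is not valid base64" >&2
        rm -f "$tmp"; return 1
    fi
    # A wrong secret name or key makes jsonpath print nothing: reject empty output.
    if [ ! -s "$tmp" ]; then
        echo "error: empty value for $dest" >&2
        rm -f "$tmp"; return 1
    fi
    # Assumption: the field holds PEM, so BEGIN and END markers must be present.
    if ! grep -q '^-----BEGIN [A-Z ]*-----' "$tmp" ||
       ! grep -q '^-----END [A-Z ]*-----' "$tmp"; then
        echo "error: $dest does not contain PEM data" >&2
        rm -f "$tmp"; return 1
    fi
    chmod "$mode" "$tmp" && mv -f "$tmp" "$dest"
}

# Intended use with the commands above (needs a cluster):
#   oc get secrets/<secret_name> -o jsonpath='{.data..tls\.key}' | save_secret_field tls.key 600

# Offline demo with CONSTRUCTED input (a fake PEM body, not a real certificate).
demo_dir="$(mktemp -d)"
printf -- '-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n' \
    | base64 | save_secret_field "$demo_dir/tls.crt" 644 && echo "wrote $demo_dir/tls.crt"
printf '' | save_secret_field "$demo_dir/tls.key" 600 || echo "empty field rejected"
```

The helper receives the base64 text, so the trailing `| base64 -d` from the original commands is dropped when piping into it.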

Accessing External RGW server using Object Bucket Claims

The S3 credentials, such as the access key and secret key, are stored in the secret generated when the Object Bucket Claim (OBC) is created. You can fetch them by using the following commands:

# oc get secret <object bucket claim name> -o jsonpath='{.data.AWS_SECRET_ACCESS_KEY}' | base64 --decode
# oc get secret <object bucket claim name> -o jsonpath='{.data.AWS_ACCESS_KEY_ID}' | base64 --decode

Similarly, you can fetch the endpoint details from the ConfigMap of the OBC:

# oc get cm <object bucket claim name> -o jsonpath='{.data.BUCKET_HOST}'
# oc get cm <object bucket claim name> -o jsonpath='{.data.BUCKET_PORT}'
# oc get cm <object bucket claim name> -o jsonpath='{.data.BUCKET_NAME}'

Accessing External RGW server using the Ceph Object Store User CR

You can fetch the S3 Credentials and endpoint details from the secret generated as part of the Ceph Object Store User CR:

# oc get secret rook-ceph-object-user-<object-store-cr-name>-<object-user-cr-name> -o jsonpath='{.data.AccessKey}' | base64 --decode
# oc get secret rook-ceph-object-user-<object-store-cr-name>-<object-user-cr-name> -o jsonpath='{.data.SecretKey}' | base64 --decode
# oc get secret rook-ceph-object-user-<object-store-cr-name>-<object-user-cr-name> -o jsonpath='{.data.Endpoint}' | base64 --decode

Important

For both access mechanisms, you can either request new certificates from the administrator or reuse the certificates from the Kubernetes secret, ceph-rgw-tls-cert.
