Configuring RGW multi-site with HTTPS using cephadm

Configure HTTPS trust between Ceph Object Gateway (RGW) deployments in a multi-site environment by using cephadm-managed certificates.

In a multi-site deployment, each site uses cephadm-generated certificates. To enable secure communication between sites, you must copy each site's root Certificate Authority (CA) certificate to the other sites and trust these certificates.

Prerequisites

  • A running and healthy IBM Storage Ceph cluster.
  • RGW services are deployed on both primary and secondary sites by using cephadm with HTTPS enabled.
  • Access to both primary and secondary cluster nodes.

Procedure

  1. Retrieve the cephadm root CA certificate and store it on the primary site.
    ceph orch certmgr cert get cephadm_root_ca_cert > cephadm-root-ca.crt

    Example output:

    -----BEGIN CERTIFICATE-----
    MIIC...
    -----END CERTIFICATE-----
  2. From the primary site, copy the root CA certificate to the trusted CA directory on the secondary site.
    scp cephadm-root-ca.crt root@node-sec:/etc/pki/ca-trust/source/anchors/

    On the secondary site, verify that the certificate is present:

    ls -l /etc/pki/ca-trust/source/anchors/cephadm-root-ca.crt
  3. On the secondary site, update the trusted certificate store.
    update-ca-trust
  4. Verify connectivity from the secondary site to the primary RGW endpoint.

    Run an RGW admin command:

    radosgw-admin realm pull --rgw-realm RGW_REALM --url https://PRIMARY_RGW_ENDPOINT:PORT --access-key ACCESS_KEY --secret SECRET_KEY --default

    Example output:

    {
      "name": "RGW_REALM",
      "epoch": 2
    }

    From the secondary site, verify HTTPS access to the primary RGW endpoint:

    curl https://PRIMARY_RGW_ENDPOINT

    Example response:

    <ListAllMyBucketsResult>...</ListAllMyBucketsResult>
  5. Repeat these steps on the primary site by copying the secondary site's cephadm_root_ca_cert to /etc/pki/ca-trust/source/anchors/ and running update-ca-trust extract to complete the reverse CA exchange.

After completing these steps, RGW services in both sites trust each other's certificates, enabling secure multi-site replication and operations over HTTPS.
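To confirm that the exchange actually took effect, the following check script (added here; it is not part of the IBM Storage Ceph documentation or of cephadm) compares the anchor installed in /etc/pki/ca-trust/source/anchors/ against the peer's root CA by DER fingerprint, and then performs a TLS handshake with the peer RGW endpoint trusting only that root CA, so a wrong or stale anchor, or an RGW certificate that does not carry the endpoint name, is reported instead of silently passing through the system store. The file names and the PRIMARY_RGW_ENDPOINT placeholder are assumptions; the constructed_pem helper builds placeholder data for offline use only.

```python
"""Check the cross-site cephadm root CA trust using only the Python standard library."""
import base64
import hashlib
import socket
import ssl
import sys

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def pem_fingerprint(pem_text: str) -> str:
    """SHA-256 hex fingerprint of the first certificate in a PEM string.
    Raises ValueError when no PEM certificate block is present."""
    start = pem_text.index(PEM_BEGIN)
    end = pem_text.index(PEM_END, start) + len(PEM_END)
    der = ssl.PEM_cert_to_DER_cert(pem_text[start:end])
    return hashlib.sha256(der).hexdigest()


def anchors_match(installed_pem: str, expected_pem: str) -> bool:
    """True when the anchor installed on this node is the peer's root CA.
    Compared by DER fingerprint, so surrounding whitespace or text is ignored."""
    return pem_fingerprint(installed_pem) == pem_fingerprint(expected_pem)


def verify_endpoint(host: str, port: int, cafile: str, timeout: float = 5.0) -> dict:
    """TLS handshake with the peer RGW trusting ONLY the given root CA file.
    The system store is not consulted, so a wrong anchor fails here even if curl
    succeeds, and hostname checking stays on so a certificate without the endpoint
    name in its SANs is rejected (ssl.SSLCertVerificationError)."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED, check_hostname=True
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return {"subject": cert["subject"], "issuer": cert["issuer"], "notAfter": cert["notAfter"]}


def constructed_pem(payload: bytes) -> str:
    """Constructed placeholder, NOT a real certificate: wraps arbitrary bytes in
    PEM markers so the fingerprint comparison can be exercised offline."""
    return PEM_BEGIN + "\n" + base64.encodebytes(payload).decode("ascii") + PEM_END + "\n"


if __name__ == "__main__":
    # Usage (assumed paths): check_rgw_trust.py ANCHOR.crt PEER_ROOT_CA.crt PRIMARY_RGW_ENDPOINT [PORT]
    anchor, peer_ca, host = sys.argv[1:4]
    port = int(sys.argv[4]) if len(sys.argv) > 4 else 443
    with open(anchor) as a, open(peer_ca) as p:
        print("anchor matches peer root CA:", anchors_match(a.read(), p.read()))
    try:
        print("endpoint chain verified:", verify_endpoint(host, port, peer_ca))
    except ssl.SSLCertVerificationError as exc:
        sys.exit(f"TLS verification against cephadm root CA FAILED: {exc.verify_message}")
```

Run it on the secondary site with the anchor from step 2 and a fresh copy of the primary's cephadm_root_ca_cert, then on the primary site with the roles reversed; a mismatch or a handshake failure means one direction of the exchange is incomplete.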