docs: update about ports and ssl cert for virtualhost feature #14135
Conversation
| @@ -159,6 +159,9 @@ The hosting settings allow you to host buckets in the object store on a custom D | |||
|
|
|||
| * `dnsNames`: a list of DNS names to host buckets on. These names need to valid according RFC-1123. Otherwise it will fail. Each endpoint requires wildcard support like [ingress loadbalancer](https://kubernetes.io/docs/concepts/services-networking/ingress/#hostname-wildcards). Do not include the wildcard itself in the list of hostnames (e.g., use "mystore.example.com" instead of "*.mystore.example.com"). Add all the hostnames like openshift routes otherwise access will be denied, but if the hostname does not support wild card then virtual host style won't work those hostname. By default cephobjectstore service endpoint and custom endpoints from cephobjectzone is included. The feature is supported only for Ceph v18 and later versions. | |||
|
|
|||
| !!! Note | |||
| The user need to confirm the port exposed by wildcard supported endpoint should be same that of rgw kubernetes service. Most provides like ingress loadbalancer or openshift routes does the same. If the SSL enabled for `CephObjectStore` then the `dnsNames` should include the endpoints which exposes the secure port and user need to update the SSL certs used by the RGW contains that domain. | |||
There was a problem hiding this comment.
Could you rephrase the paragraph? I don't understand it.
There was a problem hiding this comment.
I want to cover following:
The port-defined domains in dnsNames accessing rgw should be same as cephobjectstore.Spec. By default ingress loadbalancer or openshift routes uses same port as the service which they are exposing
If secureport is defined in cephobjectstoreSpec, then dnsNames contain domains which uses the secure port. And this domain need approved by the SSL certs which RGW is using
There was a problem hiding this comment.
What is a "port-defined domain"? I thought the port was independent from the dns name.
I understand better now what you are saying. Can you update the doc paragraph now instead of just the comment?
Sorry, I meant port defined for domain. For example if create an openshift route for rgw service, I will specify which port the openshift route need to listen to in the service let it be 80. Even though I can access the rgw server via route endpoint direclty without any port http://route will work also the http://route:80 is valid but htttp://route:81(some other values than 80) will fail as the connection refused. Same with ingress loadbalancer.
If TLS port is defined for cephobjectstore then Rook always tries to communicate with RGW using the secure path. Now consider two routes one normal route listens to port 80 and there another routesecure listens to 443 of rgw service. In the DNS names both routes need to include. But Rook always pick secure port then valid DNS name for internal communication will be https://routesecure:443 . With current changes, there is chance that it can be https://route:443 which will fail. Secondly this domain routesecure needs to be verified by the rgw service. Or the user can set insecureSkipVerify in the TLS cert for RGW server
There was a problem hiding this comment.
Perhaps a few separate notes would help clarify things better for users. I also don't think we need a note callout. This information seems critical enough that it should be in the main explanation for the feature. I like bulleted lists when doing technical writing for keeping information concise and readable, like
Important considerations:
- ports configured in the ingress path for an endpoint must match the
portorsecurePortspecified in the CephObjectStore spec - if the CephObjectStore specifies both
portandsecurePortthe endpoint must use thesecurePort - etc. etc.
thotz
force-pushed
the
doc-update-port-virtualhost
branch
from
6f4893f
to
bb9e9e6
Compare
thotz
force-pushed
the
doc-update-port-virtualhost
branch
from
2580f30
to
272d525
Compare
| @@ -158,6 +158,10 @@ The [zone](../../Storage-Configuration/Object-Storage-RGW/ceph-object-multisite. | |||
| The hosting settings allow you to host buckets in the object store on a custom DNS name, enabling virtual-hosted-style access to buckets similar to AWS S3 (https://docs.aws.amazon.com/AmazonS3/latest/userguide/VirtualHosting.html). | |||
|
|
|||
| * `dnsNames`: a list of DNS names to host buckets on. These names need to valid according RFC-1123. Otherwise it will fail. Each endpoint requires wildcard support like [ingress loadbalancer](https://kubernetes.io/docs/concepts/services-networking/ingress/#hostname-wildcards). Do not include the wildcard itself in the list of hostnames (e.g., use "mystore.example.com" instead of "*.mystore.example.com"). Add all the hostnames like openshift routes otherwise access will be denied, but if the hostname does not support wild card then virtual host style won't work those hostname. By default cephobjectstore service endpoint and custom endpoints from cephobjectzone is included. The feature is supported only for Ceph v18 and later versions. | |||
| Please consider below points while setting this option: | |||
| * Domains added to `dnsNames` should listen to the same port as the RGW Kubernetes service. | |||
There was a problem hiding this comment.
I'm starting to get confused. What is "the RGW Kubernetes service" in this sentence?
If you are referring to the service that Rook creates automatically for RGWs, then we should instead refer to this from the user-facing view, which is the CephObjectStore spec and instead say that domains should listen on the same port configured in the CephObjectStore gateway spec.
| Please consider below points while setting this option: | ||
| * Domains added to `dnsNames` should listen to the same port as the RGW Kubernetes service. | ||
| * If the RGW Kubernetes service listens to both `secure` and `non-secure` ports, include domains which use a secure port. | ||
| * If TLS is enabled with RGW, either include domains in `dnsNames` to the certificate or set `insecureSkipVerify` to true in the kubernetes secret containing TLS cert. |
There was a problem hiding this comment.
I'm confused about the wording here. Could you attempt to use more clear wording?
| @@ -158,6 +158,10 @@ The [zone](../../Storage-Configuration/Object-Storage-RGW/ceph-object-multisite. | |||
| The hosting settings allow you to host buckets in the object store on a custom DNS name, enabling virtual-hosted-style access to buckets similar to AWS S3 (https://docs.aws.amazon.com/AmazonS3/latest/userguide/VirtualHosting.html). | |||
|
|
|||
| * `dnsNames`: a list of DNS names to host buckets on. These names need to valid according RFC-1123. Otherwise it will fail. Each endpoint requires wildcard support like [ingress loadbalancer](https://kubernetes.io/docs/concepts/services-networking/ingress/#hostname-wildcards). Do not include the wildcard itself in the list of hostnames (e.g., use "mystore.example.com" instead of "*.mystore.example.com"). Add all the hostnames like openshift routes otherwise access will be denied, but if the hostname does not support wild card then virtual host style won't work those hostname. By default cephobjectstore service endpoint and custom endpoints from cephobjectzone is included. The feature is supported only for Ceph v18 and later versions. | |||
| Please consider below points while setting this option: | |||
| * Domains added to `dnsNames` should listen to the same port as the RGW Kubernetes service. | |||
| * If the RGW Kubernetes service listens to both `secure` and `non-secure` ports, include domains which use a secure port. | |||
There was a problem hiding this comment.
Again, I am confused about "RGW Kubernetes service."
When users read text that is in a code block like this they will naturally interpret those to be field names related to configuration. That isn't the case here. Please reword to specifically reference port and securePort for user benefit.
Also, I think the phrase "include domains which use a secure port" might not be clear enough instruction for users. I think it would be more clear to state "domains input into dnsNames must only specify secure port." This will help users know that they shouldn't put insecure domain addresses in the list, which is what we are trying to clarify. We could even plainly say, "do not put domains which only listen on the insecure port into the dnsNames list."
thotz
force-pushed
the
doc-update-port-virtualhost
branch
from
272d525
to
75c764e
Compare
The users need to careful about port and ssl certs while consuming virtual host feature for rgw. Fixes: rook#14087 Signed-off-by: Jiffin Tony Thottan <[email protected]>
thotz
force-pushed
the
doc-update-port-virtualhost
branch
from
75c764e
to
0000977
Compare
| Please consider below points while setting this option: | ||
| * Domains added to `dnsNames` should listen to the same port mentioned in `CephObjectStoreSpec`. | ||
| * If the user specified both `port` and `securePort` in the `CephObjectStoreSpec`, then domains input into `dnsNames` must only specify `securePort`. | ||
| * If TLS is enabled with RGW, either TLS certificate include to verify the domains in `dnsNames` or user need to set `insecureSkipVerify` to true in the kubernetes secret. |
There was a problem hiding this comment.
This doesn't read clearly in multiple places, and I'm having trouble figuring out what users need to do.
Is this what is intended?
"If TLS is enabled, the TLS certificate must include the domains in dnsNames, or insecureSkipVerify must be set on the CephObjectStore."
| Please consider below points while setting this option: | ||
| * Domains added to `dnsNames` should listen to the same port mentioned in `CephObjectStoreSpec`. | ||
| * If the user specified both `port` and `securePort` in the `CephObjectStoreSpec`, then domains input into `dnsNames` must only specify `securePort`. | ||
| * If TLS is enabled with RGW, either TLS certificate include to verify the domains in `dnsNames` or user need to set `insecureSkipVerify` to true in the kubernetes secret. |
There was a problem hiding this comment.
I can't tell if this section is intended to be part of the paragraph that begins with the bullet * dnsNames above, or if it is intended to be a separate paragraph.
As it is, the text "Please consider..." immediately follows the dnsNames bullet, which implies it should be the same content, but it also is indented on the left, which implies it should be a separate paragraph.
The 3 bullets are indented, which implies there is intent to have this be part of the dnsNames bullet.
IMO, this section is short enough that this will be easier to read for users if it is a separate paragraph. To format it as such, please add an empty line above "Please consider..." and un-indent the 3 bullets.
The users need to careful about port and ssl certs while consuming virtual host feature for rgw.
Fixes: #14087
Checklist: