Hi Readers,
This is a step-by-step guide on how a Juju operator can integrate the ceph-radosgw application with Vault to gain TLS capabilities. Although the Vault charm can also be used with a third-party CA certificate, for the sake of simplicity we will use a self-signed CA certificate.
Pre-Requisites:
A ready charmed Ceph environment comprising the Ceph-Mon, Ceph-OSD and Ceph-RadosGW applications.
Unit Workload Agent Machine Public address Ports Message
ceph-mon/0 active idle 0 10.5.3.114 Unit is ready and clustered
ceph-mon/1 active idle 1 10.5.2.221 Unit is ready and clustered
ceph-mon/2* active idle 2 10.5.2.243 Unit is ready and clustered
ceph-osd/0 active idle 3 10.5.3.124 Unit is ready (1 OSD)
ceph-osd/1* active idle 4 10.5.2.120 Unit is ready (1 OSD)
ceph-osd/2 active idle 5 10.5.1.194 Unit is ready (1 OSD)
ceph-radosgw/0* active idle 6 10.5.3.173 80/tcp Unit is ready
Procedure:
Step 1. Deploy Vault
$ juju deploy vault
Located charm "vault" in charm-hub, revision 209
Deploying "vault" from charm-hub charm "vault", revision 209 in channel 1.8/stable on jammy
...
Unit Workload Agent Machine Public address Ports Message
ceph-mon/0 active idle 0 10.5.3.114 Unit is ready and clustered
ceph-mon/1 active idle 1 10.5.2.221 Unit is ready and clustered
ceph-mon/2* active idle 2 10.5.2.243 Unit is ready and clustered
ceph-osd/0 active idle 3 10.5.3.124 Unit is ready (1 OSD)
ceph-osd/1* active idle 4 10.5.2.120 Unit is ready (1 OSD)
ceph-osd/2 active idle 5 10.5.1.194 Unit is ready (1 OSD)
ceph-radosgw/0* active idle 6 10.5.3.173 80/tcp Unit is ready
vault/0* blocked idle 9 10.5.0.11 8200/tcp Vault needs to be initialized
Take note of the Vault unit's public address (10.5.0.11); it will be needed in the next step.
Step 2. Initialise Vault
Install the Vault client:
$ sudo snap install vault
Point the Vault client at the Vault unit:
$ export VAULT_ADDR="http://10.5.0.11:8200"
Initialise Vault:
$ vault operator init -key-shares=5 -key-threshold=3
Unseal Key 1: CIpDB3JEI8W/HnJMcyzuZ3CYb+Y8NFmaveDOk9c9Pu34
Unseal Key 2: z0rEUUuxLwLvg9Yc0Nj3ELB/5XbMeYebxYF8lmCr/D9R
Unseal Key 3: jLJqHh5ibVEZr92yi8nb9+Bm8uJtYxUZxrAqGRZy8bIM
Unseal Key 4: CVL/6Hmh/nlC/Pcdi1/b1oWNrkDec+LOafnkG/fs0/pA
Unseal Key 5: PV2JDeySsKcO/xdLw2qohCEtq1vU071NBhttOv5YOS33
Initial Root Token: s.BgMadE9XuVpnF2oJAitR5OON
Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.
Vault does not store the generated root key. Without at least 3 keys to
reconstruct the root key, Vault will remain permanently sealed!
It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
Take note of the Initial Root Token (s.BgMadE9XuVpnF2oJAitR5OON); it will be needed later.
Step 3. Unseal Vault (using unseal keys from previous step’s output):
$ vault operator unseal CIpDB3JEI8W/HnJMcyzuZ3CYb+Y8NFmaveDOk9c9Pu34
$ vault operator unseal z0rEUUuxLwLvg9Yc0Nj3ELB/5XbMeYebxYF8lmCr/D9R
$ vault operator unseal jLJqHh5ibVEZr92yi8nb9+Bm8uJtYxUZxrAqGRZy8bIM
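The 5-share / 3-threshold split chosen in Step 2 is Shamir's secret sharing: the unseal key is the constant term of a random degree-2 polynomial, each key share is one point on it, and any 3 points recover the constant while 2 reveal nothing. The following is an added illustration, not Vault's own code (Vault applies the scheme byte-wise over GF(2^8)); it uses a prime field, and PRIME, the function names and the sample secret are assumptions for the example.

```python
"""Illustration of the 5-of-5 / 3-threshold split behind `vault operator init`.
Added example, not Vault's implementation: a prime field is used for clarity."""
import secrets

# Field modulus (2**127 - 1, a Mersenne prime). Chosen for this example only.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x (Horner's rule) mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, shares=5, threshold=3):
    """Split an integer secret into `shares` points; any `threshold` of them rebuild it."""
    if not 0 < threshold <= shares:
        raise ValueError("threshold must be between 1 and shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must fit in the field")
    # Constant term is the secret; the remaining threshold-1 coefficients are random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(points):
    """Lagrange-interpolate the polynomial at x = 0 from the supplied (x, y) shares."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def demo(secret=0x5EC12E7):
    """Return (recovered with 3 shares?, recovered with 2 shares?) for the 5/3 split."""
    points = split_secret(secret, shares=5, threshold=3)
    with_three = recover_secret(points[:3]) == secret
    with_two = recover_secret(points[:2]) == secret
    return with_three, with_two
```

This is why the three `vault operator unseal` calls above suffice and why fewer than three key holders cannot reconstruct the unseal key.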
Step 4. Create token to authorize Vault charm (using Initial Root Token):
$ export VAULT_TOKEN=s.BgMadE9XuVpnF2oJAitR5OON
$ vault token create -ttl=10m
Key Value
--- -----
token s.XM8eDYsy9ZSxoyinDFPq18J8
token_accessor 6x9T5ajMPRLX5CgN3SvLwr8X
token_duration 10m
token_renewable true
token_policies ["root"]
identity_policies []
policies ["root"]
Step 5. Authorize Vault charm:
$ juju run vault/leader authorize-charm token=s.XM8eDYsy9ZSxoyinDFPq18J8 --wait=2m
...
Unit Workload Agent Machine Public address Ports Message
ceph-mon/0 active idle 0 10.5.3.114 Unit is ready and clustered
ceph-mon/1 active idle 1 10.5.2.221 Unit is ready and clustered
ceph-mon/2* active idle 2 10.5.2.243 Unit is ready and clustered
ceph-osd/0 active idle 3 10.5.3.124 Unit is ready (1 OSD)
ceph-osd/1* active idle 4 10.5.2.120 Unit is ready (1 OSD)
ceph-osd/2 active idle 5 10.5.1.194 Unit is ready (1 OSD)
ceph-radosgw/0* active idle 6 10.5.3.173 80/tcp Unit is ready
vault/0* active idle 9 10.5.0.11 8200/tcp Unit is ready (active: true, mlock: enabled)
Step 6. Generate Root CA:
$ juju run vault/leader generate-root-ca --wait=2m
unit-vault-0:
UnitId: vault/0
id: "6"
results:
Stdout: |
none
active
active
active
none
output: |-
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
status: completed
timing:
completed: 2024-02-05 10:51:24 +0000 UTC
enqueued: 2024-02-05 10:51:18 +0000 UTC
started: 2024-02-05 10:51:18 +0000 UTC
Step 7. Relate the RGW charm to the Vault charm:
$ juju integrate ceph-radosgw:certificates vault:certificates
That should be it!