Feature #65470
Beast lacks ssl_short_trust option to reload ssl certificate without restart
Description
Previously civetweb rgw had an option (ssl_short_trust) to automatically reload certs, for instance when they are short-lived and rotated frequently:
https://github.com/civetweb/civetweb/blob/master/docs/UserManual.md#ssl_short_trust-no
When SSL was added to Beast this option was overlooked: https://tracker.ceph.com/issues/22832
This regression(?) is mentioned in the discussion here:
https://github.com/ceph/ceph/pull/20464#issuecomment-464867120
We are testing SSL with RGW using Rook in Kubernetes, and everything seems to work fine other than the certificate expiry, since it is being renewed by Cert-Manager fairly often. The certificate file on disk is updated, radosgw just needs a way to re-read it.
Restarting the rgw is an option but seems a bit heavy-handed and would require some more integration with Kubernetes to gracefully roll the deployment (and/or managed by Rook Operator).
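A defender-side check for the condition this report describes, as an added example (not code from Ceph, civetweb or the reporter): it compares the leaf certificate a TLS listener presents with the first certificate in the rotated file on disk, so a process that has not re-read the file shows up as stale. The host, port and path in the comment are hypothetical, and the sample "certificates" are constructed placeholder bytes, not real X.509.

```python
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def leaf_fingerprint(pem_text):
    """SHA-256 (hex) of the first certificate block in PEM text.

    Assumes the chain file holds the leaf first and intermediates after
    it; only the leaf is comparable with what the listener presents.
    """
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no certificate block found")
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(match.group(0))).hexdigest()


def served_pem(host, port, timeout=5.0):
    """Leaf certificate the listener presents right now (timeout needs Python 3.10+)."""
    return ssl.get_server_certificate((host, port), timeout=timeout)


def is_stale(served, on_disk):
    """True when the listener still presents a leaf the file no longer contains."""
    return leaf_fingerprint(served) != leaf_fingerprint(on_disk)


# Constructed placeholder bytes wrapped as PEM; not real X.509 certificates.
OLD_LEAF = ssl.DER_cert_to_PEM_cert(b"constructed-old-leaf")
NEW_LEAF = ssl.DER_cert_to_PEM_cert(b"constructed-new-leaf")
INTERMEDIATE = ssl.DER_cert_to_PEM_cert(b"constructed-intermediate")

if __name__ == "__main__":
    rotated_file = NEW_LEAF + INTERMEDIATE  # file contents after renewal
    print("before reload:", is_stale(OLD_LEAF, rotated_file))
    print("after reload: ", is_stale(NEW_LEAF, rotated_file))
    # Against a live endpoint (hypothetical host, port and path):
    #   is_stale(served_pem("rgw.example.internal", 443),
    #            open("/path/to/tls.crt").read())
```

Run on a schedule, a stale result that persists after a renewal indicates the listener is still holding the old certificate in memory.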
Updated by Casey Bodley 5 months ago
- Status changed from New to Fix Under Review
- Pull request ID set to 65842
Updated by Upkeep Bot 5 months ago
- Status changed from Fix Under Review to Resolved
- Merge Commit set to a4df7f9e61e3e93fef603649c44b0d6182d5dd8b
- Fixed In set to v20.3.0-3819-ga4df7f9e61
- Upkeep Timestamp set to 2025-10-30T12:56:55+00:00
Updated by Casey Bodley 5 months ago
- Status changed from Resolved to Pending Backport
- Assignee set to Casey Bodley
- Backport set to squid tentacle
Updated by Upkeep Bot 5 months ago
- Copied to Backport #73703: tentacle: Beast lacks ssl_short_trust option to reload ssl certificate without restart added
Updated by Upkeep Bot 5 months ago
- Copied to Backport #73704: squid: Beast lacks ssl_short_trust option to reload ssl certificate without restart added
Updated by Casey Bodley 5 months ago
backports should also include:
https://github.com/ceph/ceph/pull/66107
https://github.com/ceph/ceph/pull/66112