This is an Ansible role for enabling LetsEncrypt-based TLS for the Ceph RADOS gateway. It accompanies a blog entry describing what we did.

This is an slightly edited version of the role we use at Sanger as part of our ceph-ansible based deployment; the version here has been developed with ceph-ansible version 3.0, but is probably more widely useful.

The hook script (infobloxhook.sh.j2), as its name suggests, expects to use an Infoblox device to update the DNS. If you have a different DNS solution, you’ll need to replace the deploy_challenge and clean_challenge handlers.

This is not intended to be a drop-in solution, but it should at least be a useful framework.

In common with ceph-ansible, this role expects you to have a rgws group defined, containing the hostnames of your rgws. You also need to define radosgw_dns_name which is the base hostname of your S3 service, and the secret radosgw_infoblox_cred which is the Infoblox credential to use; that needs to be able to create the relevant _acme-challenge TXT records. If using Infoblox, define infoblox_hostname as well.

If you want to use the cron_wrapper.sh script, you’ll need to set proxy_hostname; alternatively if you don’t need an HTTP proxy, then just remove the relevant stanza from the script and install it with copy rather than template.

The first member of the rgws group will be the host that talks to LetsEncrypt.

Other than the Infoblox-specific parts of the hook script, and the HTTP proxy issues noted above, you will also want to review the dehydrated_config file (at the very least, to set CONTACT_EMAIL).