From: Adam King Date: Sat, 3 Jun 2023 19:42:19 +0000 (-0400) Subject: doc/cephadm: document setting up CA signed keys in running cluster X-Git-Tag: v17.2.8~489^2~2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=1f5c95dd600dcecfe5185f89aca039e45152215c;p=ceph.git doc/cephadm: document setting up CA signed keys in running cluster Signed-off-by: Adam King (cherry picked from commit 2c837ea9cff44d6199ef68c03307e7ff3104adcf) --- diff --git a/doc/cephadm/host-management.rst b/doc/cephadm/host-management.rst index 779c8090276..59d0f6d1767 100644 --- a/doc/cephadm/host-management.rst +++ b/doc/cephadm/host-management.rst @@ -502,7 +502,23 @@ There are two ways to customize this configuration for your environment: manually distributed to the mgr data directory (``/var/lib/ceph//mgr.`` on the host, visible at ``/var/lib/ceph/mgr/ceph-`` from inside the container). - + +Setting up CA signed keys for the cluster +----------------------------------------- + +Cephadm also supports using CA signed keys for SSH authentication +across cluster nodes. In this setup, instead of needing a private +key and public key, we instead need a private key and certificate +created by signing that private key with a CA key. For more info +on setting up nodes for authentication using a CA signed key, see +:ref:`cephadm-bootstrap-ca-signed-keys`. Once you have your private +key and signed cert, they can be set up for cephadm to use by running: + +.. prompt:: bash # + + ceph config-key set mgr/cephadm/ssh_identity_key -i + ceph config-key set mgr/cephadm/ssh_identity_cert -i + .. _cephadm-fqdn: Fully qualified domain names vs bare host names
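Review bot: In the new "Setting up CA signed keys for the cluster" paragraph, "certificate created by signing that private key with a CA key" describes the signing step incorrectly. An SSH CA signs the public key that corresponds to the private key, and the private key itself is never given to the CA. Suggest wording such as "a private key and a certificate created by signing the corresponding public key with a CA key", which also lets the sentence drop the doubled "instead" ("instead of needing ... we instead need"). Since ``mgr/cephadm/ssh_identity_key`` holds private key material, a sentence reminding the reader to keep the input file readable only by the administrator running the command, and to remove any temporary copy afterwards, would fit after the prompt block.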