From: Adam King Date: Sat, 3 Jun 2023 19:42:19 +0000 (-0400) Subject: doc/cephadm: document setting up CA signed keys in running cluster X-Git-Tag: v19.0.0~675^2~2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=2c837ea9cff44d6199ef68c03307e7ff3104adcf;p=ceph-ci.git doc/cephadm: document setting up CA signed keys in running cluster Signed-off-by: Adam King --- diff --git a/doc/cephadm/host-management.rst b/doc/cephadm/host-management.rst index 3f12ec1ce6b..6a2aa3b52a1 100644 --- a/doc/cephadm/host-management.rst +++ b/doc/cephadm/host-management.rst @@ -505,7 +505,23 @@ There are two ways to customize this configuration for your environment: manually distributed to the mgr data directory (``/var/lib/ceph//mgr.`` on the host, visible at ``/var/lib/ceph/mgr/ceph-`` from inside the container). - + +Setting up CA signed keys for the cluster +----------------------------------------- + +Cephadm also supports using CA signed keys for SSH authentication +across cluster nodes. In this setup, instead of needing a private +key and public key, we instead need a private key and certificate +created by signing that private key with a CA key. For more info +on setting up nodes for authentication using a CA signed key, see +:ref:`cephadm-bootstrap-ca-signed-keys`. Once you have your private +key and signed cert, they can be set up for cephadm to use by running: + +.. prompt:: bash # + + ceph config-key set mgr/cephadm/ssh_identity_key -i + ceph config-key set mgr/cephadm/ssh_identity_cert -i + .. _cephadm-fqdn: Fully qualified domain names vs bare host names
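Review bot: In the new "Setting up CA signed keys for the cluster" paragraph, the phrase "certificate created by signing that private key with a CA key" misdescribes how SSH certificates are produced. The CA key signs the public key that corresponds to the private key, and the private key itself is never given to the CA. Suggested wording: "a private key and a certificate created by signing the corresponding public key with a CA key". The same sentence has a doubled "instead" ("instead of needing ... we instead need"), so the second one can go. In the prompt block, both `ceph config-key set mgr/cephadm/ssh_identity_key -i` and `ceph config-key set mgr/cephadm/ssh_identity_cert -i` end at `-i` with no file argument as shown here. Each line needs a placeholder for the path to the private key file and the signed cert file respectively, so that readers do not paste an incomplete command.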