From e2733b141cf587656e5957c20a7559aef1daee29 Mon Sep 17 00:00:00 2001 From: Anuradha Gadge Date: Tue, 18 Feb 2025 14:39:31 +0530 Subject: [PATCH] doc/mgr: Add root CA cert instructions to rgw.rst Add documentation for adding fs_id in root_ca_cert upgrade path Fixes: https://tracker.ceph.com/issues/70014 Signed-off-by: Anuradha Gadge (cherry picked from commit 76106dd9890fdbd9440a5f7de85e9d5de6d0a2b4) doc/mgr: edit grammar and formatting of rgw.rst Improve the grammar and correct the formatting of the "Upgrading root ca certificates" procedure that was added to the documentation in https://github.com/ceph/ceph/pull/61867 Fixes: https://tracker.ceph.com/issues/70014 Signed-off-by: Zac Dover (cherry picked from commit 7d9298e3de74e91db116c79a7087f559464ae52d) --- doc/mgr/rgw.rst | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/doc/mgr/rgw.rst b/doc/mgr/rgw.rst index a3f53280a75f1..9f00c7da03f40 100644 --- a/doc/mgr/rgw.rst +++ b/doc/mgr/rgw.rst 
@@ -139,3 +139,43 @@ Join an existing realm by creating a new secondary zone (using the realm token) ceph rgw admin [*] RGW admin command + +Upgrading root ca certificates +------------------------------ + +#. Make sure that the RGW service is running. +#. Make sure that the RGW service is up. +#. Make sure that the RGW service has been upgraded to the latest release. +#. From the Primary cluster on the Manager node, run the following command: + + .. prompt:: bash # + + ceph orch cert-store get cert cephadm_root_ca_cert + +#. On the node where the RGW service is running, store the certificate on the + following path:: + + /etc/pki/ca-trust/source/anchors/.crt + +#. Verify the certificate by running the following command: + + .. prompt:: bash # + + openssl x509 -in .crt -noout -text + +#. Perform the above steps on the MGR node and on the RGW node of all secondary + clusters. + +#. After the certificates have been validated on all clusters, run the + following command on all clusters that generate certificates: + + .. prompt:: bash # + + update-ca-trust + +#. From the primary node, ensure that the ``curl`` command can be run by the + user: + + .. prompt:: bash [root@primary-node]# + + curl https://:443 -- 2.39.5
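Review bot: In the added "Upgrading root ca certificates" procedure, the certificate file name is empty in both `/etc/pki/ca-trust/source/anchors/.crt` and `openssl x509 -in .crt -noout -text`, and the host is empty in `curl https://:443`, so as the patch appears here the steps cannot be followed as written. The commit message says the change documents adding the fs_id to the root CA cert path, so write each placeholder out explicitly, in a form that survives rendering, and say what value goes there. The first two steps ("is running" and "is up") say the same thing and can be merged. The store step should state how the output of `ceph orch cert-store get cert cephadm_root_ca_cert` gets into the file. The verify step should name what to check in the `openssl x509` output, for example that the subject, validity dates and fingerprint match the certificate read from the Manager node, because `update-ca-trust` then makes that file a system-wide trust anchor. "All clusters that generate certificates" is ambiguous next to the earlier "all secondary clusters"; name the nodes the command must be run on. The final step should state the expected result (the TLS connection verifies without disabling certificate checks) rather than that `curl` "can be run by the user". The heading should capitalise "CA".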