Add SSL configuration for RGW

.github/workflows/tests.yml

@@ -167,6 +167,15 @@ jobs:
     - name: Exercise RGW
       run: ~/actionutils.sh testrgw
 
+    - name: Disable RGW
+      run: ~/actionutils.sh disable_rgw
+
+    - name: Enable RGW with SSL enabled
+      run: ~/actionutils.sh enable_rgw_ssl
+
+    - name: Exercise RGW with SSL enabled
+      run: ~/actionutils.sh testrgw_ssl
+
     - name: Test Cluster Config
       run: |
         set -eux

.gitignore

@@ -1,4 +1,5 @@
 *.snap
 _build
 *.swp
+.idea
 .vscode

docs/reference/commands/enable.rst

@@ -99,13 +99,16 @@ Usage:
 
 .. code-block:: none
 
-   microceph enable rgw [--port <port>] [--target <server>] [--wait <bool>] [flags]
+   microceph enable rgw [--port <port>] [--ssl-port <port>] [--ssl-certificate <certificate material>] [--ssl-private-key <private key material>] [--target <server>] [--wait <bool>] [flags]
 
 
 Flags:
 
 .. code-block:: none
 
-   --port int        Service port (default: 80) (default 80)
-   --target string   Server hostname (default: this server)
-   --wait            Wait for rgw service to be up. (default true)
+   --port int                Service non-SSL port (default: 80) (default 80)
+   --ssl-port int            Service SSL port (default: 443) (default 443)
+   --ssl-certificate string  base64 encoded SSL certificate
+   --ssl-private-key string  base64 encoded SSL private key
+   --target string           Server hostname (default: this server)
+   --wait                    Wait for rgw service to be up. (default true)

microceph/ceph/configwriter.go

@@ -87,7 +87,7 @@ auth allow insecure global id reclaim = false
 
 [client.radosgw.gateway]
 rgw init timeout = 1200
-rgw frontends = beast port={{.rgwPort}}
+rgw frontends = beast{{if or (ne .rgwPort 0) (not .sslCertificatePath) (not .sslPrivateKeyPath)}} port={{.rgwPort}}{{end}}{{if and .sslCertificatePath .sslPrivateKeyPath}} ssl_port={{.sslPort}} ssl_certificate={{.sslCertificatePath}} ssl_private_key={{.sslPrivateKeyPath}}{{end}}
 `)),
 		configFile: "radosgw.conf",
 		configDir:  configDir,

microceph/ceph/configwriter_test.go

@@ -45,11 +45,12 @@ func (s *configWriterSuite) TestWriteCephConfig() {
 }
 
 // Test ceph config writing
-func (s *configWriterSuite) TestWriteRadosGWConfig() {
+func (s *configWriterSuite) TestWriteRadosGWNonSSLConfig() {
 	config := newRadosGWConfig(s.Tmp)
 	err := config.WriteConfig(
 		map[string]any{
 			"monitors": "foohost",
+			"rgwPort":  80,
 		},
 		0644,
 	)
@@ -61,6 +62,100 @@ func (s *configWriterSuite) TestWriteRadosGWConfig() {
 	data, err := os.ReadFile(config.GetPath())
 	assert.Equal(s.T(), nil, err)
 	assert.Contains(s.T(), string(data), "foohost")
+	assert.Contains(s.T(), string(data), "rgw frontends = beast port=80\n")
+}
+
+// Test ceph config writing
+func (s *configWriterSuite) TestWriteRadosGWCompleteConfig() {
+	config := newRadosGWConfig(s.Tmp)
+	err := config.WriteConfig(
+		map[string]any{
+			"monitors":           "foohost",
+			"rgwPort":            80,
+			"sslPort":            443,
+			"sslCertificatePath": "/tmp/server.crt",
+			"sslPrivateKeyPath":  "/tmp/server.key",
+		},
+		0644,
+	)
+	assert.Equal(s.T(), nil, err)
+	// Check that the file exists
+	_, err = os.Stat(config.GetPath())
+	assert.Equal(s.T(), nil, err)
+	// Check contents of the file
+	data, err := os.ReadFile(config.GetPath())
+	assert.Equal(s.T(), nil, err)
+	assert.Contains(s.T(), string(data), "foohost")
+	assert.Contains(s.T(), string(data), "rgw frontends = beast port=80 ssl_port=443 ssl_certificate=/tmp/server.crt ssl_private_key=/tmp/server.key")
+}
+
+func (s *configWriterSuite) TestWriteRadosGWSSLOnlyConfig() {
+	config := newRadosGWConfig(s.Tmp)
+	err := config.WriteConfig(
+		map[string]any{
+			"monitors":           "foohost",
+			"rgwPort":            0,
+			"sslPort":            443,
+			"sslCertificatePath": "/tmp/server.crt",
+			"sslPrivateKeyPath":  "/tmp/server.key",
+		},
+		0644,
+	)
+	assert.Equal(s.T(), nil, err)
+	// Check that the file exists
+	_, err = os.Stat(config.GetPath())
+	assert.Equal(s.T(), nil, err)
+	// Check contents of the file
+	data, err := os.ReadFile(config.GetPath())
+	assert.Equal(s.T(), nil, err)
+	assert.Contains(s.T(), string(data), "foohost")
+	assert.Contains(s.T(), string(data), "rgw frontends = beast ssl_port=443 ssl_certificate=/tmp/server.crt ssl_private_key=/tmp/server.key")
+}
+
+func (s *configWriterSuite) TestWriteRadosGWWithMissingSSLCertificateConfig() {
+	config := newRadosGWConfig(s.Tmp)
+	err := config.WriteConfig(
+		map[string]any{
+			"monitors":           "foohost",
+			"rgwPort":            80,
+			"sslPort":            443,
+			"sslCertificatePath": "",
+			"sslPrivateKeyPath":  "/tmp/server.key",
+		},
+		0644,
+	)
+	assert.Equal(s.T(), nil, err)
+	// Check that the file exists
+	_, err = os.Stat(config.GetPath())
+	assert.Equal(s.T(), nil, err)
+	// Check contents of the file
+	data, err := os.ReadFile(config.GetPath())
+	assert.Equal(s.T(), nil, err)
+	assert.Contains(s.T(), string(data), "foohost")
+	assert.Contains(s.T(), string(data), "rgw frontends = beast port=80\n")
+}
+
+func (s *configWriterSuite) TestWriteRadosGWWithMissingSSLPrivateKeyConfig() {
+	config := newRadosGWConfig(s.Tmp)
+	err := config.WriteConfig(
+		map[string]any{
+			"monitors":           "foohost",
+			"rgwPort":            80,
+			"sslPort":            443,
+			"sslCertificatePath": "/tmp/server.crt",
+			"sslPrivateKeyPath":  "",
+		},
+		0644,
+	)
+	assert.Equal(s.T(), nil, err)
+	// Check that the file exists
+	_, err = os.Stat(config.GetPath())
+	assert.Equal(s.T(), nil, err)
+	// Check contents of the file
+	data, err := os.ReadFile(config.GetPath())
+	assert.Equal(s.T(), nil, err)
+	assert.Contains(s.T(), string(data), "foohost")
+	assert.Contains(s.T(), string(data), "rgw frontends = beast port=80\n")
 }
 
 // Test ceph keyring writing

microceph/ceph/rgw.go

@@ -3,25 +3,52 @@ package ceph
 import (
 	"context"
 	"database/sql"
+	"encoding/base64"
 	"fmt"
+	"github.com/canonical/microceph/microceph/constants"
+	"github.com/canonical/microceph/microceph/interfaces"
 	"os"
 	"path/filepath"
 	"strings"
 
-	"github.com/canonical/microceph/microceph/constants"
-	"github.com/canonical/microceph/microceph/interfaces"
-
 	"github.com/canonical/microceph/microceph/database"
 )
 
 // EnableRGW enables the RGW service on the cluster and adds initial configuration given a service port number.
-func EnableRGW(s interfaces.StateInterface, port int, monitors []string) error {
+func EnableRGW(s interfaces.StateInterface, port int, sslPort int, sslCertificate string, sslPrivateKey string, monitors []string) error {
 	pathConsts := constants.GetPathConst()
 
+	sslCertificatePath := ""
+	sslPrivateKeyPath := ""
+	if sslCertificate != "" && sslPrivateKey != "" {
+		sslCertificatePath = filepath.Join(pathConsts.SSLFilesPath, "server.crt")
+		decodedSSLCertificate, err := base64.StdEncoding.DecodeString(sslCertificate)
+		if err != nil {
+			return err
+		}
+		err = os.WriteFile(sslCertificatePath, decodedSSLCertificate, 0600)
+		if err != nil {
+			return err
+		}
+		sslPrivateKeyPath = filepath.Join(pathConsts.SSLFilesPath, "server.key")
+		decodedSSLPrivateKey, err := base64.StdEncoding.DecodeString(sslPrivateKey)
+		if err != nil {
+			return err
+		}
+		err = os.WriteFile(sslPrivateKeyPath, decodedSSLPrivateKey, 0600)
+		if err != nil {
+			return err
+		}
+	} else if sslCertificate == "" || sslPrivateKey == "" {
+		port = 80
+	}
 	configs := map[string]any{
-		"runDir":   pathConsts.RunPath,
-		"monitors": strings.Join(monitors, ","),
-		"rgwPort":  port,
+		"runDir":             pathConsts.RunPath,
+		"monitors":           strings.Join(monitors, ","),
+		"rgwPort":            port,
+		"sslPort":            sslPort,
+		"sslCertificatePath": sslCertificatePath,
+		"sslPrivateKeyPath":  sslPrivateKeyPath,
 	}
 
 	// Create RGW configuration.
@@ -73,6 +100,16 @@ func DisableRGW(s interfaces.StateInterface) error {
 		return fmt.Errorf("failed to remove RGW keyring: %w", err)
 	}
 
+	// Remove the SSL files.
+	err = os.Remove(filepath.Join(pathConsts.SSLFilesPath, "server.crt"))
+	if err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("failed to remove RGW SSL Certificate file: %w", err)
+	}
+	err = os.Remove(filepath.Join(pathConsts.SSLFilesPath, "server.key"))
+	if err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("failed to remove RGW SSL Private Key file: %w", err)
+	}
+
 	// Remove the configuration.
 	err = os.Remove(filepath.Join(pathConsts.ConfPath, "radosgw.conf"))
 	if err != nil {

microceph/ceph/rgw_test.go

@@ -19,6 +19,9 @@ type rgwSuite struct {
 	TestStateInterface *mocks.StateInterface
 }
 
+const validSSLCertificate = `LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURuakNDQW9hZ0F3SUJBZ0lVR0czNU9mWkcrRFdFQytrc2FHalJyTmlXZncwd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1hERUxNQWtHQTFVRUJoTUNWVk14RHpBTkJnTlZCQWdNQmtSbGJtbGhiREVVTUJJR0ExVUVCd3dMVTNCeQphVzVuWm1sbGJHUXhEREFLQmdOVkJBb01BMFJwY3pFWU1CWUdBMVVFQXd3UGQzZDNMbVY0WVcxd2JHVXVZMjl0Ck1CNFhEVEkwTURneE5qRTROREUxT0ZvWERUSTFNRGd4TmpFNE5ERTFPRm93WERFTE1Ba0dBMVVFQmhNQ1ZWTXgKRHpBTkJnTlZCQWdNQmtSbGJtbGhiREVVTUJJR0ExVUVCd3dMVTNCeWFXNW5abWxsYkdReEREQUtCZ05WQkFvTQpBMFJwY3pFWU1CWUdBMVVFQXd3UGQzZDNMbVY0WVcxd2JHVXVZMjl0TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGCkFBT0NBUThBTUlJQkNnS0NBUUVBdFl5ZGRhb0l4T3hQWmtVMEN1dXE0aEd3Q2JlZXBUM3lBQ0JOS1J6MjB5alQKZ2xSWTFTSTlXSjl4K2t1a3dMTGNiVEIrSkNka2NWTEZuNThtVDRmUW5IMHdmWCtIby9BTUNHNkxITnZnOXovVAorTlV4dTgydGZsVko3RFRUdmVuYzlqVU9qNFZqUExaV2tiemNIOC91Sm1DNkd1ZzAvcksvN2wraG9xNUd6VXhzCmJQeGlOV0QvNW5kaklKa1VidEtpTllnQlRwcnRzZFlCWHoyeTFxS1AxcGZLQ3VIUWVldTNLTWErS0dUU2NUSjYKU251Y0pxZmIvTWdUMWozV3Zpcm1QaUQ3bEwzY3ZmaEtmTEgvYTdsaFhIeDRic21TekZ2UkRYTCt1YmNhak5seQpGUm5WdG9hUHhmMUY4RStFbXh4cXNESlc2bHZKVHJMeW84TjVNbWtoOFFJREFRQUJvMWd3VmpBVUJnTlZIUkVFCkRUQUxnZ2xzYjJOaGJHaHZjM1F3SFFZRFZSME9CQllFRkhIMFoxdWVmSHB1Wll1QTRzRFBlWTd4U2R6b01COEcKQTFVZEl3UVlNQmFBRlBRc1Q0SkU3dUl1ay96T2VvVlZpQVZYeDBoUk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQgpBUUNucHVFM2hzVHAwckZCU1hWRnV6VzExZjE2bXlML3pyZkJDWnRxQyt6UFZINGlyUUlrRFg2TDdPekY2K00vCml6OFJtQlZXSVpzWTlzczM5SmRlcEsvOVhuMEo5RUdDS2hhdmpldS8yUnpvalFaeXRQWU5DdldtMlhTQ0VHY2wKSDhDcGNQVC9JdnlCNU8yRVl0RUJNcnRrUVNKNjVFWlQyZHRiVFYySUdJN3ZDdjJIUnY0Y2twRXBFTWlLWnNPYgpBcWovbGNLeWFZODVwakFBWWVtVlprZ2dRZTJUM0tzSDFYRVJrNnhFRHF2TUdHbjEvOTNHY1J1enVTVTZaYXVPCmVzVDVISUl2UGZReWlwZG4rOWlKVjluc3hyNGVCa1JPVWFvV2s1NVVENE5tcEtiaHJ3MzZ3RzN4RzJ2RlIxeWUKSVFPNmhKMk5yckFnc2JwemxINzhVcjM4Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=`
+const validSSLPrivateKey = `LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQzFqSjExcWdqRTdFOW0KUlRRSzY2cmlFYkFKdDU2bFBmSUFJRTBwSFBiVEtOT0NWRmpWSWoxWW4zSDZTNlRBc3R4dE1INGtKMlJ4VXNXZgpueVpQaDlDY2ZUQjlmNGVqOEF3SWJvc2MyK0QzUDlQNDFURzd6YTErVlVuc05OTzk2ZHoyTlE2UGhXTTh0bGFSCnZOd2Z6KzRtWUxvYTZEVCtzci91WDZHaXJrYk5UR3hzL0dJMVlQL21kMk1nbVJSdTBxSTFpQUZPbXUyeDFnRmYKUGJMV29vL1dsOG9LNGRCNTY3Y294cjRvWk5KeE1ucEtlNXdtcDl2OHlCUFdQZGErS3VZK0lQdVV2ZHk5K0VwOApzZjlydVdGY2ZIaHV5WkxNVzlFTmN2NjV0eHFNMlhJVkdkVzJoby9GL1VYd1Q0U2JIR3F3TWxicVc4bE9zdktqCncza3lhU0h4QWdNQkFBRUNnZ0VBQXVWdTM2RXFTYVh4Y0ZLN1RVOU1KeFljSmxPSkV0N0ZuUTNtM1RpS2tYek4KdnY4RWVjWDFqNVBmbUJ3YjBUMHBPZzZ6ZkhVcWE0cGovN05rdzVFSm1XMS8yQWl3UzhPNUZXdGFDY2hTTXUrUQpQS0IrRGg1dVhaMFR0RkoxYkVxdVRUazBkY0t0ZmhyMGo1ZWhOVnEyVkdObnBLVStyeTkvMDFnd05tMnNVSHNZClBmZWszNjNXRU5BOXlqbDNuOXFicXp4aXphaVowekJEM1ZDWkhXRVBrd215Yk1oRnZQY1V4M24rU2tRUnRhYk0KSzdyZTc2bkwwdU9GdTV3L1FUUU5KVVcvdGJ5R0lZVFJHUExibTFJeWs4RUpmc2lWa09yR0tVWE1HelU1UlZ5QQpROGQvWlI1b3Q0L0R3R29OM2NmQytBODlXT1g2dk5kU3B6Y1VsZmtLS1FLQmdRRGtPbDlIRnRiRklZd0VZbmpDCklQMDdmcVArNnhtVnZpQlRjOEFqQnMraGc1NmhadFltQ29aOTQ4RHJZT0MxSEtWVi9WZWVCU2FHZGo4WUNtdnkKZUNkTExvYms3Skc0bHRiUmxMUlpHUGEyR1JSTkZUZ2xhRXQ2Q1F3QXFuQ1hUMkxoVHI1NGswVlZFT00wclFNWgpUN1NMSVdzZXA5N3N2TW15ZGwyWlNBbDNuUUtCZ1FETHBDSTV4UjF6eU9Kb1RQQStaRTIrYVlCMjdqM0VPeSs2CmdyTXovc3M2c2lndVJ4TEMvRHZJWUNLbXc0S213N2N0dUw3eW5UbDRuaFJIVFhwRDV5M0NLTG5OVTBXRVA5L1MKVmsrS25FUWFFdVdaTm9pbU1xUTNMSkcvL0pYYUpPa2c3WmV0eWt2cnYyUHdLY0lncHpKUGdJWjZOeVRzaDV5NwowbUFyVWF4bFpRS0JnUURON2hXV1VYZE12RzVZYm5uRHdIeCtPRkRGYldEU2lwRWtlNmI4YytMWk82Zmd2cWV2Ci80TkhDRUJFb2s5ZlhBK2JQVkxYbEpJa2RZR01zYXFoUitVOG95aTRXdlZKZDJFeURsbUVvMC9KRTJ3TCtYK0YKMFV0NU83eUd4VU4rWS9VMmt4U3VPMFF0ODJUdlhNVVZDNlErZmRMb0FGVFhpNmo2ekc2OEpoSFV5UUtCZ0VDMApyb3RjcnJjVHBaMHVsVWU5NTFZUmY5aEtheVhuQ0l0aTdENGhQOEl1eWNXcW43T0ZJaG5STWpGNi9oQ3ZMNDAvCm5xekllSEp6Q0U1L3Q5SExxeVorZWt0Ym9rTWJhS3NVOGNGQlZnSlM3dEY0R29OMG8rbEVLQ3V3dm96S0hhbHcKMVRsTGhrUXFWRDhEaGNPS1hOb1dKS1RBME9LM1ZIMzVvc1VnOW41aEFvR0FYYm45dHNOVFp1SmpLWXFxMWszVQovM2trR0NadEJnZmEvaCtpRWdPN1RoZFp5ekdzcjRuVGkzQTFyU09iVkZ0amoza3BOTEZCMW91aTVMcEJjMWFWCkQ0VjhuMHhDdktJbTl2N2hCVm9iTWZVZmVoVE1TSFBZOFZvcWJneXY4ZWZueS9MNVh6d2R3b0NXSGpEZFZXS3EKMVlDLzBIRkhlRFJzWm9aT3RtdTVnTTQ9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=`
+
 func TestRGW(t *testing.T) {
 	suite.Run(t, new(rgwSuite))
 }
@@ -67,16 +70,101 @@ func (s *rgwSuite) TestEnableRGW() {
 
 	processExec = r
 
-	err := EnableRGW(s.TestStateInterface, 80, []string{"10.1.1.1", "10.2.2.2"})
+	err := EnableRGW(s.TestStateInterface, 80, 443, "", "", []string{"10.1.1.1", "10.2.2.2"})
 
 	assert.NoError(s.T(), err)
 
 	// check that the radosgw.conf file contains expected values
 	conf := s.ReadCephConfig("radosgw.conf")
-	assert.Contains(s.T(), conf, "rgw frontends = beast port=80")
+	assert.Contains(s.T(), conf, "rgw frontends = beast port=80\n")
 	assert.Contains(s.T(), conf, "mon host = 10.1.1.1,10.2.2.2")
 }
 
+// Test enabling RGW
+func (s *rgwSuite) TestEnableRGWWithInvalidSSLCertificate() {
+	r := mocks.NewRunner(s.T())
+
+	processExec = r
+
+	err := EnableRGW(s.TestStateInterface, 80, 443, "invalid-certificate", validSSLPrivateKey, []string{"10.1.1.1", "10.2.2.2"})
+
+	// we expect an illegal base64 data error
+	assert.EqualError(s.T(), err, "illegal base64 data at input byte 7")
+
+	// check that the radosgw.conf file contains expected values
+	conf := s.ReadCephConfig("radosgw.conf")
+	assert.Equal(s.T(), conf, "")
+}
+
+// Test enabling RGW
+func (s *rgwSuite) TestEnableRGWWithInvalidSSLPrivateKey() {
+	r := mocks.NewRunner(s.T())
+
+	processExec = r
+
+	err := EnableRGW(s.TestStateInterface, 80, 443, validSSLCertificate, "invalid-private-key", []string{"10.1.1.1", "10.2.2.2"})
+
+	// we expect an illegal base64 data error
+	assert.EqualError(s.T(), err, "illegal base64 data at input byte 7")
+
+	// check that the radosgw.conf file contains expected values
+	conf := s.ReadCephConfig("radosgw.conf")
+	assert.Equal(s.T(), conf, "")
+}
+
+// Test enabling RGW
+func (s *rgwSuite) TestEnableRGWWithMissingSSLCertificate() {
+	r := mocks.NewRunner(s.T())
+
+	addRGWEnableExpectations(r)
+
+	processExec = r
+
+	err := EnableRGW(s.TestStateInterface, 0, 443, "", validSSLPrivateKey, []string{"10.1.1.1", "10.2.2.2"})
+
+	assert.NoError(s.T(), err)
+
+	// check that the radosgw.conf file contains expected values
+	conf := s.ReadCephConfig("radosgw.conf")
+	assert.Contains(s.T(), conf, "rgw frontends = beast port=80\n")
+}
+
+// Test enabling RGW
+func (s *rgwSuite) TestEnableRGWWithMissingSSLPrivateKey() {
+	r := mocks.NewRunner(s.T())
+
+	addRGWEnableExpectations(r)
+
+	processExec = r
+
+	err := EnableRGW(s.TestStateInterface, 0, 443, validSSLCertificate, "", []string{"10.1.1.1", "10.2.2.2"})
+
+	assert.NoError(s.T(), err)
+
+	// check that the radosgw.conf file contains expected values
+	conf := s.ReadCephConfig("radosgw.conf")
+	assert.Contains(s.T(), conf, "rgw frontends = beast port=80\n")
+}
+
+// Test enabling RGW
+func (s *rgwSuite) TestEnableRGWWithSSL() {
+	r := mocks.NewRunner(s.T())
+
+	addRGWEnableExpectations(r)
+
+	processExec = r
+
+	err := EnableRGW(s.TestStateInterface, 80, 443, validSSLCertificate, validSSLPrivateKey, []string{"10.1.1.1", "10.2.2.2"})
+
+	assert.NoError(s.T(), err)
+
+	// check that the radosgw.conf file contains expected values
+	conf := s.ReadCephConfig("radosgw.conf")
+	sslCertificatePath := filepath.Join(s.Tmp, "SNAP_COMMON", "server.crt")
+	sslPrivateKeyPath := filepath.Join(s.Tmp, "SNAP_COMMON", "server.key")
+	assert.Contains(s.T(), conf, "rgw frontends = beast port=80 ssl_port=443 ssl_certificate="+sslCertificatePath+" ssl_private_key="+sslPrivateKeyPath+"\n")
+}
+
 func (s *rgwSuite) TestDisableRGW() {
 	r := mocks.NewRunner(s.T())
 

microceph/ceph/services_placement_rgw.go

@@ -8,7 +8,10 @@ import (
 )
 
 type RgwServicePlacement struct {
-	Port int
+	Port           int
+	SSLPort        int
+	SSLCertificate string
+	SSLPrivateKey  string
 }
 
 func (rgw *RgwServicePlacement) PopulateParams(s interfaces.StateInterface, payload string) error {
@@ -32,7 +35,7 @@ func (rgw *RgwServicePlacement) ServiceInit(s interfaces.StateInterface) error {
 		return fmt.Errorf("failed to get config db: %w", err)
 	}
 
-	return EnableRGW(s, rgw.Port, getMonitorAddresses(config))
+	return EnableRGW(s, rgw.Port, rgw.SSLPort, rgw.SSLCertificate, rgw.SSLPrivateKey, getMonitorAddresses(config))
 }
 
 func (rgw *RgwServicePlacement) PostPlacementCheck(s interfaces.StateInterface) error {