Add ceph dashboard frontend endpoint and tls-e integration

This change exposes to the end-user the new ceph dashboard
frontend which is fully integrated with grafana service.
This review also adds all the info/classes to integrate the
service with tls-everywhere framework, providing the cert
request and generation that will be passed to ceph dashboard
via ceph-ansible.

Depends-On: I7728b6a6bbf8447ec3290a13cb7f5807b30cc01f
Change-Id: Id6d2e4b00355cd84baccc2b493f3205c2b32a44b
(cherry picked from commit eec31fd149)
Francesco Pantano 2020-01-16 11:42:20 +01:00
parent 65d6cb12fa
commit 012039bd4b
GPG Key ID: 799868C47301D458
5 changed files with 138 additions and 0 deletions


@ -0,0 +1,10 @@
#!/bin/bash
# Get mgr systemd unit
mgr_unit=$(systemctl list-units | awk '/ceph-mgr/ {print $1}')
# Restart the mgr systemd unit
if [ -n "$mgr_unit" ]; then
systemctl restart "$mgr_unit"
fi
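Review bot: The awk filter on the `mgr_unit=` line keeps every `systemctl list-units` row that contains `ceph-mgr` anywhere, so if more than one row matches, `$mgr_unit` holds several newline-separated names and the quoted `systemctl restart "$mgr_unit"` passes them as a single invalid unit name. The restart then fails, and since this looks like the certmonger-dashboard-refresh.sh helper installed elsewhere in this commit, the mgr would keep serving the old certificate after a renewal. I would narrow the listing to `systemctl list-units --type=service --plain --no-legend 'ceph-mgr@*'` and restart each result with `for unit in $mgr_units; do systemctl restart "$unit" || exit 1; done`. A short comment stating that the script is meant to run as a certmonger post-save command would also help the next reader.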


@ -0,0 +1,81 @@
# Copyright 2019 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::certmonger::ceph_grafana
#
# Request a certificate for RabbitMQ and do the necessary setup.
#
# === Parameters
#
# [*hostname*]
# The hostname of the node. this will be set in the CN of the certificate.
#
# [*service_certificate*]
# The path to the certificate that will be used for TLS in this service.
#
# [*service_key*]
# The path to the key that will be used for TLS in this service.
#
# [*certmonger_ca*]
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
# [*postsave_cmd*]
# (Optional) Specifies the command to execute after requesting a certificate.
# Defaults to undef.
#
# [*principal*]
# (Optional) The service principal that is set for the service in kerberos.
# Defaults to undef
#
class tripleo::certmonger::ceph_dashboard (
$hostname,
$service_certificate,
$service_key,
$postsave_cmd = undef,
$certmonger_ca = hiera('certmonger_ca', 'local'),
$principal = undef,
) {
ensure_resource('file', '/usr/bin/certmonger-dashboard-refresh.sh', {
source => 'puppet:///modules/tripleo/certmonger-dashboard-refresh.sh',
mode => '0700',
seltype => 'bin_t',
notify => Service['certmonger']
})
certmonger_certificate { 'ceph_dashboard' :
ensure => 'present',
certfile => $service_certificate,
keyfile => $service_key,
hostname => $hostname,
dnsname => $hostname,
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
wait => true,
require => Class['::certmonger'],
}
file { $service_certificate :
require => Certmonger_certificate['ceph_dashboard'],
owner => 472,
group => 472,
}
file { $service_key :
require => Certmonger_certificate['ceph_dashboard'],
owner => 472,
group => 472,
}
}
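Review bot: The `file { $service_key :` resource sets `owner => 472` and `group => 472` but no `mode`, so the private key's permissions are whatever certmonger left on disk; adding `mode => '0600',` (or the narrowest mode the consuming container can work with) makes the intent explicit and keeps it enforced on later runs. The bare 472 also deserves a comment naming the account it maps to, because a numeric id that does not match the dashboard's runtime user would leave the key either unreadable by the service or readable by an unrelated one. Separately, the header comment still reads `# == Class: tripleo::certmonger::ceph_grafana` and `# Request a certificate for RabbitMQ`, while the class declared is `tripleo::certmonger::ceph_dashboard`; both lines should name the ceph dashboard.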


@ -347,6 +347,10 @@
# (optional) Enable or not Ceph Grafana dashboard binding
# Defaults to hiera('ceph_grafana_enabled', false)
#
# [*ceph_dashboard*]
# (optional) Enable or not Ceph Dashboard binding
# Defaults to hiera('ceph_mgr_enabled', false)
#
# [*opendaylight*]
# (optional) Enable or not OpenDaylight binding
# Defaults to hiera('opendaylight_api_enabled', false)
@ -388,6 +392,10 @@
# (optional) Specify the network ceph_grafana is running on.
# Defaults to hiera('ceph_grafana_network', undef)
#
# [*ceph_dashboard_network*]
# (optional) Specify the network ceph_dashboard is running on.
# Defaults to hiera('ceph_mgr', undef)
#
# [*cinder_network*]
# (optional) Specify the network cinder is running on.
# Defaults to hiera('cinder_api_network', undef)
@ -594,6 +602,8 @@
# 'ceph_rgw_ssl_port' (Defaults to 13808)
# 'ceph_grafana_port' (Defaults to 3100)
# 'ceph_grafana_ssl_port' (Defaults to 3100)
# 'ceph_dashboard_port' (Defaults to 8444)
# 'ceph_dashboard_ssl_port' (Defaults to 8444)
# 'zaqar_ws_port' (Defaults to 9000)
# 'zaqar_ws_ssl_port' (Defaults to 9000)
# * Note that for zaqar's websockets we don't support having a different
@ -650,6 +660,7 @@ class tripleo::haproxy (
$panko = hiera('panko_api_enabled', false),
$barbican = hiera('barbican_api_enabled', false),
$ceph_grafana = hiera('ceph_grafana_enabled', false),
$ceph_dashboard = hiera('ceph_mgr_enabled', false),
$gnocchi = hiera('gnocchi_api_enabled', false),
$mistral = hiera('mistral_api_enabled', false),
$swift_proxy_server = hiera('swift_proxy_enabled', false),
@ -692,6 +703,7 @@ class tripleo::haproxy (
$gnocchi_network = hiera('gnocchi_api_network', undef),
$heat_api_network = hiera('heat_api_network', undef),
$ceph_grafana_network = hiera('ceph_grafana_network', undef),
$ceph_dashboard_network = hiera('ceph_dashboard_network', undef),
$heat_cfn_network = hiera('heat_api_cfn_network', undef),
$horizon_network = hiera('horizon_network', undef),
$ironic_inspector_network = hiera('ironic_inspector_network', undef),
@ -796,6 +808,8 @@ class tripleo::haproxy (
zaqar_ws_ssl_port => 9000,
ceph_grafana_port => 3100,
ceph_grafana_ssl_port => 3100,
ceph_dashboard_port => 8444,
ceph_dashboard_ssl_port => 8444,
}
$ports = merge($default_service_ports, $service_ports)
@ -1051,6 +1065,24 @@ class tripleo::haproxy (
}
}
if $ceph_dashboard {
::tripleo::haproxy::endpoint { 'ceph_dashboard':
internal_ip => hiera('ceph_dashboard_vip', $controller_virtual_ip),
service_port => $ports[ceph_dashboard_port],
ip_addresses => hiera('ceph_grafana_node_ips', $controller_hosts_real),
server_names => hiera('ceph_grafana_node_names', $controller_hosts_names_real),
mode => 'http',
public_ssl_port => $ports[ceph_dashboard_ssl_port],
listen_options => merge($default_listen_options, {
'option' => [ 'httpchk HEAD /' ],
'balance' => 'source',
'http-check' => 'expect rstatus 2[0-9][0-9]',
}),
service_network => $ceph_dashboard_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
}
}
$nova_api_vip = hiera('nova_api_vip', $controller_virtual_ip)
if $nova_osapi {
::tripleo::haproxy::endpoint { 'nova_osapi':
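Review bot: The `ceph_dashboard` endpoint takes its backends from `hiera('ceph_grafana_node_ips', ...)` and `hiera('ceph_grafana_node_names', ...)`, although the endpoint itself is enabled by `ceph_mgr_enabled`; if grafana and the mgr are ever placed on different nodes, haproxy would forward dashboard sessions, logins included, to hosts that do not run the dashboard. Unless the two services are guaranteed to be co-located, these lookups should use the node lists of the service that actually serves port 8444, and otherwise a one-line comment should state the co-location assumption. The parameter docs also disagree with the code: `ceph_dashboard_network` is documented as `Defaults to hiera('ceph_mgr', undef)` but the class uses `hiera('ceph_dashboard_network', undef)`. The enclosing `class tripleo::haproxy` starts and ends outside these hunks.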


@ -107,6 +107,11 @@
# it will create.
# Defaults to hiera('ceph_grafana_certificate_specs', {}).
#
# [*ceph_dashboard_certificate_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
# Defaults to hiera('ceph_dashboard_certificate_specs', {}).
#
# [*etcd_certificate_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
@ -190,6 +195,7 @@ class tripleo::profile::base::certmonger_user (
$neutron_certificate_specs = hiera('tripleo::profile::base::neutron::certificate_specs', {}),
$novnc_proxy_certificates_specs = hiera('novnc_proxy_certificates_specs',{}),
$ceph_grafana_certificate_specs = hiera('ceph_grafana_certificate_specs', {}),
$ceph_dashboard_certificate_specs = hiera('ceph_dashboard_certificate_specs', {}),
$ovn_dbs_certificate_specs = hiera('ovn_dbs_certificate_specs', {}),
$ovn_controller_certificate_specs = hiera('ovn_controller_certificate_specs', {}),
$ovn_metadata_certificate_specs = hiera('ovn_metadata_certificate_specs', {}),
@ -284,6 +290,9 @@ class tripleo::profile::base::certmonger_user (
unless empty($ceph_grafana_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::ceph_grafana', $ceph_grafana_certificate_specs)
}
unless empty($ceph_dashboard_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::ceph_dashboard', $ceph_dashboard_certificate_specs)
}
unless empty($ovn_dbs_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::ovn_dbs', $ovn_dbs_certificate_specs)
}


@ -0,0 +1,6 @@
---
features:
- |
Adds ceph_dashboard endpoint and ceph_dashboard_port to properly
expose the ceph-dashboard frontend service