Add support for not using admin_token in Ceph/RGW

This patch add the option for using Keyston V3 authention with
the Ceph/RGW service instead of using the admin_token

Change-Id: I42861afcac221478dcb68be13b6dbc2533a7f158

manifests/profile/base/ceph/rgw.pp

@@ -29,6 +29,10 @@
 # [*keystone_admin_token*]
 #   The keystone admin token
 #
+# [*rgw_keystone_version*] The api version for keystone.
+#   Possible values 'v2.0', 'v3'
+#   Optional. Default is 'v2.0'
+#
 # [*keystone_url*]
 #   The internal or admin url for keystone
 #
@@ -44,9 +48,10 @@ class tripleo::profile::base::ceph::rgw (
   $keystone_admin_token,
   $keystone_url,
   $rgw_key,
-  $civetweb_bind_ip   = '127.0.0.1',
-  $civetweb_bind_port = '8080',
-  $step               = hiera('step'),
+  $civetweb_bind_ip            = '127.0.0.1',
+  $civetweb_bind_port          = '8080',
+  $rgw_keystone_version        = 'v2.0',
+  $step                        = hiera('step'),
 ) {
 
   include ::tripleo::profile::base::ceph
@@ -58,7 +63,8 @@ class tripleo::profile::base::ceph::rgw (
     include ::ceph::profile::base
     ceph::rgw { $rgw_name:
       frontend_type => 'civetweb',
-      rgw_frontends => "civetweb port=${civetweb_bind_ip_real}:${civetweb_bind_port}"
+      rgw_frontends => "civetweb port=${civetweb_bind_ip_real}:${civetweb_bind_port}",
+      user          => 'ceph',
     }
     ceph::key { "client.${rgw_name}":
       secret  => $rgw_key,
@@ -69,11 +75,24 @@ class tripleo::profile::base::ceph::rgw (
   }
 
   if $step >= 4 {
-    ceph::rgw::keystone { $rgw_name:
-      rgw_keystone_accepted_roles => ['admin', '_member_', 'Member'],
-      use_pki                     => false,
-      rgw_keystone_admin_token    => $keystone_admin_token,
-      rgw_keystone_url            => $keystone_url,
+    if $rgw_keystone_version == 'v2.0' {
+      ceph::rgw::keystone { $rgw_name:
+        rgw_keystone_accepted_roles => ['admin', '_member_', 'Member'],
+        use_pki                     => false,
+        rgw_keystone_admin_token    => $keystone_admin_token,
+        rgw_keystone_url            => $keystone_url,
+        user                        => 'ceph',
+      }
+    }
+    else
+    {
+      ceph::rgw::keystone { $rgw_name:
+        rgw_keystone_accepted_roles => ['admin', '_member_', 'Member'],
+        use_pki                     => false,
+        rgw_keystone_url            => $keystone_url,
+        rgw_keystone_version        => $rgw_keystone_version,
+        user                        => 'ceph',
+      }
     }
   }
 }

releasenotes/notes/rgw-keystone-v3-43ef17dd10f825be.yaml

@@ -0,0 +1,5 @@
+---
+features:
+  - Add support for configuring Ceph RGW to use
+    keystone V3 service authentication instead
+    of admin token authentication

spec/classes/tripleo_profile_base_ceph_rgw_spec.rb

@@ -85,6 +85,17 @@ describe 'tripleo::profile::base::ceph::rgw' do
         )
       end
     end
+
+    context 'with step 4 and keystone v3' do
+      let(:params) { default_params.merge({ :step => 4, :rgw_keystone_version => 'v3' }) }
+      it 'should include rgw configuration' do
+        is_expected.to contain_ceph__rgw__keystone('radosgw.gateway').with(
+          :rgw_keystone_accepted_roles => ["admin", "_member_", "Member"],
+          :use_pki                     => false,
+          :rgw_keystone_url            => 'url'
+        )
+      end
+    end
   end
 
   on_supported_os.each do |os, facts|

spec/fixtures/hieradata/default.yaml

@@ -14,6 +14,13 @@ barbican::keystone::authtoken::password: 'password'
 ceilometer::keystone::authtoken::password: 'password'
 # ceph related items
 ceph::profile::params::mon_key: 'password'
+# NOTE(gfidente): we want to use keystone v3 API for RGW so the following are
+# needed to comply with the if condition:
+# https://github.com/openstack/puppet-ceph/blob/master/manifests/rgw/keystone.pp#L111
+ceph::profile::params::rgw_keystone_admin_domain: 'keystone_domain'
+ceph::profile::params::rgw_keystone_admin_project: 'keystone_project'
+ceph::profile::params::rgw_keystone_admin_user: 'keystone_admin_user'
+ceph::profile::params::rgw_keystone_admin_password: 'keystone_admin_password'
 # cinder related items
 cinder::rabbit_password: 'password'
 cinder::keystone::authtoken::password: 'password'