
Allow tripleo_cephadm to process tls info when provided

When internal_tls is true, step1 runs the linux-system-roles.certificate
role, which is able to produce the ceph_rgw.pem file [1].
When this info is available, we need to make sure that cephadm is able
to process it using the spec, and that it's included in the deployed
rgw instance(s).
If the rgw_frontend_ssl_certificate is empty, then this key can be
ignored (this means tls is not enabled). The ceph_spec module is now
able to filter and drop empty keys if the value is not provided when
the spec dict is built.

[1] https://github.com/openstack/tripleo-heat-templates/blob/master/deployment/cephadm/ceph-rgw.yaml#L169

Change-Id: I22b93cc1057b5894e2c8342c578a3b8080b542ae
changes/29/785629/5
Francesco Pantano 7 months ago
parent
commit
417588a589
  1. 10
      tripleo_ansible/ansible_plugins/module_utils/ceph_spec.py
  2. 12
      tripleo_ansible/ansible_plugins/modules/ceph_mkspec.py
  3. 1
      tripleo_ansible/roles/tripleo_cephadm/defaults/main.yml
  4. 8
      tripleo_ansible/roles/tripleo_cephadm/tasks/rgw.yaml
  5. 1
      tripleo_ansible/roles/tripleo_run_cephadm/tasks/prepare.yml

10
tripleo_ansible/ansible_plugins/module_utils/ceph_spec.py

@ -42,7 +42,8 @@ ALLOWED_SPEC_KEYS = {
'rgw_frontend_type',
'rgw_realm',
'rgw_zone',
'rgw_ip_address'
'rgw_ip_address',
'rgw_frontend_ssl_certificate'
],
'nfs': [
'namespace',
@ -206,8 +207,8 @@ class CephDaemonSpec(object):
# append the spec if provided
if len(self.spec.keys()) > 0:
if(self.validate_keys(self.spec.keys(), ALLOWED_SPEC_KEYS)):
sp = {'spec': self.spec}
if self.validate_keys(self.spec.keys(), ALLOWED_SPEC_KEYS):
sp = {'spec': self.filter_spec(self.spec)}
else:
raise Exception("Fatal: the spec should be composed by only allowed keywords")
@ -215,6 +216,9 @@ class CephDaemonSpec(object):
spec_template = {**spec_template, **ntw, **self.extra, **pl, **sp}
return spec_template
def filter_spec(self, spec):
return {k: v for k, v in spec.items() if v}
def validate_keys(self, spec, ALLOWED_KEYS):
'''
When the spec section is created, if constraints are
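Review bot: `filter_spec` tests truthiness, so it cannot tell a key that was deliberately left empty from one that came back empty by mistake, and it also drops legitimate falsy values such as `0` or `False`. With this commit an empty `rgw_frontend_ssl_certificate` is silently removed from the spec, so a deployment that asked for internal TLS but ended up with an empty certificate would apparently bring RGW up without TLS instead of failing. Consider dropping only `None` and empty strings, `return {k: v for k, v in spec.items() if v is not None and v != ''}`, and rejecting an empty certificate when TLS was requested (that check belongs with the caller, which is outside this section). The new method also has no docstring; one line stating which values are dropped would spare the next reader the guess.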

12
tripleo_ansible/ansible_plugins/modules/ceph_mkspec.py

@ -184,11 +184,21 @@ def render(path, content):
if path is not None and len(path) > 0:
with open(path, 'w') as f:
f.write('---\n')
f.write(yaml.dump(content, indent=2))
f.write(yaml.safe_dump(content, indent=2))
else:
print('Nothing to dump!')
def repr_str(dumper, data):
if '\n' in data:
return dumper.represent_scalar(u'tag:yaml.org,2002:str', data, style='|')
return dumper.org_represent_str(data)
yaml.SafeDumper.org_represent_str = yaml.SafeDumper.represent_str
yaml.add_representer(str, repr_str, Dumper=yaml.SafeDumper)
def run_module():
module = AnsibleModule(
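Review bot: `render` still creates the spec file with `open(path, 'w')`, so its mode is whatever the process umask allows, while after this commit the dumped content can carry the RGW certificate; if that PEM bundles the private key, as RGW certificate files commonly do, the key lands in a file other local users may be able to read. Creating the file with an explicit mode closes that: `fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` followed by `with os.fdopen(fd, 'w') as f:` (this assumes `os` is imported; the import block and the start of `render` are outside the hunk). The mode only applies on creation, so an already existing spec file keeps its old permissions. Separately, `yaml.add_representer(str, repr_str, Dumper=yaml.SafeDumper)` and the `org_represent_str` assignment change `SafeDumper` for the whole process; a small `SafeDumper` subclass passed as `Dumper=` to `yaml.dump` would keep the block-style behaviour local to this module.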

1
tripleo_ansible/roles/tripleo_cephadm/defaults/main.yml

@ -44,5 +44,6 @@ tripleo_cephadm_conf_overrides: {}
tripleo_cephadm_fsid_list: []
tripleo_cephadm_fqdn: false
tripleo_cephadm_crush_rules: []
tripleo_cephadm_internal_tls_enabled: false
# todo(fultonj) add is_hci boolean for target memory
# https://lists.ceph.io/hyperkitty/list/dev@ceph.io/thread/Z77XO23JPXDNHKM7IG6UN4URYKA6L7VH/

8
tripleo_ansible/roles/tripleo_cephadm/tasks/rgw.yaml

@ -39,11 +39,19 @@
rgw_frontend_port: "{{ radosgw_frontend_port }}"
rgw_realm: 'default'
rgw_zone: 'default'
rgw_frontend_ssl_certificate: "{{ rgw_frontend_cert }}"
render_path: "{{ tripleo_cephadm_spec_home }}"
networks: "{{ radosgw_address_block }}"
register: spc
environment:
CEPH_CONTAINER_IMAGE: "{{ tripleo_cephadm_container_ns + '/' + tripleo_cephadm_container_image + ':' + tripleo_cephadm_container_tag }}"
CEPH_CONTAINER_BINARY: "{{ tripleo_cephadm_container_cli }}"
vars:
rgw_frontend_cert: |-
{% set fcert_lookup = '' %}
{% if tripleo_cephadm_internal_tls_enabled | bool %}
{% set fcert_lookup = lookup('file', radosgw_frontend_ssl_certificate) %}
{% endif %}
{{ fcert_lookup }}
when:
- tripleo_enabled_services | intersect(['ceph_rgw'])
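Review bot: The certificate content is handed to the module as a plain task argument and the result is registered in `spc`, and nothing in the visible part of the task keeps it out of Ansible's output and logs. If the file named by `radosgw_frontend_ssl_certificate` also holds the private key, verbose runs and callback or log plugins would record it; adding `no_log: true` to this task (or marking the option `no_log` in the module's argument spec, which is not shown here) avoids that. Also worth confirming: `lookup('file', ...)` reads from the Ansible controller rather than the managed host, so the PEM has to exist there when this task runs. The task starts above the hunk, so an existing `no_log` there would not be visible from here.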

1
tripleo_ansible/roles/tripleo_run_cephadm/tasks/prepare.yml

@ -122,3 +122,4 @@
tripleo_enabled_services: {{ enabled_services | default([]) }}
tripleo_cephadm_fqdn: "{{ ceph_spec_fqdn | bool }}"
tripleo_cephadm_spec_ansible_host: "{{ tripleo_run_cephadm_spec_path }}"
tripleo_cephadm_internal_tls_enabled: "{{ enable_internal_tls }}"
