From 417588a58967c533f6a4af0f97e298cb9df56c3b Mon Sep 17 00:00:00 2001
From: Francesco Pantano
Date: Fri, 9 Apr 2021 13:48:51 +0200
Subject: [PATCH] Allow tripleo_cephadm to process tls info when provided
When internal_tls is true, step1 runs the linux-system-roles.certificate which is able to produce the ceph_rgw.pem file [1]. When this info is available, we need to make sure that cephadm is able to process it using the spec, and it's included in the deployed rgw(s) instances. If the rgw_frontend_ssl_certificate is empty, then this key can be ignored (this means tls is not enabled). The ceph_spec module is now able to filter and drop empty keys if the value is not provided when the spec dict is built.
[1] https://github.com/openstack/tripleo-heat-templates/blob/master/deployment/cephadm/ceph-rgw.yaml#L169
Change-Id: I22b93cc1057b5894e2c8342c578a3b8080b542ae
---
 .../ansible_plugins/module_utils/ceph_spec.py | 10 +++++++---
 .../ansible_plugins/modules/ceph_mkspec.py | 12 +++++++++++-
 .../roles/tripleo_cephadm/defaults/main.yml | 1 +
 tripleo_ansible/roles/tripleo_cephadm/tasks/rgw.yaml | 8 ++++++++
 .../roles/tripleo_run_cephadm/tasks/prepare.yml | 1 +
 5 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/tripleo_ansible/ansible_plugins/module_utils/ceph_spec.py b/tripleo_ansible/ansible_plugins/module_utils/ceph_spec.py
index a2f83e003..a976c2edb 100644
--- a/tripleo_ansible/ansible_plugins/module_utils/ceph_spec.py
+++ b/tripleo_ansible/ansible_plugins/module_utils/ceph_spec.py
@@ -42,7 +42,8 @@ ALLOWED_SPEC_KEYS = {
 'rgw_frontend_type',
 'rgw_realm',
 'rgw_zone',
- 'rgw_ip_address'
+ 'rgw_ip_address',
+ 'rgw_frontend_ssl_certificate'
 ],
 'nfs': [
 'namespace',
@@ -206,8 +207,8 @@ class CephDaemonSpec(object):
 # append the spec if provided
 if len(self.spec.keys()) > 0:
- if(self.validate_keys(self.spec.keys(), ALLOWED_SPEC_KEYS)):
- sp = {'spec': self.spec}
+ if self.validate_keys(self.spec.keys(), ALLOWED_SPEC_KEYS):
+ sp = {'spec': self.filter_spec(self.spec)}
 else:
 raise Exception("Fatal: the spec should be composed by only allowed keywords")
@@ -215,6 +216,9 @@ class CephDaemonSpec(object):
 spec_template = {**spec_template, **ntw, **self.extra, **pl, **sp}
 return spec_template
+ def filter_spec(self, spec):
+ return {k: v for k, v in spec.items() if v}
+
 def validate_keys(self, spec, ALLOWED_KEYS):
 '''
 When the spec section is created, if constraints are
diff --git a/tripleo_ansible/ansible_plugins/modules/ceph_mkspec.py b/tripleo_ansible/ansible_plugins/modules/ceph_mkspec.py
index de8e123d4..7f617df55 100644
--- a/tripleo_ansible/ansible_plugins/modules/ceph_mkspec.py
+++ b/tripleo_ansible/ansible_plugins/modules/ceph_mkspec.py
@@ -184,11 +184,21 @@ def render(path, content):
 if path is not None and len(path) > 0:
 with open(path, 'w') as f:
 f.write('---\n')
- f.write(yaml.dump(content, indent=2))
+ f.write(yaml.safe_dump(content, indent=2))
 else:
 print('Nothing to dump!')
+def repr_str(dumper, data):
+ if '\n' in data:
+ return dumper.represent_scalar(u'tag:yaml.org,2002:str', data, style='|')
+ return dumper.org_represent_str(data)
+
+
+yaml.SafeDumper.org_represent_str = yaml.SafeDumper.represent_str
+yaml.add_representer(str, repr_str, Dumper=yaml.SafeDumper)
+
+
 def run_module():
 module = AnsibleModule(
diff --git a/tripleo_ansible/roles/tripleo_cephadm/defaults/main.yml b/tripleo_ansible/roles/tripleo_cephadm/defaults/main.yml
index 8bee03be0..f1a91ee80 100644
--- a/tripleo_ansible/roles/tripleo_cephadm/defaults/main.yml
+++ b/tripleo_ansible/roles/tripleo_cephadm/defaults/main.yml
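Review bot: `filter_spec` in ceph_spec.py filters on truthiness (`if v`), so besides empty strings it also drops `False`, `0`, `[]` and `{}`; any allowed spec key whose meaningful value is falsy would silently vanish from the rendered spec. If only unset values are meant, as the commit message suggests, test for them explicitly: `return {k: v for k, v in spec.items() if v is not None and v != ''}`. At the call site in the previous hunk, `validate_keys` still runs on the unfiltered keys, and when every value is dropped `sp` becomes `{'spec': {}}` instead of being left out. The method also has no docstring, unlike `validate_keys` right below it; a one-line `'''Drop spec keys whose value was not provided'''` would match the file's style.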
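Review bot: `render()` in ceph_mkspec.py still creates the spec file with `open(path, 'w')`, so once the rgw spec embeds the ceph_rgw.pem content the file is written with default umask permissions. If that PEM carries the private key along with the certificate (not visible here), create the file owner-only, e.g. `fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` followed by `with os.fdopen(fd, 'w') as f:`; the mode only applies on creation, so an already existing file needs a chmod, and `os` must be imported if the module does not have it yet. Separately, the `org_represent_str` assignment and `yaml.add_representer(str, repr_str, Dumper=yaml.SafeDumper)` modify `SafeDumper` for the whole process at import time; a small `SafeDumper` subclass passed via `yaml.dump(content, Dumper=..., indent=2)` would keep the block-style strings local to this module. `repr_str` has no docstring; one line stating that multi-line strings are emitted in `|` block style would explain why it exists. The signature of `render()` lies outside the hunk.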
@@ -44,5 +44,6 @@ tripleo_cephadm_conf_overrides: {}
 tripleo_cephadm_fsid_list: []
 tripleo_cephadm_fqdn: false
 tripleo_cephadm_crush_rules: []
+tripleo_cephadm_internal_tls_enabled: false
 # todo(fultonj) add is_hci boolean for target memory
 # https://lists.ceph.io/hyperkitty/list/dev@ceph.io/thread/Z77XO23JPXDNHKM7IG6UN4URYKA6L7VH/
diff --git a/tripleo_ansible/roles/tripleo_cephadm/tasks/rgw.yaml b/tripleo_ansible/roles/tripleo_cephadm/tasks/rgw.yaml
index c0c624649..7f7367ff2 100644
--- a/tripleo_ansible/roles/tripleo_cephadm/tasks/rgw.yaml
+++ b/tripleo_ansible/roles/tripleo_cephadm/tasks/rgw.yaml
@@ -39,11 +39,19 @@
 rgw_frontend_port: "{{ radosgw_frontend_port }}"
 rgw_realm: 'default'
 rgw_zone: 'default'
+ rgw_frontend_ssl_certificate: "{{ rgw_frontend_cert }}"
 render_path: "{{ tripleo_cephadm_spec_home }}"
 networks: "{{ radosgw_address_block }}"
 register: spc
 environment:
 CEPH_CONTAINER_IMAGE: "{{ tripleo_cephadm_container_ns + '/' + tripleo_cephadm_container_image + ':' + tripleo_cephadm_container_tag }}"
 CEPH_CONTAINER_BINARY: "{{ tripleo_cephadm_container_cli }}"
+ vars:
+ rgw_frontend_cert: |-
+ {% set fcert_lookup = '' %}
+ {% if tripleo_cephadm_internal_tls_enabled | bool %}
+ {% set fcert_lookup = lookup('file', radosgw_frontend_ssl_certificate) %}
+ {% endif %}
+ {{ fcert_lookup }}
 when:
 - tripleo_enabled_services | intersect(['ceph_rgw'])
diff --git a/tripleo_ansible/roles/tripleo_run_cephadm/tasks/prepare.yml b/tripleo_ansible/roles/tripleo_run_cephadm/tasks/prepare.yml
index 463346324..a6fa0e76d 100644
--- a/tripleo_ansible/roles/tripleo_run_cephadm/tasks/prepare.yml
+++ b/tripleo_ansible/roles/tripleo_run_cephadm/tasks/prepare.yml
@@ -122,3 +122,4 @@
 tripleo_enabled_services: {{ enabled_services | default([]) }}
 tripleo_cephadm_fqdn: "{{ ceph_spec_fqdn | bool }}"
 tripleo_cephadm_spec_ansible_host: "{{ tripleo_run_cephadm_spec_path }}"
+ tripleo_cephadm_internal_tls_enabled: "{{ enable_internal_tls }}"
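Review bot: In rgw.yaml the PEM content read by `lookup('file', radosgw_frontend_ssl_certificate)` travels as a plain task argument and the result is registered in `spc`, so it can surface in verbose output and in the module invocation log; if ceph_rgw.pem bundles the private key with the certificate (not visible here), the task should carry `no_log: true` or the module should mark that field `no_log`. `lookup` always reads on the Ansible controller, while the commit message says the file is produced by the certificate role in step1; if that happens on the managed node, `slurp` is the matching way to read it, so confirm which host holds the file. When `tripleo_cephadm_internal_tls_enabled` is true but the file is empty, the key is silently dropped by `filter_spec` and RGW is deployed without TLS; an `assert` on a non-empty `rgw_frontend_cert` in that case would make the task fail closed. The task itself starts outside the hunk.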
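Review bot: In prepare.yml the added `tripleo_cephadm_internal_tls_enabled: "{{ enable_internal_tls }}"` has neither a default nor `| bool`, unlike the `tripleo_cephadm_fqdn` line two lines above it. If `enable_internal_tls` is ever undefined at this point the templating fails, and a string value is only normalised later by the `| bool` in rgw.yaml. `tripleo_cephadm_internal_tls_enabled: "{{ enable_internal_tls | default(false) | bool }}"` would keep the TLS switch explicit and consistent with its neighbours. The enclosing task starts outside the hunk, so whether the variable is always defined cannot be confirmed from here.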