Allow tripleo_cephadm to process tls info when provided

When internal_tls is true, step1 runs the linux-system-roles.certificate which is able to produce the ceph_rgw.pem file [1]. When this info is available, we need to make sure that cephadm is able to process it using the spec, and it's included in the deployed rgw(s) instances. If the rgw_frontend_ssl_certificate is empty, then this key can be ignored (this means tls is not enabled). The ceph_spec module is now able to filter and drop empty keys if the value is not provided when the spec dict is built. [1] https://github.com/openstack/tripleo-heat-templates/blob/master/deployment/cephadm/ceph-rgw.yaml#L169 Change-Id: I22b93cc1057b5894e2c8342c578a3b8080b542ae
2021-04-09 13:48:51 +02:00 · 2021-04-09 13:48:51 +02:00 · 417588a589
parent 168541b0de
commit 417588a589
5 changed files with 28 additions and 4 deletions
--- a/tripleo_ansible/ansible_plugins/module_utils/ceph_spec.py
+++ b/tripleo_ansible/ansible_plugins/module_utils/ceph_spec.py
@ -42,7 +42,8 @@ ALLOWED_SPEC_KEYS = {
        'rgw_frontend_type',
        'rgw_realm',
        'rgw_zone',
-        'rgw_ip_address'
+        'rgw_ip_address',
+        'rgw_frontend_ssl_certificate'
    ],
    'nfs': [
        'namespace',
@ -206,8 +207,8 @@ class CephDaemonSpec(object):

        # append the spec if provided
        if len(self.spec.keys()) > 0:
-            if(self.validate_keys(self.spec.keys(), ALLOWED_SPEC_KEYS)):
-                sp = {'spec': self.spec}
+            if self.validate_keys(self.spec.keys(), ALLOWED_SPEC_KEYS):
+                sp = {'spec': self.filter_spec(self.spec)}
            else:
                raise Exception("Fatal: the spec should be composed by only allowed keywords")

@ -215,6 +216,9 @@ class CephDaemonSpec(object):
        spec_template = {**spec_template, **ntw, **self.extra, **pl, **sp}
        return spec_template

+    def filter_spec(self, spec):
+        return {k: v for k, v in spec.items() if v}
+
    def validate_keys(self, spec, ALLOWED_KEYS):
        '''
        When the spec section is created, if constraints are
--- a/tripleo_ansible/ansible_plugins/modules/ceph_mkspec.py
+++ b/tripleo_ansible/ansible_plugins/modules/ceph_mkspec.py
@ -184,11 +184,21 @@ def render(path, content):
        if path is not None and len(path) > 0:
            with open(path, 'w') as f:
                f.write('---\n')
-                f.write(yaml.dump(content, indent=2))
+                f.write(yaml.safe_dump(content, indent=2))
    else:
        print('Nothing to dump!')


+def repr_str(dumper, data):
+    if '\n' in data:
+        return dumper.represent_scalar(u'tag:yaml.org,2002:str', data, style='|')
+    return dumper.org_represent_str(data)
+
+
+yaml.SafeDumper.org_represent_str = yaml.SafeDumper.represent_str
+yaml.add_representer(str, repr_str, Dumper=yaml.SafeDumper)
+
+
 def run_module():

    module = AnsibleModule(
--- a/tripleo_ansible/roles/tripleo_cephadm/defaults/main.yml
+++ b/tripleo_ansible/roles/tripleo_cephadm/defaults/main.yml
@ -44,5 +44,6 @@ tripleo_cephadm_conf_overrides: {}
 tripleo_cephadm_fsid_list: []
 tripleo_cephadm_fqdn: false
 tripleo_cephadm_crush_rules: []
+tripleo_cephadm_internal_tls_enabled: false
 # todo(fultonj) add is_hci boolean for target memory
 # https://lists.ceph.io/hyperkitty/list/dev@ceph.io/thread/Z77XO23JPXDNHKM7IG6UN4URYKA6L7VH/
--- a/tripleo_ansible/roles/tripleo_cephadm/tasks/rgw.yaml
+++ b/tripleo_ansible/roles/tripleo_cephadm/tasks/rgw.yaml
@ -39,11 +39,19 @@
          rgw_frontend_port: "{{ radosgw_frontend_port }}"
          rgw_realm: 'default'
          rgw_zone: 'default'
+          rgw_frontend_ssl_certificate: "{{ rgw_frontend_cert }}"
        render_path: "{{ tripleo_cephadm_spec_home }}"
        networks: "{{ radosgw_address_block }}"
      register: spc
      environment:
        CEPH_CONTAINER_IMAGE: "{{ tripleo_cephadm_container_ns + '/' + tripleo_cephadm_container_image + ':' + tripleo_cephadm_container_tag }}"
        CEPH_CONTAINER_BINARY: "{{ tripleo_cephadm_container_cli }}"
+      vars:
+        rgw_frontend_cert: |-
+          {% set fcert_lookup = '' %}
+          {% if tripleo_cephadm_internal_tls_enabled | bool %}
+          {%   set fcert_lookup = lookup('file', radosgw_frontend_ssl_certificate) %}
+          {% endif %}
+          {{ fcert_lookup }}
  when:
    - tripleo_enabled_services | intersect(['ceph_rgw'])
--- a/tripleo_ansible/roles/tripleo_run_cephadm/tasks/prepare.yml
+++ b/tripleo_ansible/roles/tripleo_run_cephadm/tasks/prepare.yml
@ -122,3 +122,4 @@
      tripleo_enabled_services: {{ enabled_services | default([]) }}
      tripleo_cephadm_fqdn: "{{ ceph_spec_fqdn | bool }}"
      tripleo_cephadm_spec_ansible_host: "{{ tripleo_run_cephadm_spec_path }}"
+      tripleo_cephadm_internal_tls_enabled: "{{ enable_internal_tls }}"