openstack
/
tripleo-heat-templates
Code Issues Proposed changes
Browse Source

Move Ceph services to linux-system-roles.certificate 

When Ceph is deployed by cephadm and tls-everywhere is enabled,
all the related certificates and keys should be created by TripleO.
For this reason, this change aligns these services to use the role [1]
for key and cert generation.

[1] https://github.com/linux-system-roles/certificate

Change-Id: I8cb69256e57f20dd1050f99fa305c56f22435bc2
changes/26/784626/2
Francesco Pantano 1 year ago
parent
76cb99a2a7
commit
1954c3b251
No known key found for this signature in database
GPG Key ID: 458D4D1F41BD75C
3 changed files with 109 additions and 76 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 59
      deployment/cephadm/ceph-grafana.yaml
  2. 60
      deployment/cephadm/ceph-mgr.yaml
  3. 66
      deployment/cephadm/ceph-rgw.yaml

59
deployment/cephadm/ceph-grafana.yaml
Unescape View File

@ -159,31 +159,6 @@ outputs:
tripleo_cephadm_grafana_key: '/etc/pki/tls/private/ceph_grafana.key'
expression: $.data.default.mergeWith($.data.certmap)
- {get_attr: [CephGrafanaAnsibleVars, value, vars]}
config_settings:
map_merge:
- if:
- internal_tls_enabled
-
ceph_grafana_certificate_specs:
service_certificate: '/etc/pki/tls/certs/ceph_grafana.crt'
service_key: '/etc/pki/tls/private/ceph_grafana.key'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
principal:
str_replace:
template: "ceph_grafana/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
postsave_cmd: "/usr/bin/certmonger-grafana-refresh.sh"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: GrafanaCertificateKeySize}
- {}
metadata_settings:
if:
- internal_tls_enabled
@ -192,3 +167,37 @@ outputs:
network: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
type: node
- null
deploy_steps_tasks:
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: ceph_grafana
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
principal:
str_replace:
template: "ceph_grafana/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
run_after: |
# Get grafana systemd unit
grafana_unit=$(systemctl list-unit-files | awk '/grafana/ {print $1}')
# Restart the grafana systemd unit
if [ -z "$grafana_unit" ]; then
systemctl restart "$grafana_unit"
fi
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: GrafanaCertificateKeySize}
ca: ipa

60
deployment/cephadm/ceph-mgr.yaml
Unescape View File

@ -72,6 +72,7 @@ conditions:
- equals:
- get_param: EnableInternalTLS
- true
key_size_override_unset: {equals: [{get_param: CephCertificateKeySize}, '']}
resources:
CephBase:
@ -144,31 +145,6 @@ outputs:
- tripleo_cephadm_dashboard_grafana_api_no_ssl_verify: true
- {get_attr: [CephMgrAnsibleVars, value, vars]}
- {}
config_settings:
map_merge:
- if:
- internal_tls_enabled
-
ceph_dashboard_certificate_specs:
service_certificate: '/etc/pki/tls/certs/ceph_dashboard.crt'
service_key: '/etc/pki/tls/private/ceph_dashboard.key'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
principal:
str_replace:
template: "ceph_dashboard/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
postsave_cmd: "/usr/bin/certmonger-dashboard-refresh.sh"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: CephCertificateKeySize}
- {}
metadata_settings:
if:
- internal_tls_enabled
@ -177,3 +153,37 @@ outputs:
network: {get_param: [ServiceNetMap, CephDashboardNetwork]}
type: node
- null
deploy_steps_tasks:
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: ceph_dashboard
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
principal:
str_replace:
template: "ceph_dashboard/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
run_after: |
# Get mgr systemd unit
mgr_unit=$(systemctl list-units | awk '/ceph-mgr/ {print $1}')
# Restart the mgr systemd unit
if [ -n "$mgr_unit" ]; then
systemctl restart "$mgr_unit"
fi
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: CephCertificateKeySize}
ca: ipa

66
deployment/cephadm/ceph-rgw.yaml
Unescape View File

@ -59,6 +59,7 @@ parameters:
conditions:
dashboard_enabled: {equals: [{get_param: CephEnableDashboard}, true]}
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
key_size_override_unset: {equals: [{get_param: CephCertificateKeySize}, '']}
resources:
CephBase:
@ -168,32 +169,6 @@ outputs:
- radosgw_frontend_ssl_certificate: '/etc/pki/tls/certs/ceph_rgw.pem'
- {get_attr: [CephRgwAnsibleVars, value, vars]}
ceph_rgw_config_overrides: {get_attr: [CephRgwConfigOverrides, value, vars]}
config_settings:
map_merge:
- if:
- internal_tls_enabled
-
ceph_rgw_certificate_specs:
service_certificate: '/etc/pki/tls/certs/ceph_rgw.crt'
service_key: '/etc/pki/tls/private/ceph_rgw.key'
service_pem: '/etc/pki/tls/certs/ceph_rgw.pem'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
principal:
str_replace:
template: "ceph_rgw/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
postsave_cmd: "/usr/bin/certmonger-rgw-refresh.sh"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: CephRgwCertificateKeySize}
- {}
metadata_settings:
if:
- internal_tls_enabled
@ -202,3 +177,42 @@ outputs:
network: {get_param: [ServiceNetMap, CephRgwNetwork]}
type: node
- null
deploy_steps_tasks:
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: ceph_rgw
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
principal:
str_replace:
template: "ceph_rgw/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
run_after: |
# Create PEM file
pemfile=/etc/pki/tls/certs/ceph_rgw.pem
cat /etc/pki/tls/certs/ceph_rgw.crt /etc/ipa/ca.crt /etc/pki/tls/private/ceph_rgw.key > $pemfile
chmod 0640 $pemfile
chown 472:472 $pemfile
# Get ceph rgw systemd unit
rgw_unit=$(systemctl list-unit-files | awk '/radosgw/ {print $1}')
# Restart the rgw systemd unit
if [ -n "$rgw_unit" ]; then
systemctl restart "$rgw_unit"
fi
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: CephRgwCertificateKeySize}
ca: ipa

Write Preview
Loading…
Cancel
Save