Move Ceph services to linux-system-roles.certificate
When Ceph is deployed by cephadm and tls-everywhere is enabled, all the related certificates and keys should be created by TripleO. For this reason, this change aligns these services to use the role [1] for key and cert generation. [1] https://github.com/linux-system-roles/certificate Change-Id: I8cb69256e57f20dd1050f99fa305c56f22435bc2
This commit is contained in:
parent
76cb99a2a7
commit
1954c3b251
@ -159,31 +159,6 @@ outputs:
|
||||
tripleo_cephadm_grafana_key: '/etc/pki/tls/private/ceph_grafana.key'
|
||||
expression: $.data.default.mergeWith($.data.certmap)
|
||||
- {get_attr: [CephGrafanaAnsibleVars, value, vars]}
|
||||
config_settings:
|
||||
map_merge:
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
ceph_grafana_certificate_specs:
|
||||
service_certificate: '/etc/pki/tls/certs/ceph_grafana.crt'
|
||||
service_key: '/etc/pki/tls/private/ceph_grafana.key'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "ceph_grafana/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-grafana-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: GrafanaCertificateKeySize}
|
||||
- {}
|
||||
metadata_settings:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
@ -192,3 +167,37 @@ outputs:
|
||||
network: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
|
||||
type: node
|
||||
- null
|
||||
deploy_steps_tasks:
|
||||
- name: Certificate generation
|
||||
when:
|
||||
- step|int == 1
|
||||
- enable_internal_tls
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: ceph_grafana
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "ceph_grafana/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
|
||||
run_after: |
|
||||
# Get grafana systemd unit
|
||||
grafana_unit=$(systemctl list-unit-files | awk '/grafana/ {print $1}')
|
||||
# Restart the grafana systemd unit
|
||||
if [ -z "$grafana_unit" ]; then
|
||||
systemctl restart "$grafana_unit"
|
||||
fi
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: GrafanaCertificateKeySize}
|
||||
ca: ipa
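Review bot: The restart guard in the grafana `run_after` script is inverted: `if [ -z "$grafana_unit" ]` is true only when the lookup found nothing, so the script runs `systemctl restart ""` in that case and skips the restart whenever a unit was actually found, leaving grafana serving the stale certificate after every issuance or renewal. The dashboard and rgw hunks in this same change use `-n`; this one should too: `if [ -n "$grafana_unit" ]; then`. Since `awk '/grafana/'` over `list-unit-files` can match more than one unit, consider also iterating (`for u in $grafana_unit; do systemctl restart "$u"; done`) rather than passing the whole matched string as a single quoted argument.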
|
||||
|
@ -72,6 +72,7 @@ conditions:
|
||||
- equals:
|
||||
- get_param: EnableInternalTLS
|
||||
- true
|
||||
key_size_override_unset: {equals: [{get_param: CephCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
CephBase:
|
||||
@ -144,31 +145,6 @@ outputs:
|
||||
- tripleo_cephadm_dashboard_grafana_api_no_ssl_verify: true
|
||||
- {get_attr: [CephMgrAnsibleVars, value, vars]}
|
||||
- {}
|
||||
config_settings:
|
||||
map_merge:
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
ceph_dashboard_certificate_specs:
|
||||
service_certificate: '/etc/pki/tls/certs/ceph_dashboard.crt'
|
||||
service_key: '/etc/pki/tls/private/ceph_dashboard.key'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "ceph_dashboard/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-dashboard-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: CephCertificateKeySize}
|
||||
- {}
|
||||
metadata_settings:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
@ -177,3 +153,37 @@ outputs:
|
||||
network: {get_param: [ServiceNetMap, CephDashboardNetwork]}
|
||||
type: node
|
||||
- null
|
||||
deploy_steps_tasks:
|
||||
- name: Certificate generation
|
||||
when:
|
||||
- step|int == 1
|
||||
- enable_internal_tls
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: ceph_dashboard
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "ceph_dashboard/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
|
||||
run_after: |
|
||||
# Get mgr systemd unit
|
||||
mgr_unit=$(systemctl list-units | awk '/ceph-mgr/ {print $1}')
|
||||
# Restart the mgr systemd unit
|
||||
if [ -n "$mgr_unit" ]; then
|
||||
systemctl restart "$mgr_unit"
|
||||
fi
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: CephCertificateKeySize}
|
||||
ca: ipa
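Review bot: The `run_after` lookup `systemctl list-units | awk '/ceph-mgr/ {print $1}'` may never match on a cephadm host: the commit message says these services are deployed by cephadm, whose units are, as far as I know, named `ceph-<fsid>@mgr.<host>.service`, which does not contain the string `ceph-mgr`; if so, `mgr_unit` is empty, the `-n` branch is skipped, and the mgr keeps serving the old dashboard certificate after renewal without any error. Please verify the pattern against an actual unit name and consider failing loudly when nothing matches, e.g. `if [ -z "$mgr_unit" ]; then echo "no mgr unit found" >&2; exit 1; fi`. If several units can match, `"$mgr_unit"` becomes one newline-joined argument, so loop over it instead (`for u in $mgr_unit; do systemctl restart "$u"; done`).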
|
||||
|
@ -59,6 +59,7 @@ parameters:
|
||||
conditions:
|
||||
dashboard_enabled: {equals: [{get_param: CephEnableDashboard}, true]}
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
key_size_override_unset: {equals: [{get_param: CephCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
CephBase:
|
||||
@ -168,32 +169,6 @@ outputs:
|
||||
- radosgw_frontend_ssl_certificate: '/etc/pki/tls/certs/ceph_rgw.pem'
|
||||
- {get_attr: [CephRgwAnsibleVars, value, vars]}
|
||||
ceph_rgw_config_overrides: {get_attr: [CephRgwConfigOverrides, value, vars]}
|
||||
config_settings:
|
||||
map_merge:
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
ceph_rgw_certificate_specs:
|
||||
service_certificate: '/etc/pki/tls/certs/ceph_rgw.crt'
|
||||
service_key: '/etc/pki/tls/private/ceph_rgw.key'
|
||||
service_pem: '/etc/pki/tls/certs/ceph_rgw.pem'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "ceph_rgw/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-rgw-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: CephRgwCertificateKeySize}
|
||||
- {}
|
||||
metadata_settings:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
@ -202,3 +177,42 @@ outputs:
|
||||
network: {get_param: [ServiceNetMap, CephRgwNetwork]}
|
||||
type: node
|
||||
- null
|
||||
deploy_steps_tasks:
|
||||
- name: Certificate generation
|
||||
when:
|
||||
- step|int == 1
|
||||
- enable_internal_tls
|
||||
block:
|
||||
- include_role:
|
||||
name: linux-system-roles.certificate
|
||||
vars:
|
||||
certificate_requests:
|
||||
- name: ceph_rgw
|
||||
dns:
|
||||
str_replace:
|
||||
template: "{{fqdn_$NETWORK}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "ceph_rgw/{{fqdn_$NETWORK}}@{{idm_realm}}"
|
||||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
|
||||
run_after: |
|
||||
# Create PEM file
|
||||
pemfile=/etc/pki/tls/certs/ceph_rgw.pem
|
||||
cat /etc/pki/tls/certs/ceph_rgw.crt /etc/ipa/ca.crt /etc/pki/tls/private/ceph_rgw.key > $pemfile
|
||||
chmod 0640 $pemfile
|
||||
chown 472:472 $pemfile
|
||||
# Get ceph rgw systemd unit
|
||||
rgw_unit=$(systemctl list-unit-files | awk '/radosgw/ {print $1}')
|
||||
# Restart the rgw systemd unit
|
||||
if [ -n "$rgw_unit" ]; then
|
||||
systemctl restart "$rgw_unit"
|
||||
fi
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: CephRgwCertificateKeySize}
|
||||
ca: ipa
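Review bot: The PEM assembly in `run_after` writes the private key into `/etc/pki/tls/certs/ceph_rgw.pem` via a plain shell redirection, so the file is created with the process umask (commonly 0644, i.e. world-readable) and only tightened by the later `chmod 0640`; set `umask 077` before the `cat` so the key is never exposed, and add `set -e` at the top so a missing `/etc/ipa/ca.crt` or key does not silently produce a truncated PEM that rgw is then restarted with. The hard-coded `chown 472:472` looks like it was carried over from the grafana case (472 is typically grafana's uid); confirm that is the uid the radosgw container actually reads the PEM as, since Ceph daemons usually run as a different user. Separately, `key_size_override_unset` in this file is added on `CephCertificateKeySize`, while `key_size` here falls back to `CephRgwCertificateKeySize`, so setting only `CephRgwCertificateKeySize` is silently ignored in favour of the global `CertificateKeySize` unless `CephCertificateKeySize` is intended as a Ceph-wide switch.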
|
||||
|