From 1954c3b2514349296621e47a43dda0991f4722c7 Mon Sep 17 00:00:00 2001 From: Francesco Pantano Date: Sat, 3 Apr 2021 15:09:29 +0200 Subject: [PATCH] Move Ceph services to linux-system-roles.certificate When Ceph is deployed by cephadm and tls-everywhere is enabled, all the related certificates and keys should be created by TripleO. For this reason, this change aligns these services to use the role [1] for key and cert generation. [1] https://github.com/linux-system-roles/certificate Change-Id: I8cb69256e57f20dd1050f99fa305c56f22435bc2 --- deployment/cephadm/ceph-grafana.yaml | 59 ++++++++++++++----------- deployment/cephadm/ceph-mgr.yaml | 60 ++++++++++++++----------- deployment/cephadm/ceph-rgw.yaml | 66 +++++++++++++++++----------- 3 files changed, 109 insertions(+), 76 deletions(-) diff --git a/deployment/cephadm/ceph-grafana.yaml b/deployment/cephadm/ceph-grafana.yaml index 166d9df3e7..79a3915a32 100644 --- a/deployment/cephadm/ceph-grafana.yaml +++ b/deployment/cephadm/ceph-grafana.yaml @@ -159,31 +159,6 @@ outputs: tripleo_cephadm_grafana_key: '/etc/pki/tls/private/ceph_grafana.key' expression: $.data.default.mergeWith($.data.certmap) - {get_attr: [CephGrafanaAnsibleVars, value, vars]} - config_settings: - map_merge: - - if: - - internal_tls_enabled - - - ceph_grafana_certificate_specs: - service_certificate: '/etc/pki/tls/certs/ceph_grafana.crt' - service_key: '/etc/pki/tls/private/ceph_grafana.key' - hostname: - str_replace: - template: "%{hiera('fqdn_NETWORK')}" - params: - NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]} - principal: - str_replace: - template: "ceph_grafana/%{hiera('fqdn_NETWORK')}" - params: - NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]} - postsave_cmd: "/usr/bin/certmonger-grafana-refresh.sh" - key_size: - if: - - key_size_override_unset - - {get_param: CertificateKeySize} - - {get_param: GrafanaCertificateKeySize} - - {} metadata_settings: if: - internal_tls_enabled 
@@ -192,3 +167,37 @@ outputs: network: {get_param: [ServiceNetMap, CephGrafanaNetwork]} type: node - null + deploy_steps_tasks: + - name: Certificate generation + when: + - step|int == 1 + - enable_internal_tls + block: + - include_role: + name: linux-system-roles.certificate + vars: + certificate_requests: + - name: ceph_grafana + dns: + str_replace: + template: "{{fqdn_$NETWORK}}" + params: + $NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]} + principal: + str_replace: + template: "ceph_grafana/{{fqdn_$NETWORK}}@{{idm_realm}}" + params: + $NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]} + run_after: | + # Get grafana systemd unit + grafana_unit=$(systemctl list-unit-files | awk '/grafana/ {print $1}') + # Restart the grafana systemd unit + if [ -z "$grafana_unit" ]; then + systemctl restart "$grafana_unit" + fi + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: GrafanaCertificateKeySize} + ca: ipa diff --git a/deployment/cephadm/ceph-mgr.yaml b/deployment/cephadm/ceph-mgr.yaml index 6c5bdecabf..ba2febd6ea 100644 --- a/deployment/cephadm/ceph-mgr.yaml +++ b/deployment/cephadm/ceph-mgr.yaml @@ -72,6 +72,7 @@ conditions: - equals: - get_param: EnableInternalTLS - true + key_size_override_unset: {equals: [{get_param: CephCertificateKeySize}, '']} resources: CephBase: 
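Review bot: The restart guard in the grafana `run_after` script is inverted: `if [ -z "$grafana_unit" ]; then` enters the branch only when no unit was found, so a found unit is never restarted after a renewal and the empty case runs `systemctl restart ""`. The mgr and rgw hunks in this same patch use `-n`; this one should read `if [ -n "$grafana_unit" ]; then`. Separately, `awk '/grafana/'` over `systemctl list-unit-files` can match more than one unit file and the double-quoted variable then hands all of them to `systemctl restart` as a single argument, so either tighten the pattern or loop over the matches. The enclosing `outputs:` mapping begins before this hunk.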
@@ -144,31 +145,6 @@ outputs: - tripleo_cephadm_dashboard_grafana_api_no_ssl_verify: true - {get_attr: [CephMgrAnsibleVars, value, vars]} - {} - config_settings: - map_merge: - - if: - - internal_tls_enabled - - - ceph_dashboard_certificate_specs: - service_certificate: '/etc/pki/tls/certs/ceph_dashboard.crt' - service_key: '/etc/pki/tls/private/ceph_dashboard.key' - hostname: - str_replace: - template: "%{hiera('fqdn_NETWORK')}" - params: - NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]} - principal: - str_replace: - template: "ceph_dashboard/%{hiera('fqdn_NETWORK')}" - params: - NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]} - postsave_cmd: "/usr/bin/certmonger-dashboard-refresh.sh" - key_size: - if: - - key_size_override_unset - - {get_param: CertificateKeySize} - - {get_param: CephCertificateKeySize} - - {} metadata_settings: if: - internal_tls_enabled @@ -177,3 +153,37 @@ outputs: network: {get_param: [ServiceNetMap, CephDashboardNetwork]} type: node - null + deploy_steps_tasks: + - name: Certificate generation + when: + - step|int == 1 + - enable_internal_tls + block: + - include_role: + name: linux-system-roles.certificate + vars: + certificate_requests: + - name: ceph_dashboard + dns: + str_replace: + template: "{{fqdn_$NETWORK}}" + params: + $NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]} + principal: + str_replace: + template: "ceph_dashboard/{{fqdn_$NETWORK}}@{{idm_realm}}" + params: + $NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]} + run_after: | + # Get mgr systemd unit + mgr_unit=$(systemctl list-units | awk '/ceph-mgr/ {print $1}') + # Restart the mgr systemd unit + if [ -n "$mgr_unit" ]; then + systemctl restart "$mgr_unit" + fi + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: CephCertificateKeySize} + ca: ipa diff --git a/deployment/cephadm/ceph-rgw.yaml b/deployment/cephadm/ceph-rgw.yaml index 08fd86af34..185c95d6fa 100644 
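Review bot: `mgr_unit=$(systemctl list-units | awk '/ceph-mgr/ {print $1}')` in the mgr `run_after` script can yield something other than a unit name: the first column of `list-units` output may be the `●` status marker for a failed unit, and several matching lines end up as one double-quoted argument to `systemctl restart`, which then fails. Use `systemctl list-units --plain --no-legend | awk '/ceph-mgr/ {print $1}'` and restart each match, e.g. `for u in $mgr_unit; do systemctl restart "$u"; done`. The grafana and rgw hunks do the same lookup with `list-unit-files`; settling on one form keeps the three services consistent. Whether the cephadm-managed mgr unit name actually contains `ceph-mgr` is not visible here and is worth confirming, since a non-match silently skips the restart on renewal.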
--- a/deployment/cephadm/ceph-rgw.yaml +++ b/deployment/cephadm/ceph-rgw.yaml @@ -59,6 +59,7 @@ parameters: conditions: dashboard_enabled: {equals: [{get_param: CephEnableDashboard}, true]} internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: CephCertificateKeySize}, '']} resources: CephBase: @@ -168,32 +169,6 @@ outputs: - radosgw_frontend_ssl_certificate: '/etc/pki/tls/certs/ceph_rgw.pem' - {get_attr: [CephRgwAnsibleVars, value, vars]} ceph_rgw_config_overrides: {get_attr: [CephRgwConfigOverrides, value, vars]} - config_settings: - map_merge: - - if: - - internal_tls_enabled - - - ceph_rgw_certificate_specs: - service_certificate: '/etc/pki/tls/certs/ceph_rgw.crt' - service_key: '/etc/pki/tls/private/ceph_rgw.key' - service_pem: '/etc/pki/tls/certs/ceph_rgw.pem' - hostname: - str_replace: - template: "%{hiera('fqdn_NETWORK')}" - params: - NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]} - principal: - str_replace: - template: "ceph_rgw/%{hiera('fqdn_NETWORK')}" - params: - NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]} - postsave_cmd: "/usr/bin/certmonger-rgw-refresh.sh" - key_size: - if: - - key_size_override_unset - - {get_param: CertificateKeySize} - - {get_param: CephRgwCertificateKeySize} - - {} metadata_settings: if: - internal_tls_enabled 
@@ -202,3 +177,42 @@ outputs: network: {get_param: [ServiceNetMap, CephRgwNetwork]} type: node - null + deploy_steps_tasks: + - name: Certificate generation + when: + - step|int == 1 + - enable_internal_tls + block: + - include_role: + name: linux-system-roles.certificate + vars: + certificate_requests: + - name: ceph_rgw + dns: + str_replace: + template: "{{fqdn_$NETWORK}}" + params: + $NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]} + principal: + str_replace: + template: "ceph_rgw/{{fqdn_$NETWORK}}@{{idm_realm}}" + params: + $NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]} + run_after: | + # Create PEM file + pemfile=/etc/pki/tls/certs/ceph_rgw.pem + cat /etc/pki/tls/certs/ceph_rgw.crt /etc/ipa/ca.crt /etc/pki/tls/private/ceph_rgw.key > $pemfile + chmod 0640 $pemfile + chown 472:472 $pemfile + # Get ceph rgw systemd unit + rgw_unit=$(systemctl list-unit-files | awk '/radosgw/ {print $1}') + # Restart the rgw systemd unit + if [ -n "$rgw_unit" ]; then + systemctl restart "$rgw_unit" + fi + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: CephRgwCertificateKeySize} + ca: ipa
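Review bot: `cat ... > $pemfile` writes the PEM, which embeds the private key, under the process's default umask before the `chmod 0640` and `chown` on the following lines, so the key is briefly readable by any local user, in `/etc/pki/tls/certs/` which otherwise holds only public material. Put `umask 077` before the `cat` (or create the file with its final ownership first, `install -m 0640 -o 472 -g 472 /dev/null "$pemfile"`, and append with `>>`), and quote `"$pemfile"` throughout. The hard-coded `472:472` owner carries no explanation; a comment stating which container user reads this file would let a reviewer confirm it is the user the rgw container runs as. Because the script has no `set -e`, a missing `/etc/ipa/ca.crt` still produces a PEM, just an incomplete one that radosgw will reject at its next start.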