openstack/tripleo-heat-templates
Code Issues Proposed changes

Move Ceph services to linux-system-roles.certificate

Browse Source 
When Ceph is deployed by cephadm and tls-everywhere is enabled,
all the related certificates and keys should be created by TripleO.
For this reason, this change aligns these services to use the role [1]
for key and cert generation.

[1] https://github.com/linux-system-roles/certificate

Change-Id: I8cb69256e57f20dd1050f99fa305c56f22435bc2
This commit is contained in:
Francesco Pantano 2021-04-03 15:09:29 +02:00
parent 76cb99a2a7
commit 1954c3b251
No known key found for this signature in database
GPG Key ID: 0458D4D1F41BD75C
3 changed files with 109 additions and 76 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
deployment/cephadm/ceph-grafana.yaml
View File

@ -159,31 +159,6 @@ outputs:
tripleo_cephadm_grafana_key: '/etc/pki/tls/private/ceph_grafana.key' tripleo_cephadm_grafana_key: '/etc/pki/tls/private/ceph_grafana.key'
expression: $.data.default.mergeWith($.data.certmap) expression: $.data.default.mergeWith($.data.certmap)
- {get_attr: [CephGrafanaAnsibleVars, value, vars]} - {get_attr: [CephGrafanaAnsibleVars, value, vars]}
config_settings:
map_merge:
- if:
- internal_tls_enabled
-
ceph_grafana_certificate_specs:
service_certificate: '/etc/pki/tls/certs/ceph_grafana.crt'
service_key: '/etc/pki/tls/private/ceph_grafana.key'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
principal:
str_replace:
template: "ceph_grafana/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
postsave_cmd: "/usr/bin/certmonger-grafana-refresh.sh"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: GrafanaCertificateKeySize}
- {}
metadata_settings: metadata_settings:
if: if:
- internal_tls_enabled - internal_tls_enabled
@ -192,3 +167,37 @@ outputs:
network: {get_param: [ServiceNetMap, CephGrafanaNetwork]} network: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
type: node type: node
- null - null
deploy_steps_tasks:
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: ceph_grafana
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
principal:
str_replace:
template: "ceph_grafana/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
run_after: |
# Get grafana systemd unit
grafana_unit=$(systemctl list-unit-files | awk '/grafana/ {print $1}')
# Restart the grafana systemd unit
if [ -z "$grafana_unit" ]; then
systemctl restart "$grafana_unit"
fi
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: GrafanaCertificateKeySize}
ca: ipa

60
deployment/cephadm/ceph-mgr.yaml
View File

@ -72,6 +72,7 @@ conditions:
- equals: - equals:
- get_param: EnableInternalTLS - get_param: EnableInternalTLS
- true - true
key_size_override_unset: {equals: [{get_param: CephCertificateKeySize}, '']}
resources: resources:
CephBase: CephBase:
@ -144,31 +145,6 @@ outputs:
- tripleo_cephadm_dashboard_grafana_api_no_ssl_verify: true - tripleo_cephadm_dashboard_grafana_api_no_ssl_verify: true
- {get_attr: [CephMgrAnsibleVars, value, vars]} - {get_attr: [CephMgrAnsibleVars, value, vars]}
- {} - {}
config_settings:
map_merge:
- if:
- internal_tls_enabled
-
ceph_dashboard_certificate_specs:
service_certificate: '/etc/pki/tls/certs/ceph_dashboard.crt'
service_key: '/etc/pki/tls/private/ceph_dashboard.key'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
principal:
str_replace:
template: "ceph_dashboard/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
postsave_cmd: "/usr/bin/certmonger-dashboard-refresh.sh"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: CephCertificateKeySize}
- {}
metadata_settings: metadata_settings:
if: if:
- internal_tls_enabled - internal_tls_enabled
@ -177,3 +153,37 @@ outputs:
network: {get_param: [ServiceNetMap, CephDashboardNetwork]} network: {get_param: [ServiceNetMap, CephDashboardNetwork]}
type: node type: node
- null - null
deploy_steps_tasks:
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: ceph_dashboard
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
principal:
str_replace:
template: "ceph_dashboard/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
run_after: |
# Get mgr systemd unit
mgr_unit=$(systemctl list-units | awk '/ceph-mgr/ {print $1}')
# Restart the mgr systemd unit
if [ -n "$mgr_unit" ]; then
systemctl restart "$mgr_unit"
fi
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: CephCertificateKeySize}
ca: ipa

66
deployment/cephadm/ceph-rgw.yaml
View File

@ -59,6 +59,7 @@ parameters:
conditions: conditions:
dashboard_enabled: {equals: [{get_param: CephEnableDashboard}, true]} dashboard_enabled: {equals: [{get_param: CephEnableDashboard}, true]}
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
key_size_override_unset: {equals: [{get_param: CephCertificateKeySize}, '']}
resources: resources:
CephBase: CephBase:
@ -168,32 +169,6 @@ outputs:
- radosgw_frontend_ssl_certificate: '/etc/pki/tls/certs/ceph_rgw.pem' - radosgw_frontend_ssl_certificate: '/etc/pki/tls/certs/ceph_rgw.pem'
- {get_attr: [CephRgwAnsibleVars, value, vars]} - {get_attr: [CephRgwAnsibleVars, value, vars]}
ceph_rgw_config_overrides: {get_attr: [CephRgwConfigOverrides, value, vars]} ceph_rgw_config_overrides: {get_attr: [CephRgwConfigOverrides, value, vars]}
config_settings:
map_merge:
- if:
- internal_tls_enabled
-
ceph_rgw_certificate_specs:
service_certificate: '/etc/pki/tls/certs/ceph_rgw.crt'
service_key: '/etc/pki/tls/private/ceph_rgw.key'
service_pem: '/etc/pki/tls/certs/ceph_rgw.pem'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
principal:
str_replace:
template: "ceph_rgw/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
postsave_cmd: "/usr/bin/certmonger-rgw-refresh.sh"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: CephRgwCertificateKeySize}
- {}
metadata_settings: metadata_settings:
if: if:
- internal_tls_enabled - internal_tls_enabled
@ -202,3 +177,42 @@ outputs:
network: {get_param: [ServiceNetMap, CephRgwNetwork]} network: {get_param: [ServiceNetMap, CephRgwNetwork]}
type: node type: node
- null - null
deploy_steps_tasks:
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
- name: ceph_rgw
dns:
str_replace:
template: "{{fqdn_$NETWORK}}"
params:
$NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
principal:
str_replace:
template: "ceph_rgw/{{fqdn_$NETWORK}}@{{idm_realm}}"
params:
$NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
run_after: |
# Create PEM file
pemfile=/etc/pki/tls/certs/ceph_rgw.pem
cat /etc/pki/tls/certs/ceph_rgw.crt /etc/ipa/ca.crt /etc/pki/tls/private/ceph_rgw.key > $pemfile
chmod 0640 $pemfile
chown 472:472 $pemfile
# Get ceph rgw systemd unit
rgw_unit=$(systemctl list-unit-files | awk '/radosgw/ {print $1}')
# Restart the rgw systemd unit
if [ -n "$rgw_unit" ]; then
systemctl restart "$rgw_unit"
fi
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: CephRgwCertificateKeySize}
ca: ipa