Merge "Add parameter and CI config to enable Ceph OTW encryption" into stable/train
commit
3b09649ecd
|
@ -190,3 +190,4 @@ parameter_defaults:
|
||||||
osdkey: osdvalue
|
osdkey: osdvalue
|
||||||
foo: bar
|
foo: bar
|
||||||
NfsUrl: 127.0.0.1
|
NfsUrl: 127.0.0.1
|
||||||
|
CephMsgrSecureMode: true
|
||||||
|
|
|
@ -97,6 +97,12 @@ parameters:
|
||||||
description: >
|
description: >
|
||||||
The Ceph cluster name must be at least 1 character and contain only
|
The Ceph cluster name must be at least 1 character and contain only
|
||||||
letters and numbers.
|
letters and numbers.
|
||||||
|
CephMsgrSecureMode:
|
||||||
|
type: boolean
|
||||||
|
default: false
|
||||||
|
description: >
|
||||||
|
Enable Ceph msgr2 secure mode to enable on-wire encryption between Ceph
|
||||||
|
daemons and also between Ceph clients and daemons.
|
||||||
CephPoolDefaultPgNum:
|
CephPoolDefaultPgNum:
|
||||||
description: default pg_num to use for the RBD pools
|
description: default pg_num to use for the RBD pools
|
||||||
type: number
|
type: number
|
||||||
|
@ -348,6 +354,7 @@ conditions:
|
||||||
deprecated_data_pool_pgnum: {not: {equals: [{get_param: ManilaCephFSDataPoolPGNum}, 128]}}
|
deprecated_data_pool_pgnum: {not: {equals: [{get_param: ManilaCephFSDataPoolPGNum}, 128]}}
|
||||||
deprecated_metadata_pool_pgnum: {not: {equals: [{get_param: ManilaCephFSMetadataPoolPGNum}, 128]}}
|
deprecated_metadata_pool_pgnum: {not: {equals: [{get_param: ManilaCephFSMetadataPoolPGNum}, 128]}}
|
||||||
dashboard_is_enabled: {equals: [{get_param: CephEnableDashboard}, true]}
|
dashboard_is_enabled: {equals: [{get_param: CephEnableDashboard}, true]}
|
||||||
|
msgr_secure_mode: {equals: [{get_param: CephMsgrSecureMode}, true]}
|
||||||
custom_registry_host:
|
custom_registry_host:
|
||||||
yaql:
|
yaql:
|
||||||
data: {get_param: ContainerCephDaemonImage}
|
data: {get_param: ContainerCephDaemonImage}
|
||||||
|
@ -430,6 +437,17 @@ resources:
|
||||||
expression: $.data.rightSplit(':', 1)[1]
|
expression: $.data.rightSplit(':', 1)[1]
|
||||||
data: {get_param: ContainerCephDaemonImage}
|
data: {get_param: ContainerCephDaemonImage}
|
||||||
|
|
||||||
|
MsgrSecureModeOverrides:
|
||||||
|
type: OS::Heat::Value
|
||||||
|
properties:
|
||||||
|
type: json
|
||||||
|
value:
|
||||||
|
vars:
|
||||||
|
global:
|
||||||
|
ms_cluster_mode: secure
|
||||||
|
ms_service_mode: secure
|
||||||
|
ms_client_mode: secure
|
||||||
|
|
||||||
DefaultCephConfigOverrides:
|
DefaultCephConfigOverrides:
|
||||||
type: OS::Heat::Value
|
type: OS::Heat::Value
|
||||||
properties:
|
properties:
|
||||||
|
@ -632,7 +650,15 @@ outputs:
|
||||||
ceph_pools: {get_attr: [CephBasePoolVars, value, vars]}
|
ceph_pools: {get_attr: [CephBasePoolVars, value, vars]}
|
||||||
manila_pools: {get_attr: [CephManilaPoolVars, value, vars]}
|
manila_pools: {get_attr: [CephManilaPoolVars, value, vars]}
|
||||||
ceph_keys: {get_attr: [CephKeyVars, value, vars]}
|
ceph_keys: {get_attr: [CephKeyVars, value, vars]}
|
||||||
ceph_default_overrides: {get_attr: [DefaultCephConfigOverrides, value, vars]}
|
ceph_default_overrides:
|
||||||
|
if:
|
||||||
|
- msgr_secure_mode
|
||||||
|
- yaql:
|
||||||
|
expression: ($.data.default).mergeWith($.data.secure)
|
||||||
|
data:
|
||||||
|
default: {get_attr: [DefaultCephConfigOverrides, value, vars]}
|
||||||
|
secure: {get_attr: [MsgrSecureModeOverrides, value, vars]}
|
||||||
|
- {get_attr: [DefaultCephConfigOverrides, value, vars]}
|
||||||
ceph_config_overrides: {get_param: CephConfigOverrides}
|
ceph_config_overrides: {get_param: CephConfigOverrides}
|
||||||
- name: set ceph-ansible facts
|
- name: set ceph-ansible facts
|
||||||
set_fact:
|
set_fact:
|
||||||
|
|
|
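Review bot: `MsgrSecureModeOverrides` pins only `ms_cluster_mode`, `ms_service_mode` and `ms_client_mode` to `secure`. The monitor-side options (`ms_mon_cluster_mode`, `ms_mon_service_mode`, `ms_mon_client_mode`) stay at their Ceph defaults, which as far as I know still allow a fallback to `crc`, so monitor connections are not forced to encrypt; if the intent is "secure only", add `ms_mon_cluster_mode: secure`, `ms_mon_service_mode: secure` and `ms_mon_client_mode: secure` under `global`. In the `ceph_default_overrides` output the secure values are merged only over `DefaultCephConfigOverrides`, while `ceph_config_overrides` is passed through separately. If the consumer applies that last (not visible in these hunks), an operator-supplied `ms_*_mode` would silently undo the setting, so a comment or a validation there would help. The `CephMsgrSecureMode` description should also state the scope, for example `Applies to msgr v2 connections only; clients that connect over msgr v1 are not encrypted.` The `resources` and `outputs` blocks continue outside the hunks shown.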
@ -16,3 +16,10 @@ parameter_defaults:
|
||||||
GlanceBackend: rbd
|
GlanceBackend: rbd
|
||||||
## Uncomment below if enabling legacy telemetry
|
## Uncomment below if enabling legacy telemetry
|
||||||
# GnocchiBackend: rbd
|
# GnocchiBackend: rbd
|
||||||
|
|
||||||
|
## Set to enable on-wire encryption
|
||||||
|
## Using secure mode can cause a performance degradation with the storage cluster.
|
||||||
|
## The severity of the performance degradation can vary depending on several
|
||||||
|
## environmental factors.
|
||||||
|
## Test the performance impact in a non-production environment before implementing.
|
||||||
|
# CephMsgrSecureMode: true
|
||||||
|
|