Add parameter and CI config to enable Ceph OTW encryption

Starting with Ceph Nautilus it is possible to enable on-the-wire (OTW)
encryption between daemons and clients via msgr2 "secure" mode.

This change adds a setting to optionally configure Ceph with OTW
encryption and a setting in scenario001-standalone to test it.

Change-Id: I5d046b814a211aec9051f5278f98a3e81580057c
Giulio Fidente 2020-09-01 18:57:25 +02:00
parent 01c72fbb99
commit 89e35393db
3 changed files with 35 additions and 1 deletions


@ -185,3 +185,4 @@ parameter_defaults:
osdkey: osdvalue osdkey: osdvalue
foo: bar foo: bar
NfsUrl: 127.0.0.1 NfsUrl: 127.0.0.1
CephMsgrSecureMode: true


@ -97,6 +97,12 @@ parameters:
description: > description: >
The Ceph cluster name must be at least 1 character and contain only The Ceph cluster name must be at least 1 character and contain only
letters and numbers. letters and numbers.
CephMsgrSecureMode:
type: boolean
default: false
description: >
Enable Ceph msgr2 secure mode to enable on-wire encryption between Ceph
daemons and also between Ceph clients and daemons.
CephPoolDefaultPgNum: CephPoolDefaultPgNum:
description: default pg_num to use for the RBD pools description: default pg_num to use for the RBD pools
type: number type: number
@ -332,6 +338,7 @@ parameter_groups:
conditions: conditions:
dashboard_is_enabled: {equals: [{get_param: CephEnableDashboard}, true]} dashboard_is_enabled: {equals: [{get_param: CephEnableDashboard}, true]}
msgr_secure_mode: {equals: [{get_param: CephMsgrSecureMode}, true]}
custom_registry_host: custom_registry_host:
yaql: yaql:
data: {get_param: ContainerCephDaemonImage} data: {get_param: ContainerCephDaemonImage}
@ -395,6 +402,17 @@ resources:
expression: $.data.rightSplit(':', 1)[1] expression: $.data.rightSplit(':', 1)[1]
data: {get_param: ContainerCephDaemonImage} data: {get_param: ContainerCephDaemonImage}
MsgrSecureModeOverrides:
type: OS::Heat::Value
properties:
type: json
value:
vars:
global:
ms_cluster_mode: secure
ms_service_mode: secure
ms_client_mode: secure
DefaultCephConfigOverrides: DefaultCephConfigOverrides:
type: OS::Heat::Value type: OS::Heat::Value
properties: properties:
@ -581,7 +599,15 @@ outputs:
ceph_pools: {get_attr: [CephBasePoolVars, value, vars]} ceph_pools: {get_attr: [CephBasePoolVars, value, vars]}
manila_pools: {get_attr: [CephManilaPoolVars, value, vars]} manila_pools: {get_attr: [CephManilaPoolVars, value, vars]}
ceph_keys: {get_attr: [CephKeyVars, value, vars]} ceph_keys: {get_attr: [CephKeyVars, value, vars]}
ceph_default_overrides: {get_attr: [DefaultCephConfigOverrides, value, vars]} ceph_default_overrides:
if:
- msgr_secure_mode
- yaql:
expression: ($.data.default).mergeWith($.data.secure)
data:
default: {get_attr: [DefaultCephConfigOverrides, value, vars]}
secure: {get_attr: [MsgrSecureModeOverrides, value, vars]}
- {get_attr: [DefaultCephConfigOverrides, value, vars]}
ceph_config_overrides: {get_param: CephConfigOverrides} ceph_config_overrides: {get_param: CephConfigOverrides}
- name: set ceph-ansible facts - name: set ceph-ansible facts
set_fact: set_fact:
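Review bot: The CephMsgrSecureMode description in the first hunk promises encryption between all daemons and clients, but the three `ms_*_mode: secure` keys placed under `global` in MsgrSecureModeOverrides only govern msgr2 sessions; any peer that still negotiates msgr v1 (a daemon not yet advertising v2, or a client whose librados or kernel client lacks v2 support) keeps talking in the clear on the v1 port unless `ms_bind_msgr1` is also disabled, which this change does not do. Secure mode also derives its AES-GCM session keys from cephx, so it presumes cephx authentication stays enabled in the merged defaults — that setting is not visible in this hunk, so please confirm it. I would say so in the parameter description, e.g. `Enable Ceph msgr2 secure mode (on-wire encryption). Only msgr2 sessions are protected: peers that fall back to msgr v1 stay unencrypted, and cephx authentication must remain enabled.` Separately, the yaql merge folds the secure keys only into ceph_default_overrides while CephConfigOverrides is emitted untouched on the next line, so a user-supplied ms_*_mode there may silently win depending on how ceph-ansible orders the two; a one-line comment above the `if:` noting that precedence would save the next reader a trip into ceph-ansible.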


@ -16,3 +16,10 @@ parameter_defaults:
GlanceBackend: rbd GlanceBackend: rbd
## Uncomment below if enabling legacy telemetry ## Uncomment below if enabling legacy telemetry
# GnocchiBackend: rbd # GnocchiBackend: rbd
## Set to enable on-wire encryption
## Using secure mode can cause a performance degradation with the storage cluster.
## The severity of the performance degradation can vary depending on several
## environmental factors.
## Test the performance impact in a non-production environment before implementing.
# CephMsgrSecureMode: true