Merge "Move Ceph services to linux-system-roles.certificate"

1 year ago · f97b6259fc
3 changed files with 109 additions and 76 deletions
--- a/deployment/cephadm/ceph-grafana.yaml
+++ b/deployment/cephadm/ceph-grafana.yaml
@ -159,31 +159,6 @@ outputs:
                            tripleo_cephadm_grafana_key: '/etc/pki/tls/private/ceph_grafana.key'
                        expression: $.data.default.mergeWith($.data.certmap)
                    - {get_attr: [CephGrafanaAnsibleVars, value, vars]}
-      config_settings:
-        map_merge:
-          - if:
-            - internal_tls_enabled
-            -
-              ceph_grafana_certificate_specs:
-                service_certificate: '/etc/pki/tls/certs/ceph_grafana.crt'
-                service_key: '/etc/pki/tls/private/ceph_grafana.key'
-                hostname:
-                  str_replace:
-                    template: "%{hiera('fqdn_NETWORK')}"
-                    params:
-                      NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
-                principal:
-                  str_replace:
-                    template: "ceph_grafana/%{hiera('fqdn_NETWORK')}"
-                    params:
-                      NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
-                postsave_cmd: "/usr/bin/certmonger-grafana-refresh.sh"
-                key_size:
-                  if:
-                    - key_size_override_unset
-                    - {get_param: CertificateKeySize}
-                    - {get_param: GrafanaCertificateKeySize}
-            - {}
      metadata_settings:
        if:
        - internal_tls_enabled
@ -192,3 +167,37 @@ outputs:
            network: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
            type: node
        - null
+      deploy_steps_tasks:
+        - name: Certificate generation
+          when:
+            - step|int == 1
+            - enable_internal_tls
+          block:
+            - include_role:
+                name: linux-system-roles.certificate
+              vars:
+                certificate_requests:
+                  - name: ceph_grafana
+                    dns:
+                      str_replace:
+                        template: "{{fqdn_$NETWORK}}"
+                        params:
+                          $NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
+                    principal:
+                      str_replace:
+                        template: "ceph_grafana/{{fqdn_$NETWORK}}@{{idm_realm}}"
+                        params:
+                          $NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
+                    run_after: |
+                      # Get grafana systemd unit
+                      grafana_unit=$(systemctl list-unit-files | awk '/grafana/ {print $1}')
+                      # Restart the grafana systemd unit
+                      if [ -z "$grafana_unit" ]; then
+                          systemctl restart "$grafana_unit"
+                      fi
+                    key_size:
+                      if:
+                        - key_size_override_unset
+                        - {get_param: CertificateKeySize}
+                        - {get_param: GrafanaCertificateKeySize}
+                    ca: ipa
--- a/deployment/cephadm/ceph-mgr.yaml
+++ b/deployment/cephadm/ceph-mgr.yaml
@ -72,6 +72,7 @@ conditions:
      - equals:
          - get_param: EnableInternalTLS
          - true
+  key_size_override_unset: {equals: [{get_param: CephCertificateKeySize}, '']}

 resources:
  CephBase:
@ -144,31 +145,6 @@ outputs:
                          - tripleo_cephadm_dashboard_grafana_api_no_ssl_verify: true
                        - {get_attr: [CephMgrAnsibleVars, value, vars]}
                    - {}
-      config_settings:
-        map_merge:
-          - if:
-            - internal_tls_enabled
-            -
-              ceph_dashboard_certificate_specs:
-                service_certificate: '/etc/pki/tls/certs/ceph_dashboard.crt'
-                service_key: '/etc/pki/tls/private/ceph_dashboard.key'
-                hostname:
-                  str_replace:
-                    template: "%{hiera('fqdn_NETWORK')}"
-                    params:
-                      NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
-                principal:
-                  str_replace:
-                    template: "ceph_dashboard/%{hiera('fqdn_NETWORK')}"
-                    params:
-                      NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
-                postsave_cmd: "/usr/bin/certmonger-dashboard-refresh.sh"
-                key_size:
-                  if:
-                    - key_size_override_unset
-                    - {get_param: CertificateKeySize}
-                    - {get_param: CephCertificateKeySize}
-            - {}
      metadata_settings:
        if:
        - internal_tls_enabled
@ -177,3 +153,37 @@ outputs:
            network: {get_param: [ServiceNetMap, CephDashboardNetwork]}
            type: node
        - null
+      deploy_steps_tasks:
+        - name: Certificate generation
+          when:
+            - step|int == 1
+            - enable_internal_tls
+          block:
+            - include_role:
+                name: linux-system-roles.certificate
+              vars:
+                certificate_requests:
+                  - name: ceph_dashboard
+                    dns:
+                      str_replace:
+                        template: "{{fqdn_$NETWORK}}"
+                        params:
+                          $NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
+                    principal:
+                      str_replace:
+                        template: "ceph_dashboard/{{fqdn_$NETWORK}}@{{idm_realm}}"
+                        params:
+                          $NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
+                    run_after: |
+                      # Get mgr systemd unit
+                      mgr_unit=$(systemctl list-units | awk '/ceph-mgr/ {print $1}')
+                      # Restart the mgr systemd unit
+                      if [ -n "$mgr_unit" ]; then
+                          systemctl restart "$mgr_unit"
+                      fi
+                    key_size:
+                      if:
+                        - key_size_override_unset
+                        - {get_param: CertificateKeySize}
+                        - {get_param: CephCertificateKeySize}
+                    ca: ipa
--- a/deployment/cephadm/ceph-rgw.yaml
+++ b/deployment/cephadm/ceph-rgw.yaml
@ -59,6 +59,7 @@ parameters:
 conditions:
  dashboard_enabled: {equals: [{get_param: CephEnableDashboard}, true]}
  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+  key_size_override_unset: {equals: [{get_param: CephCertificateKeySize}, '']}

 resources:
  CephBase:
@ -168,32 +169,6 @@ outputs:
                      - radosgw_frontend_ssl_certificate: '/etc/pki/tls/certs/ceph_rgw.pem'
                    - {get_attr: [CephRgwAnsibleVars, value, vars]}
                  ceph_rgw_config_overrides: {get_attr: [CephRgwConfigOverrides, value, vars]}
-      config_settings:
-        map_merge:
-          - if:
-            - internal_tls_enabled
-            -
-              ceph_rgw_certificate_specs:
-                service_certificate: '/etc/pki/tls/certs/ceph_rgw.crt'
-                service_key: '/etc/pki/tls/private/ceph_rgw.key'
-                service_pem: '/etc/pki/tls/certs/ceph_rgw.pem'
-                hostname:
-                  str_replace:
-                    template: "%{hiera('fqdn_NETWORK')}"
-                    params:
-                      NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
-                principal:
-                  str_replace:
-                    template: "ceph_rgw/%{hiera('fqdn_NETWORK')}"
-                    params:
-                      NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
-                postsave_cmd: "/usr/bin/certmonger-rgw-refresh.sh"
-                key_size:
-                  if:
-                    - key_size_override_unset
-                    - {get_param: CertificateKeySize}
-                    - {get_param: CephRgwCertificateKeySize}
-            - {}
      metadata_settings:
        if:
        - internal_tls_enabled
@ -202,3 +177,42 @@ outputs:
            network: {get_param: [ServiceNetMap, CephRgwNetwork]}
            type: node
        - null
+      deploy_steps_tasks:
+        - name: Certificate generation
+          when:
+            - step|int == 1
+            - enable_internal_tls
+          block:
+            - include_role:
+                name: linux-system-roles.certificate
+              vars:
+                certificate_requests:
+                  - name: ceph_rgw
+                    dns:
+                      str_replace:
+                        template: "{{fqdn_$NETWORK}}"
+                        params:
+                          $NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
+                    principal:
+                      str_replace:
+                        template: "ceph_rgw/{{fqdn_$NETWORK}}@{{idm_realm}}"
+                        params:
+                          $NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
+                    run_after: |
+                      # Create PEM file
+                      pemfile=/etc/pki/tls/certs/ceph_rgw.pem
+                      cat /etc/pki/tls/certs/ceph_rgw.crt /etc/ipa/ca.crt /etc/pki/tls/private/ceph_rgw.key > $pemfile
+                      chmod 0640 $pemfile
+                      chown 472:472 $pemfile
+                      # Get ceph rgw systemd unit
+                      rgw_unit=$(systemctl list-unit-files | awk '/radosgw/ {print $1}')
+                      # Restart the rgw systemd unit
+                      if [ -n "$rgw_unit" ]; then
+                          systemctl restart "$rgw_unit"
+                      fi
+                    key_size:
+                      if:
+                        - key_size_override_unset
+                        - {get_param: CertificateKeySize}
+                        - {get_param: CephRgwCertificateKeySize}
+                    ca: ipa