heat_template_version: wallaby description: > Ceph RadosGW service. parameters: ServiceData: default: {} description: Dictionary packing service data type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. This mapping overrides those in ServiceNetMapDefaults. type: json RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json SwiftPassword: description: The password for the swift service account type: string hidden: true KeystoneRegion: type: string default: 'regionOne' description: Keystone region for endpoint CephEnableDashboard: type: boolean default: false description: Parameter used to trigger the dashboard deployment. EnableInternalTLS: type: boolean default: false CertificateKeySize: type: string default: '2048' description: Specifies the private key size used when creating the certificate. CephRgwCertificateKeySize: type: string default: '' description: Override the private key size used when creating the certificate for this service conditions: dashboard_enabled: {equals: [{get_param: CephEnableDashboard}, true]} internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} key_size_override_unset: {equals: [{get_param: CephRgwCertificateKeySize}, '']} resources: CephBase: type: ./ceph-base.yaml properties: ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} EndpointMap: {get_param: EndpointMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} CephRgwAnsibleVars: type: OS::Heat::Value properties: type: json value: vars: radosgw_keystone: true radosgw_keystone_ssl: false radosgw_address_block: list_join: - ',' - get_param: [ServiceData, net_cidr_map, {get_param: [ServiceNetMap, CephRgwNetwork]}] radosgw_frontend_port: {get_param: [EndpointMap, CephRgwInternal, port]} CephRgwConfigOverrides: type: OS::Heat::Value properties: type: json value: vars: global: rgw_keystone_api_version: 3 rgw_keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} rgw_keystone_accepted_roles: 'member, Member, admin' rgw_keystone_accepted_admin_roles: ResellerAdmin, swiftoperator rgw_keystone_admin_domain: default rgw_keystone_admin_project: service rgw_keystone_admin_user: swift rgw_keystone_admin_password: {get_param: SwiftPassword} rgw_keystone_implicit_tenants: 'true' rgw_keystone_revocation_interval: '0' rgw_s3_auth_use_keystone: 'true' rgw_swift_versioning_enabled: 'true' rgw_swift_account_in_url: 'true' rgw_trust_forwarded_https: 'true' outputs: role_data: description: Role data for the Ceph RadosGW service. value: service_name: ceph_rgw firewall_rules: '122 ceph rgw': dport: list_concat: - - {get_param: [EndpointMap, CephRgwInternal, port]} - if: - dashboard_enabled - - '9100' - [] keystone_resources: swift: endpoints: public: {get_param: [EndpointMap, CephRgwPublic, uri]} internal: {get_param: [EndpointMap, CephRgwInternal, uri]} admin: {get_param: [EndpointMap, CephRgwAdmin, uri]} users: swift: password: {get_param: SwiftPassword} region: {get_param: KeystoneRegion} service: 'object-store' roles: - ResellerAdmin - swiftoperator upgrade_tasks: {get_attr: [CephBase, role_data, upgrade_tasks]} post_upgrade_tasks: {get_attr: [CephBase, role_data, post_upgrade_tasks]} puppet_config: config_image: '' config_volume: '' step_config: '' docker_config: {} external_deploy_tasks: list_concat: - {get_attr: [CephBase, role_data, external_deploy_tasks]} - - name: ceph_rgw_external_deploy_init when: step|int == 1 tags: - ceph - ceph_fstobs - ceph_systemd block: - name: set ceph-ansible group vars rgws set_fact: ceph_ansible_group_vars_rgws: if: - internal_tls_enabled - map_merge: - {get_attr: [CephRgwAnsibleVars, value, vars]} - radosgw_frontend_ssl_certificate: '/etc/pki/tls/certs/ceph_rgw.pem' - {get_attr: [CephRgwAnsibleVars, value, vars]} ceph_rgw_config_overrides: {get_attr: [CephRgwConfigOverrides, value, vars]} - name: generate ceph-ansible group vars rgws copy: dest: "{{playbook_dir}}/ceph-ansible/group_vars/rgws.yml" content: "{{ceph_ansible_group_vars_rgws|to_nice_yaml}}" external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]} external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]} metadata_settings: if: - internal_tls_enabled - - service: ceph_rgw network: {get_param: [ServiceNetMap, CephRgwNetwork]} type: node - null deploy_steps_tasks: - name: Certificate generation when: - step|int == 1 - enable_internal_tls block: - include_role: name: linux-system-roles.certificate vars: certificate_requests: - name: ceph_rgw dns: str_replace: template: "{{fqdn_$NETWORK}}" params: $NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]} principal: str_replace: template: "ceph_rgw/{{fqdn_$NETWORK}}@{{idm_realm}}" params: $NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]} run_after: | # Create PEM file pemfile=/etc/pki/tls/certs/ceph_rgw.pem cat /etc/pki/tls/certs/ceph_rgw.crt /etc/ipa/ca.crt /etc/pki/tls/private/ceph_rgw.key > $pemfile chmod 0640 $pemfile chown 472:472 $pemfile # Get ceph rgw systemd unit rgw_unit=$(systemctl list-unit-files | awk '/radosgw/ {print $1}') # Restart the rgw systemd unit if [ -n "$rgw_unit" ]; then systemctl restart "$rgw_unit" fi key_size: if: - key_size_override_unset - {get_param: CertificateKeySize} - {get_param: CephRgwCertificateKeySize} ca: ipa