heat_template_version: wallaby description: > Ceph RadosGW service. parameters: ServiceData: default: {} description: Dictionary packing service data type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. Use parameter_merge_strategies to merge it with the defaults. type: json DefaultPasswords: default: {} type: json RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json SwiftPassword: description: The password for the swift service account type: string hidden: true KeystoneRegion: type: string default: 'regionOne' description: Keystone region for endpoint CephEnableDashboard: type: boolean default: false description: Parameter used to trigger the dashboard deployment. EnableInternalTLS: type: boolean default: false CertificateKeySize: type: string default: '2048' description: Specifies the private key size used when creating the certificate. CephRgwCertificateKeySize: type: string default: '' description: Override the private key size used when creating the certificate for this service conditions: key_size_override_set: not: {equals: [{get_param: CephRgwCertificateKeySize}, '']} resources: CephBase: type: ./ceph-base.yaml properties: ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} CephRgwAnsibleVars: type: OS::Heat::Value properties: type: json value: vars: radosgw_keystone: true radosgw_keystone_ssl: false radosgw_address_block: list_join: - ',' - get_param: [ServiceData, net_cidr_map, {get_param: [ServiceNetMap, CephRgwNetwork]}] radosgw_frontend_port: yaql: data: {get_param: [EndpointMap, CephRgwInternal]} expression: int($.data.port) outputs: role_data: description: Role data for the Ceph RadosGW service. value: service_name: ceph_rgw firewall_rules: '122 ceph rgw': dport: list_concat: - - {get_param: [EndpointMap, CephRgwInternal, port]} - if: - {get_param: CephEnableDashboard} - - '9100' keystone_resources: swift: endpoints: public: {get_param: [EndpointMap, CephRgwPublic, uri]} internal: {get_param: [EndpointMap, CephRgwInternal, uri]} admin: {get_param: [EndpointMap, CephRgwAdmin, uri]} users: swift: password: {get_param: SwiftPassword} roles: - admin - member region: {get_param: KeystoneRegion} service: 'object-store' roles: - member - ResellerAdmin - swiftoperator upgrade_tasks: {get_attr: [CephBase, role_data, upgrade_tasks]} post_upgrade_tasks: {get_attr: [CephBase, role_data, post_upgrade_tasks]} puppet_config: {} docker_config: {} external_deploy_tasks: list_concat: - {get_attr: [CephBase, role_data, external_deploy_tasks]} - - name: ceph_rgw_external_deploy_init when: step|int == 1 tags: - ceph block: - name: set ceph-ansible group vars rgws set_fact: cephadm_rgw_vars: if: - {get_param: EnableInternalTLS} - map_merge: - {get_attr: [CephRgwAnsibleVars, value, vars]} - radosgw_frontend_ssl_certificate: '/etc/pki/tls/certs/ceph_rgw.pem' - {get_attr: [CephRgwAnsibleVars, value, vars]} ceph_rgw_config_overrides: global: rgw_keystone_api_version: 3 rgw_keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} rgw_keystone_accepted_roles: 'member, Member, admin' rgw_keystone_accepted_admin_roles: ResellerAdmin, swiftoperator rgw_keystone_admin_domain: default rgw_keystone_admin_project: service rgw_keystone_admin_user: swift rgw_keystone_admin_password: {get_param: SwiftPassword} rgw_keystone_implicit_tenants: 'true' rgw_keystone_revocation_interval: '0' rgw_s3_auth_use_keystone: 'true' rgw_swift_versioning_enabled: 'true' rgw_swift_account_in_url: 'true' rgw_trust_forwarded_https: 'true' metadata_settings: if: - {get_param: EnableInternalTLS} - - service: ceph_rgw network: {get_param: [ServiceNetMap, CephRgwNetwork]} type: node deploy_steps_tasks: - name: Certificate generation when: - step|int == 1 - enable_internal_tls block: - include_role: name: linux-system-roles.certificate vars: certificate_requests: - name: ceph_rgw dns: str_replace: template: "{{fqdn_$NETWORK}}" params: $NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]} principal: str_replace: template: "ceph_rgw/{{fqdn_$NETWORK}}@{{idm_realm}}" params: $NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]} run_after: | # Create PEM file pemfile=/etc/pki/tls/certs/ceph_rgw.pem cat /etc/pki/tls/certs/ceph_rgw.crt /etc/ipa/ca.crt /etc/pki/tls/private/ceph_rgw.key > $pemfile chmod 0640 $pemfile chown 472:472 $pemfile # Get ceph rgw systemd unit rgw_unit=$(systemctl list-unit-files | awk '/radosgw/ {print $1}') # Restart the rgw systemd unit if [ -n "$rgw_unit" ]; then systemctl restart "$rgw_unit" fi key_size: if: - key_size_override_set - {get_param: CephRgwCertificateKeySize} - {get_param: CertificateKeySize} ca: ipa