openstack/tripleo-heat-templates
Code Issues Proposed changes
643c3d25d9
tripleo-heat-templates/deployment/ceph-ansible/ceph-rgw.yaml
ramishra bd5e2c80fd Don't try creating default admin and member roles 
These are default roles and we don't need to create them for
ceph. Also swift user does not need admin role.

Closes-Bug: 1916756
Resolves: rhbz#1932208

Change-Id: I4d4c01d4ace8c51ae9f47f4dafd76bb3b5ed674f
(cherry picked from commit c1462b7608)
2021-02-25 10:08:20 +00:00

207 lines
7.1 KiB
YAML
Raw Blame History

heat_template_version: rocky
description: >
Ceph RadosGW service.
parameters:
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
SwiftPassword:
description: The password for the swift service account
type: string
hidden: true
KeystoneRegion:
type: string
default: 'regionOne'
description: Keystone region for endpoint
CephEnableDashboard:
type: boolean
default: false
description: Parameter used to trigger the dashboard deployment.
EnableInternalTLS:
type: boolean
default: false
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
CephRgwCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
dashboard_enabled: {equals: [{get_param: CephEnableDashboard}, true]}
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
key_size_override_unset: {equals: [{get_param: CephRgwCertificateKeySize}, '']}
resources:
CephBase:
type: ./ceph-base.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
CephRgwAnsibleVars:
type: OS::Heat::Value
properties:
type: json
value:
vars:
radosgw_keystone: true
radosgw_keystone_ssl: false
radosgw_address_block:
list_join:
- ','
- get_param: [ServiceData, net_cidr_map, {get_param: [ServiceNetMap, CephRgwNetwork]}]
radosgw_frontend_port: {get_param: [EndpointMap, CephRgwInternal, port]}
CephRgwConfigOverrides:
type: OS::Heat::Value
properties:
type: json
value:
vars:
global:
rgw_keystone_api_version: 3
rgw_keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]}
rgw_keystone_accepted_roles: 'member, Member, admin'
rgw_keystone_accepted_admin_roles: ResellerAdmin, swiftoperator
rgw_keystone_admin_domain: default
rgw_keystone_admin_project: service
rgw_keystone_admin_user: swift
rgw_keystone_admin_password: {get_param: SwiftPassword}
rgw_keystone_implicit_tenants: 'true'
rgw_keystone_revocation_interval: '0'
rgw_s3_auth_use_keystone: 'true'
rgw_swift_versioning_enabled: 'true'
rgw_swift_account_in_url: 'true'
rgw_trust_forwarded_https: 'true'
outputs:
role_data:
description: Role data for the Ceph RadosGW service.
value:
service_name: ceph_rgw
firewall_rules:
'122 ceph rgw':
dport:
list_concat:
- - {get_param: [EndpointMap, CephRgwInternal, port]}
- if:
- dashboard_enabled
- - '9100'
- []
keystone_resources:
swift:
endpoints:
public: {get_param: [EndpointMap, CephRgwPublic, uri]}
internal: {get_param: [EndpointMap, CephRgwInternal, uri]}
admin: {get_param: [EndpointMap, CephRgwAdmin, uri]}
users:
swift:
password: {get_param: SwiftPassword}
region: {get_param: KeystoneRegion}
service: 'object-store'
roles:
- ResellerAdmin
- swiftoperator
upgrade_tasks: {get_attr: [CephBase, role_data, upgrade_tasks]}
post_upgrade_tasks: {get_attr: [CephBase, role_data, post_upgrade_tasks]}
puppet_config:
config_image: ''
config_volume: ''
step_config: ''
docker_config: {}
external_deploy_tasks:
list_concat:
- {get_attr: [CephBase, role_data, external_deploy_tasks]}
- - name: ceph_rgw_external_deploy_init
when: step|int == 1
tags:
- ceph
- ceph_fstobs
- ceph_systemd
block:
- name: set ceph-ansible group vars rgws
set_fact:
ceph_ansible_group_vars_rgws:
if:
- internal_tls_enabled
- map_merge:
- {get_attr: [CephRgwAnsibleVars, value, vars]}
- radosgw_frontend_ssl_certificate: '/etc/pki/tls/certs/ceph_rgw.pem'
- {get_attr: [CephRgwAnsibleVars, value, vars]}
ceph_rgw_config_overrides: {get_attr: [CephRgwConfigOverrides, value, vars]}
- name: generate ceph-ansible group vars rgws
copy:
dest: "{{playbook_dir}}/ceph-ansible/group_vars/rgws.yml"
content: "{{ceph_ansible_group_vars_rgws|to_nice_yaml}}"
external_update_tasks: {get_attr: [CephBase, role_data, external_update_tasks]}
external_upgrade_tasks: {get_attr: [CephBase, role_data, external_upgrade_tasks]}
config_settings:
map_merge:
- if:
- internal_tls_enabled
-
generate_service_certificates: true
ceph_rgw_certificate_specs:
service_certificate: '/etc/pki/tls/certs/ceph_rgw.crt'
service_key: '/etc/pki/tls/private/ceph_rgw.key'
service_pem: '/etc/pki/tls/certs/ceph_rgw.pem'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
principal:
str_replace:
template: "ceph_rgw/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
postsave_cmd: "/usr/bin/certmonger-rgw-refresh.sh"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: CephRgwCertificateKeySize}
- {}
metadata_settings:
if:
- internal_tls_enabled
-
- service: ceph_rgw
network: {get_param: [ServiceNetMap, CephRgwNetwork]}
type: node
- null
View Git Blame Copy Permalink