Add TLS support to ceph-rgw backends

By overriding the variable `ceph_rgw_backend_ssl: True` HTTPS will be enabled, disabling HTTP support on the ceph-rgw backend api. The ansible-role-pki is used to generate the required TLS certificates if this functionality is enabled. Change-Id: I276ccd7e49db7e7ffe4f6f6c22ab1a82edc34688
2023-05-29 17:30:11 +02:00 · 2023-05-29 17:30:11 +02:00 · 14f69fbb5d
commit 14f69fbb5d
parent b75a9d0dd0
3 changed files with 78 additions and 0 deletions
--- a/inventory/group_vars/ceph-rgw.yml
+++ b/inventory/group_vars/ceph-rgw.yml
@ -17,3 +17,57 @@ ceph_conf_overrides_rgw:
    # rgw_enable_apis: 'swift, s3'
    # rgw_s3_auth_use_keystone: 'true'

+###
+### Backend TLS
+###
+
+# Ceph configuration options to enable TLS on ceph-rgw
+radosgw_frontend_ssl_certificate: "{{ ceph_rgw_backend_ssl is truthy | ternary(ceph_rgw_ssl_cert, '') }}"
+# Ceph-ansible requires to include private key in `radosgw_frontend_ssl_certificate`
+# which is not possible with ansible-role-pki.
+# That is why `ssl_private_key` is defined in `radosgw_frontend_options`.
+radosgw_frontend_options: "{{ ceph_rgw_backend_ssl is truthy | ternary('ssl_private_key=' + ceph_rgw_ssl_key, '') }}"
+
+# Define if communication between haproxy and service backends should be
+# encrypted with TLS.
+ceph_rgw_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"
+
+# Storage location for SSL certificate authority
+ceph_rgw_pki_dir: "{{ openstack_pki_dir | default('/etc/openstack_deploy/pki') }}"
+
+# Delegated host for operating the certificate authority
+ceph_rgw_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
+
+# ceph_rgw server certificate
+ceph_rgw_pki_keys_path: "{{ ceph_rgw_pki_dir ~ '/certs/private/' }}"
+ceph_rgw_pki_certs_path: "{{ ceph_rgw_pki_dir ~ '/certs/certs/' }}"
+ceph_rgw_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('ExampleCorpIntermediate') }}"
+ceph_rgw_pki_regen_cert: ''
+ceph_rgw_pki_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}"
+ceph_rgw_pki_certificates:
+  - name: "ceph_rgw_{{ ansible_facts['hostname'] }}"
+    provider: ownca
+    cn: "{{ ansible_facts['hostname'] }}"
+    san: "{{ ceph_rgw_pki_san }}"
+    signed_by: "{{ ceph_rgw_pki_intermediate_cert_name }}"
+
+# ceph_rgw destination files for SSL certificates
+ceph_rgw_ssl_cert: /etc/ceph/ceph-rgw.pem
+ceph_rgw_ssl_key: /etc/ceph/ceph-rgw.key
+
+# Installation details for SSL certificates
+ceph_rgw_pki_install_certificates:
+  - src: "{{ ceph_rgw_user_ssl_cert | default(ceph_rgw_pki_certs_path ~ 'ceph_rgw_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
+    dest: "{{ ceph_rgw_ssl_cert }}"
+    owner: "ceph"
+    group: "ceph"
+    mode: "0644"
+  - src: "{{ ceph_rgw_user_ssl_key | default(ceph_rgw_pki_keys_path ~ 'ceph_rgw_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
+    dest: "{{ ceph_rgw_ssl_key }}"
+    owner: "ceph"
+    group: "ceph"
+    mode: "0600"
+
+# Define user-provided SSL certificates
+#ceph_rgw_user_ssl_cert: <path to cert on ansible deployment host>
+#ceph_rgw_user_ssl_key: <path to cert on ansible deployment host>
--- a/inventory/group_vars/haproxy/haproxy.yml
+++ b/inventory/group_vars/haproxy/haproxy.yml
@ -116,6 +116,10 @@ haproxy_ceph_rgw_service:
    - httpchk HEAD /
  haproxy_backend_httpcheck_options:
    - expect rstatus 200|405
+  # `openstack_service_backend_ssl` is not taken into account if ceph is installed independently.
+  haproxy_backend_ssl: "{{ ceph_rgw_backend_ssl | default((groups['ceph-rgw'] is defined and groups['ceph-rgw'] | length > 0) | ternary(openstack_service_backend_ssl, False)) }}"
+  haproxy_backend_ca: "{{ ceph_rgw_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
+  haproxy_accept_both_protocols: "{{ ceph_rgw_accept_both_protocols | default(openstack_service_accept_both_protocols) }}"
  haproxy_service_enabled: "{{ (groups['ceph-rgw'] is defined and groups['ceph-rgw'] | length > 0) or (ceph_rgws | length > 0) }}"

 haproxy_default_services:
--- a/playbooks/ceph-rgw-install.yml
+++ b/playbooks/ceph-rgw-install.yml
@ -43,6 +43,26 @@
        - ceph-mon-facts
        - ceph-rgw

+    - name: Create and install SSL certificates
+      include_role:
+        name: pki
+        tasks_from: main_certs.yml
+        apply:
+          tags:
+            - ceph-rgw-config
+            - pki
+      vars:
+        pki_setup_host: "{{ ceph_rgw_pki_setup_host }}"
+        pki_dir: "{{ ceph_rgw_pki_dir }}"
+        pki_create_certificates: "{{ ceph_rgw_user_ssl_cert is not defined and ceph_rgw_user_ssl_key is not defined }}"
+        pki_regen_cert: "{{ ceph_rgw_pki_regen_cert }}"
+        pki_certificates: "{{ ceph_rgw_pki_certificates }}"
+        pki_install_certificates: "{{ ceph_rgw_pki_install_certificates }}"
+      when:
+        - ceph_rgw_backend_ssl
+      tags:
+        - always
+
  roles:
    - role: ceph-defaults
      tags: