openstack/openstack-ansible
Code Issues Proposed changes
8d46ed8842
openstack-ansible/inventory/group_vars/ceph-rgw.yml
Dmitriy Rabotyagov 4203aa26c6 Modify RGW client format 
With changes to config_template module that restored usage of {% raw %} tags [1]
renderring of mapping keys, if they're defined as variables, was broken.

Ansible, by design [2], does not render mapping keys. Moreover, it was not
working as intended anyway, since renderring happened in post-copy stage
so same records were not merged together, which resulted in #1812245

As such behaviour is expected by Ansible design, instead of adding some
workaround in config_template module, I suggest working around issue
by defining troublesome mapping with Jinja, that will allow it to render properly.

[1] https://review.opendev.org/c/openstack/ansible-config_template/+/881887
[2] https://github.com/ansible/ansible/issues/17324#issuecomment-685102595

Closes-Bug: #2048036
Related-Bug: #1812245
Change-Id: I8a32736239c6326d817c620451799c13d5d8938c
2024-01-04 14:41:59 +00:00

76 lines
3.2 KiB
YAML
Raw Blame History

---
ceph_conf_overrides_rgw: |-
{{
{
'client.rgw.' ~ hostvars[inventory_hostname]['ansible_facts']['hostname'] ~ '.rgw0': {
'rgw_keystone_url': keystone_service_adminuri,
'rgw_keystone_api_version': 3,
'rgw_keystone_admin_user': radosgw_admin_user,
'rgw_keystone_admin_password': radosgw_admin_password,
'rgw_keystone_admin_project': radosgw_admin_tenant,
'rgw_keystone_admin_domain': 'default',
'rgw_keystone_accepted_roles': 'member, admin, swiftoperator',
'rgw_keystone_implicit_tenants': 'true',
'rgw_swift_account_in_url': 'true',
'rgw_swift_versioning_enabled': 'true',
'rgw_enable_apis': 'swift, s3',
'rgw_s3_auth_use_keystone': 'true'
}
}
}}
###
### Backend TLS
###
# Ceph configuration options to enable TLS on ceph-rgw
radosgw_frontend_ssl_certificate: "{{ ceph_rgw_backend_ssl is truthy | ternary(ceph_rgw_ssl_cert, '') }}"
# Ceph-ansible requires to include private key in `radosgw_frontend_ssl_certificate`
# which is not possible with ansible-role-pki.
# That is why `ssl_private_key` is defined in `radosgw_frontend_options`.
radosgw_frontend_options: "{{ ceph_rgw_backend_ssl is truthy | ternary('ssl_private_key=' + ceph_rgw_ssl_key, '') }}"
# Define if communication between haproxy and service backends should be
# encrypted with TLS.
ceph_rgw_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"
# Storage location for SSL certificate authority
ceph_rgw_pki_dir: "{{ openstack_pki_dir | default('/etc/openstack_deploy/pki') }}"
# Delegated host for operating the certificate authority
ceph_rgw_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
# ceph_rgw server certificate
ceph_rgw_pki_keys_path: "{{ ceph_rgw_pki_dir ~ '/certs/private/' }}"
ceph_rgw_pki_certs_path: "{{ ceph_rgw_pki_dir ~ '/certs/certs/' }}"
ceph_rgw_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('ExampleCorpIntermediate') }}"
ceph_rgw_pki_regen_cert: ''
ceph_rgw_pki_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}"
ceph_rgw_pki_certificates:
- name: "ceph_rgw_{{ ansible_facts['hostname'] }}"
provider: ownca
cn: "{{ ansible_facts['hostname'] }}"
san: "{{ ceph_rgw_pki_san }}"
signed_by: "{{ ceph_rgw_pki_intermediate_cert_name }}"
# ceph_rgw destination files for SSL certificates
ceph_rgw_ssl_cert: /etc/ceph/ceph-rgw.pem
ceph_rgw_ssl_key: /etc/ceph/ceph-rgw.key
# Installation details for SSL certificates
ceph_rgw_pki_install_certificates:
- src: "{{ ceph_rgw_user_ssl_cert | default(ceph_rgw_pki_certs_path ~ 'ceph_rgw_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
dest: "{{ ceph_rgw_ssl_cert }}"
owner: "ceph"
group: "ceph"
mode: "0644"
- src: "{{ ceph_rgw_user_ssl_key | default(ceph_rgw_pki_keys_path ~ 'ceph_rgw_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
dest: "{{ ceph_rgw_ssl_key }}"
owner: "ceph"
group: "ceph"
mode: "0600"
# Define user-provided SSL certificates
#ceph_rgw_user_ssl_cert: <path to cert on ansible deployment host>
#ceph_rgw_user_ssl_key: <path to cert on ansible deployment host>
View Git Blame Copy Permalink