Enable TLS for Ceph RGW

This PS optionally enables TLS for ceph-rgw.

Change-Id: I4797ef41612143f8065ac8fec20ddeae2c0218a3
Ritchie, Frank (fr801x) 2021-02-26 10:12:15 -05:00 committed by Frank Ritchie
parent 20cf2db961
commit e954253a1a
12 changed files with 135 additions and 18 deletions


@ -15,6 +15,6 @@ apiVersion: v1
appVersion: v1.0.0 appVersion: v1.0.0
description: OpenStack-Helm Ceph RadosGW description: OpenStack-Helm Ceph RadosGW
name: ceph-rgw name: ceph-rgw
version: 0.1.4 version: 0.1.5
home: https://github.com/ceph/ceph home: https://github.com/ceph/ceph
... ...


@ -83,7 +83,11 @@ function rgw_s3_bucket_validation ()
echo "function: rgw_s3_bucket_validation" echo "function: rgw_s3_bucket_validation"
bucket=s3://rgw-test-bucket bucket=s3://rgw-test-bucket
{{- if .Values.manifests.certificates }}
params="--host=$RGW_HOST --host-bucket=$RGW_HOST --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY --no-check-certificate"
{{- else }}
params="--host=$RGW_HOST --host-bucket=$RGW_HOST --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY --no-ssl" params="--host=$RGW_HOST --host-bucket=$RGW_HOST --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY --no-ssl"
{{- end }}
bucket_stat="$(s3cmd ls $params | grep ${bucket} || true)" bucket_stat="$(s3cmd ls $params | grep ${bucket} || true)"
if [[ -n "${bucket_stat}" ]]; then if [[ -n "${bucket_stat}" ]]; then
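Review bot: `--no-check-certificate` on the new `params=` line under `manifests.certificates` turns off server-certificate validation for the helm test, so the TLS listener is exercised but never verified, and the test would pass just as well against a certificate that does not chain to the cluster issuer. If the test pod can be given the issuing CA (the tls.yaml override on this page points the certificates at `ca-clusterissuer`), prefer `--ca-certs=<path-to-ca-bundle>` and leave verification on; if no CA can be mounted into the test pod, a comment such as `# test pod has no CA bundle mounted; server certificate is not verified here` should record that this is deliberate. rgw_s3_bucket_validation's body continues outside the hunk.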


@ -28,8 +28,12 @@ cat >> /etc/ceph/ceph.conf <<EOF
{{ $key }} = {{ $value | quote }} {{ $key }} = {{ $value | quote }}
{{ end -}} {{ end -}}
{{- end -}} {{- end -}}
{{ if .Values.conf.rgw_ks.enabled }} {{- if .Values.conf.rgw_ks.enabled }}
{{- if .Values.manifests.certificates }}
rgw_frontends = "beast ssl_port=${RGW_FRONTEND_PORT} ssl_certificate=/etc/tls/tls.crt ssl_private_key=/etc/tls/tls.key"
{{- else }}
rgw_frontends = "civetweb port=${RGW_FRONTEND_PORT}" rgw_frontends = "civetweb port=${RGW_FRONTEND_PORT}"
{{- end }}
rgw_keystone_url = "${KEYSTONE_URL}" rgw_keystone_url = "${KEYSTONE_URL}"
rgw_keystone_admin_user = "${OS_USERNAME}" rgw_keystone_admin_user = "${OS_USERNAME}"
rgw_keystone_admin_password = "${OS_PASSWORD}" rgw_keystone_admin_password = "${OS_PASSWORD}"
@ -43,8 +47,12 @@ rgw_keystone_admin_domain = "${OS_USER_DOMAIN_NAME}"
{{ end -}} {{ end -}}
{{- end -}} {{- end -}}
{{ end }} {{ end }}
{{ if .Values.conf.rgw_s3.enabled }} {{- if .Values.conf.rgw_s3.enabled }}
{{- if .Values.manifests.certificates }}
rgw_frontends = "beast ssl_port=${RGW_FRONTEND_PORT} ssl_certificate=/etc/tls/tls.crt ssl_private_key=/etc/tls/tls.key"
{{- else }}
rgw_frontends = "beast port=${RGW_FRONTEND_PORT}" rgw_frontends = "beast port=${RGW_FRONTEND_PORT}"
{{- end }}
{{ range $key, $value := .Values.conf.rgw_s3.config -}} {{ range $key, $value := .Values.conf.rgw_s3.config -}}
{{- if kindIs "slice" $value -}} {{- if kindIs "slice" $value -}}
{{ $key }} = {{ include "helm-toolkit.joinListWithComma" $value | quote }} {{ $key }} = {{ include "helm-toolkit.joinListWithComma" $value | quote }}
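Review bot: The TLS `rgw_frontends` line is duplicated verbatim in the rgw_ks branch (first hunk) and the rgw_s3 branch (second hunk), and both hard-code `/etc/tls/tls.crt` and `/etc/tls/tls.key`, which must stay in step with the `"path" "/etc/tls"` passed to tls_volume_mount in deployment-rgw.yaml on this page. A comment at the first occurrence such as `{{/* cert/key paths must match the tls_volume_mount "path" in deployment-rgw.yaml */}}` would make that coupling visible, or the directory could be emitted once as a variable shared by both branches. Enabling certificates also moves the Keystone-enabled frontend from civetweb to beast, which is a frontend change beyond TLS and is worth stating in the commit description. The heredoc `cat >> /etc/ceph/ceph.conf <<EOF` begins before the first hunk and closes after the second.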


@ -0,0 +1,20 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{ $object_store_name := "object_store" }}
{{- if .Values.conf.rgw_s3.enabled }}
{{ $object_store_name = "ceph_object_store" }}
{{- end }}
{{- if .Values.manifests.certificates }}
{{ dict "envAll" . "service" $object_store_name "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end }}
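Review bot: The `object_store` / `ceph_object_store` selection introduced in this new file is repeated verbatim in deployment-rgw.yaml, service-ingress-rgw.yaml and service-rgw.yaml on this page; a single chart-level named template returning the endpoint name would keep the four copies from drifting. In service-ingress-rgw.yaml the copy sits above the `manifests.service_ingress_rgw` guard rather than inside it as in the other templates. When both rgw_ks and rgw_s3 are enabled the s3 name wins silently in every copy; if that precedence is intended, a comment at the reassignment such as `{{/* S3 endpoint takes precedence over the Keystone one when both are enabled */}}` would record it.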


@ -15,6 +15,13 @@ limitations under the License.
{{- if and .Values.manifests.deployment_rgw ( and .Values.deployment.ceph .Values.conf.features.rgw ) }} {{- if and .Values.manifests.deployment_rgw ( and .Values.deployment.ceph .Values.conf.features.rgw ) }}
{{- $envAll := . }} {{- $envAll := . }}
{{ $object_store_name := "object_store" }}
{{ $tls_secret := .Values.secrets.tls.object_store.api.internal | quote }}
{{- if .Values.conf.rgw_s3.enabled }}
{{ $object_store_name = "ceph_object_store" }}
{{ $tls_secret = .Values.secrets.tls.ceph_object_store.api.internal | quote }}
{{- end }}
{{- $serviceAccountName := "ceph-rgw" }} {{- $serviceAccountName := "ceph-rgw" }}
{{- $_ := set $envAll.Values "__depParams" ( list ) }} {{- $_ := set $envAll.Values "__depParams" ( list ) }}
@ -105,7 +112,7 @@ spec:
value: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | trimSuffix .Values.endpoints.identity.path.default | quote }} value: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | trimSuffix .Values.endpoints.identity.path.default | quote }}
{{ end }} {{ end }}
- name: RGW_FRONTEND_PORT - name: RGW_FRONTEND_PORT
value: "{{ tuple "object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}" value: "{{ tuple $object_store_name "internal" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
command: command:
- /tmp/rgw-init.sh - /tmp/rgw-init.sh
volumeMounts: volumeMounts:
@ -123,8 +130,8 @@ spec:
mountPath: /etc/ceph/ceph.conf.template mountPath: /etc/ceph/ceph.conf.template
subPath: ceph.conf subPath: ceph.conf
readOnly: true readOnly: true
{{ if .Values.conf.rgw_ks.enabled }} {{- if .Values.conf.rgw_ks.enabled }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.object_store.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.object_store.api.keystone | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- end }} {{- end }}
containers: containers:
- name: ceph-rgw - name: ceph-rgw
@ -135,21 +142,23 @@ spec:
- name: CLUSTER - name: CLUSTER
value: "ceph" value: "ceph"
- name: RGW_FRONTEND_PORT - name: RGW_FRONTEND_PORT
value: "{{ tuple "object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}" value: "{{ tuple $object_store_name "internal" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
command: command:
- /tmp/rgw-start.sh - /tmp/rgw-start.sh
ports: ports:
- containerPort: {{ tuple "object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - containerPort: {{ tuple $object_store_name "internal" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
livenessProbe: livenessProbe:
httpGet: httpGet:
path: / path: /
port: {{ tuple "object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }} port: {{ tuple $object_store_name "internal" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
scheme: {{ tuple $object_store_name "internal" "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
initialDelaySeconds: 120 initialDelaySeconds: 120
timeoutSeconds: 5 timeoutSeconds: 5
readinessProbe: readinessProbe:
httpGet: httpGet:
path: / path: /
port: {{ tuple "object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }} port: {{ tuple $object_store_name "internal" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
scheme: {{ tuple $object_store_name "internal" "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
timeoutSeconds: 5 timeoutSeconds: 5
volumeMounts: volumeMounts:
- name: pod-tmp - name: pod-tmp
@ -173,6 +182,7 @@ spec:
- name: pod-var-lib-ceph - name: pod-var-lib-ceph
mountPath: /var/lib/ceph mountPath: /var/lib/ceph
readOnly: false readOnly: false
{{- dict "enabled" .Values.manifests.certificates "name" $tls_secret "path" "/etc/tls" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
emptyDir: {} emptyDir: {}
@ -194,7 +204,8 @@ spec:
- name: ceph-bootstrap-rgw-keyring - name: ceph-bootstrap-rgw-keyring
secret: secret:
secretName: {{ .Values.secrets.keyrings.rgw }} secretName: {{ .Values.secrets.keyrings.rgw }}
{{ if .Values.conf.rgw_ks.enabled }} {{- dict "enabled" .Values.manifests.certificates "name" $tls_secret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.object_store.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- if .Values.conf.rgw_ks.enabled }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.object_store.api.keystone | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }} {{- end }}
{{- end }} {{- end }}
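Review bot: The new probe `scheme:` lines in the fourth hunk derive HTTP/HTTPS from the endpoint scheme via `keystone_endpoint_scheme_lookup`, while ceph.conf switches the listener to `ssl_port` based on `manifests.certificates`; if an override sets `manifests.certificates: true` without also setting the internal endpoint scheme to https (the tls.yaml override on this page sets only the former), the probes would send plain HTTP to a TLS-only listener and the pod would never become ready. Consider deriving both from a single value, or documenting the requirement in values with a comment such as `# when manifests.certificates is true, the internal endpoint scheme for object_store/ceph_object_store must be https` — assuming the base values do not already default the scheme to https, which is not visible here. Separately, `$tls_secret` is assigned with `| quote` in the first hunk while the `keystone` secret passed to tls_volume_mount and tls_volume is unquoted; dropping `| quote` would keep the snippet inputs consistent, if the snippets do their own quoting.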


@ -14,5 +14,13 @@ limitations under the License.
{{- if and .Values.manifests.ingress_rgw ( and .Values.deployment.ceph (and .Values.network.api.ingress.public .Values.conf.features.rgw) ) }} {{- if and .Values.manifests.ingress_rgw ( and .Values.deployment.ceph (and .Values.network.api.ingress.public .Values.conf.features.rgw) ) }}
{{- $ingressOpts := dict "envAll" . "backendServiceType" "object_store" "backendPort" "ceph-rgw" -}} {{- $ingressOpts := dict "envAll" . "backendServiceType" "object_store" "backendPort" "ceph-rgw" -}}
{{- if .Values.manifests.certificates }}
{{- if .Values.conf.rgw_ks.enabled }}
{{- $ingressOpts = dict "envAll" . "backendServiceType" "object_store" "backendPort" "ceph-rgw" "certIssuer" .Values.endpoints.object_store.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end }}
{{- if .Values.conf.rgw_s3.enabled }}
{{- $ingressOpts = dict "envAll" . "backendServiceType" "ceph_object_store" "backendPort" "ceph-rgw" "certIssuer" .Values.endpoints.ceph_object_store.host_fqdn_override.default.tls.issuerRef.name -}}
{{- end }}
{{- end }}
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }} {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
{{- end }} {{- end }}
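Review bot: With certificates enabled the backendServiceType follows rgw_s3 (`ceph_object_store`), but with certificates disabled the unchanged `$ingressOpts` line above keeps `object_store` even when rgw_s3 is enabled, whereas service-ingress-rgw.yaml on this page now selects `ceph_object_store` regardless of certificates; the two templates therefore name different backends in the non-TLS S3 case, which looks unintended. The two new `if` blocks also each overwrite `$ingressOpts` in full, so when rgw_ks and rgw_s3 are both enabled the s3 dict silently replaces the ks one. Selecting the backend name once and adding only `certIssuer` under the certificates guard removes the duplicated dicts and the divergence; the enclosing `if and .Values.manifests.ingress_rgw` block closes at the last line of the hunk.
```yaml
{{- $backend := "object_store" }}
{{- if .Values.conf.rgw_s3.enabled }}
{{- $backend = "ceph_object_store" }}
{{- end }}
{{- $ingressOpts := dict "envAll" . "backendServiceType" $backend "backendPort" "ceph-rgw" -}}
{{- if .Values.manifests.certificates }}
{{- $_ := set $ingressOpts "certIssuer" (index .Values.endpoints $backend "host_fqdn_override" "default" "tls" "issuerRef" "name") -}}
{{- end }}
{{/* … unchanged: include "helm-toolkit.manifests.ingress" and closing end … */}}
```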


@ -12,7 +12,12 @@ See the License for the specific language governing permissions and
limitations under the License. limitations under the License.
*/}} */}}
{{ $object_store_name := "object_store" }}
{{- if .Values.conf.rgw_s3.enabled }}
{{ $object_store_name = "ceph_object_store" }}
{{- end }}
{{- if and .Values.manifests.service_ingress_rgw ( and .Values.deployment.ceph (and .Values.network.api.ingress.public .Values.conf.features.rgw ) ) }} {{- if and .Values.manifests.service_ingress_rgw ( and .Values.deployment.ceph (and .Values.network.api.ingress.public .Values.conf.features.rgw ) ) }}
{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "object_store" -}} {{- $serviceIngressOpts := dict "envAll" . "backendServiceType" $object_store_name -}}
{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }} {{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
{{- end }} {{- end }}


@ -14,6 +14,10 @@ limitations under the License.
{{- if and .Values.manifests.service_rgw ( and .Values.deployment.ceph .Values.conf.features.rgw ) }} {{- if and .Values.manifests.service_rgw ( and .Values.deployment.ceph .Values.conf.features.rgw ) }}
{{- $envAll := . }} {{- $envAll := . }}
{{ $object_store_name := "object_store" }}
{{- if .Values.conf.rgw_s3.enabled }}
{{ $object_store_name = "ceph_object_store" }}
{{- end }}
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
@ -22,9 +26,9 @@ metadata:
spec: spec:
ports: ports:
- name: ceph-rgw - name: ceph-rgw
port: {{ tuple "object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }} port: {{ tuple $object_store_name "internal" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
protocol: TCP protocol: TCP
targetPort: {{ tuple "object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }} targetPort: {{ tuple $object_store_name "internal" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{ if .Values.network.api.node_port.enabled }} {{ if .Values.network.api.node_port.enabled }}
nodePort: {{ .Values.network.api.node_port.port }} nodePort: {{ .Values.network.api.node_port.port }}
{{ end }} {{ end }}


@ -262,7 +262,12 @@ secrets:
object_store: object_store:
api: api:
public: ceph-tls-public public: ceph-tls-public
internal: keystone-tls-api internal: ceph-rgw-ks-tls-api
keystone: keystone-tls-api
ceph_object_store:
api:
public: ceph-rgw-s3-tls-public
internal: ceph-rgw-s3-tls-api
network: network:
api: api:
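Review bot: The meaning of `secrets.tls.object_store.api.internal` changes in this hunk: it previously named `keystone-tls-api`, which the rgw_ks init container now mounts under the new `keystone` key, and it now names the secret that deployment-rgw.yaml mounts at /etc/tls as the RGW listener's certificate and key. An existing override that still pins `internal` to the Keystone secret would, after this change, present that secret as the RGW server certificate. A comment on these keys would make the split explicit, e.g. `# internal/public: RGW server certificate and key; keystone: secret the rgw init container uses when reaching Keystone` — the keystone role is inferred from the rgw_ks-gated init-container mount, so confirm the wording.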


@ -0,0 +1,22 @@
---
endpoints:
object_store:
host_fqdn_override:
default:
tls:
secretName: ceph-rgw-ks-tls-api
issuerRef:
name: ca-clusterissuer
kind: ClusterIssuer
ceph_object_store:
host_fqdn_override:
default:
tls:
secretName: ceph-rgw-s3-tls-api
issuerRef:
name: ca-clusterissuer
kind: ClusterIssuer
manifests:
certificates: true
...

29
release.asc Normal file

@ -0,0 +1,29 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1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=/Tod
-----END PGP PUBLIC KEY BLOCK-----
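Review bot: A 29-line PGP public key block (release.asc) is added by a change whose title and release note are about TLS for RGW, and nothing on the page states what the key is for or who holds the private half. A key that may be used to verify releases deserves its own commit with the fingerprint and purpose in the message, so reviewers can check it out of band instead of accepting it as part of a feature change.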


@ -5,4 +5,5 @@ ceph-rgw:
- 0.1.2 Uplift from Nautilus to Octopus release - 0.1.2 Uplift from Nautilus to Octopus release
- 0.1.3 update rbac api version - 0.1.3 update rbac api version
- 0.1.4 Rgw placement target support - 0.1.4 Rgw placement target support
- 0.1.5 Add tls support
... ...