Ceph: Setup radosgw with increased swift support.

This PS updates the cephs config to deploy radosgw with greater swift compatibility. Allowing clients to use RGW as though it were a real swift deployment. Change-Id: Id0a27b42b7f9c0c9e4b5a197ef50feb612e6adfc
2018-05-10 23:40:42 -05:00 · 2018-05-10 23:40:42 -05:00 · d342ac40cb
commit d342ac40cb
parent bff3b4378e
23 changed files with 208 additions and 67 deletions
--- a/ceph-client/values.yaml
+++ b/ceph-client/values.yaml
@ -26,10 +26,10 @@ images:
  tags:
    ceph_bootstrap: 'docker.io/ceph/daemon:tag-build-master-luminous-ubuntu-16.04'
    ceph_cephfs_provisioner: 'quay.io/external_storage/cephfs-provisioner:v0.1.1'
-    ceph_config_helper: 'docker.io/port/ceph-config-helper:v1.10.1'
+    ceph_config_helper: 'docker.io/port/ceph-config-helper:v1.10.2'
    ceph_mds: 'docker.io/ceph/daemon:tag-build-master-luminous-ubuntu-16.04'
    ceph_mgr: 'docker.io/ceph/daemon:tag-build-master-luminous-ubuntu-16.04'
-    ceph_rbd_pool: 'docker.io/port/ceph-config-helper:v1.10.1'
+    ceph_rbd_pool: 'docker.io/port/ceph-config-helper:v1.10.2'
    ceph_rbd_provisioner: 'quay.io/external_storage/rbd-provisioner:v0.1.1'
    ceph_rgw: 'docker.io/ceph/daemon:tag-build-master-luminous-ubuntu-16.04'
    dep_check: 'quay.io/stackanetes/kubernetes-entrypoint:v0.3.1'
@ -275,8 +275,10 @@ conf:
    config:
      rgw_keystone_api_version: 3
      rgw_keystone_accepted_roles: "admin, _member_"
-      rgw_keystone_implicit_tenants: true
+      rgw_keystone_implicit_tenants: false
+      rgw_keystone_make_new_tenants: true
      rgw_s3_auth_use_keystone: true
+      rgw_swift_account_in_url: true
  ceph:
    global:
      # auth
@ -488,7 +490,7 @@ endpoints:
    host_fqdn_override:
      default: null
    path:
-      default: /swift/v1
+      default: /swift/v1/KEY_$(tenant_id)s
    scheme:
      default: http
    port:
--- a/ceph-mon/values.yaml
+++ b/ceph-mon/values.yaml
@ -20,9 +20,9 @@ images:
  pull_policy: IfNotPresent
  tags:
    ceph_bootstrap: 'docker.io/ceph/daemon:tag-build-master-luminous-ubuntu-16.04'
-    ceph_config_helper: 'docker.io/port/ceph-config-helper:v1.10.1'
+    ceph_config_helper: 'docker.io/port/ceph-config-helper:v1.10.2'
    ceph_mon: 'docker.io/ceph/daemon:tag-build-master-luminous-ubuntu-16.04'
-    ceph_mon_check: 'docker.io/port/ceph-config-helper:v1.10.1'
+    ceph_mon_check: 'docker.io/port/ceph-config-helper:v1.10.2'
    dep_check: 'quay.io/stackanetes/kubernetes-entrypoint:v0.3.0'
    image_repo_sync: docker.io/docker:17.07.0
  local_registry:
--- a/cinder/values.yaml
+++ b/cinder/values.yaml
@ -56,9 +56,9 @@ images:
    cinder_scheduler: docker.io/openstackhelm/cinder:newton
    cinder_volume: docker.io/openstackhelm/cinder:newton
    cinder_volume_usage_audit: docker.io/openstackhelm/cinder:newton
-    cinder_storage_init: docker.io/ceph/daemon:tag-build-master-luminous-ubuntu-16.04
+    cinder_storage_init: docker.io/port/ceph-config-helper:v1.10.2
    cinder_backup: docker.io/openstackhelm/cinder:newton
-    cinder_backup_storage_init: docker.io/ceph/daemon:tag-build-master-luminous-ubuntu-16.04
+    cinder_backup_storage_init: docker.io/port/ceph-config-helper:v1.10.2
    dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
    image_repo_sync: docker.io/docker:17.07.0
  pull_policy: "IfNotPresent"
--- a/glance/templates/bin/_storage-init.sh.tpl
+++ b/glance/templates/bin/_storage-init.sh.tpl
@ -21,65 +21,74 @@ if [ "x$STORAGE_BACKEND" == "xrbd" ]; then
  SECRET=$(mktemp --suffix .yaml)
  KEYRING=$(mktemp --suffix .keyring)
  function cleanup {
-      rm -f ${SECRET} ${KEYRING}
+      rm -f "${SECRET}" "${KEYRING}"
  }
  trap cleanup EXIT
 fi

 set -ex
-if [ "x$STORAGE_BACKEND" == "xpvc" ] || [ "x$STORAGE_BACKEND" == "xswift" ]; then
+if [ "x$STORAGE_BACKEND" == "xpvc" ]; then
  echo "No action required."
+elif [ "x$STORAGE_BACKEND" == "xswift" ]; then
+  OS_TOKEN="$(openstack token issue -f value -c id)"
+  OS_PROJECT_ID="$(openstack project show service -f value -c id)"
+  OS_SWIFT_ENDPOINT_PREFIX="$(openstack endpoint list --service swift --interface public -f value -c URL | awk -F '$' '{ print $1 }')"
+  OS_SWIFT_SCOPED_ENDPOINT="${OS_SWIFT_ENDPOINT_PREFIX}${OS_PROJECT_ID}"
+  curl -i -X POST "${OS_SWIFT_SCOPED_ENDPOINT}" \
+    -H "X-Auth-Token: ${OS_TOKEN}" \
+    -H "X-Account-Meta-Temp-URL-Key: ${SWIFT_TMPURL_KEY}"
 elif [ "x$STORAGE_BACKEND" == "xrbd" ]; then
  ceph -s
  function ensure_pool () {
-    ceph osd pool stats $1 || ceph osd pool create $1 $2
-    local test_luminous=$(ceph tell osd.* version | egrep -c "12.2|luminous")
+    ceph osd pool stats "$1" || ceph osd pool create "$1" "$2"
+    local test_luminous
+    test_luminous=$(ceph tell osd.* version | egrep -c "12.2|luminous")
    if [[ ${test_luminous} -gt 0 ]]; then
-      ceph osd pool application enable $1 $3
+      ceph osd pool application enable "$1" "$3"
    fi
  }
-  ensure_pool ${RBD_POOL_NAME} ${RBD_POOL_CHUNK_SIZE} "glance-image"
+  ensure_pool "${RBD_POOL_NAME}" "${RBD_POOL_CHUNK_SIZE}" "glance-image"

-  if USERINFO=$(ceph auth get client.${RBD_POOL_USER}); then
-    KEYSTR=$(echo $USERINFO | sed 's/.*\( key = .*\) caps mon.*/\1/')
-    echo $KEYSTR  > ${KEYRING}
+  if USERINFO=$(ceph auth get "client.${RBD_POOL_USER}"); then
+    KEYSTR=$(echo "${USERINFO}" | sed 's/.*\( key = .*\) caps mon.*/\1/')
+    echo "${KEYSTR}" > "${KEYRING}"
  else
    #NOTE(Portdirect): Determine proper privs to assign keyring
-    ceph auth get-or-create client.${RBD_POOL_USER} \
+    ceph auth get-or-create "client.${RBD_POOL_USER}" \
      mon "allow *" \
      osd "allow *" \
      mgr "allow *" \
-      -o ${KEYRING}
+      -o "${KEYRING}"
  fi

-  ENCODED_KEYRING=$(sed -n 's/^[[:blank:]]*key[[:blank:]]\+=[[:blank:]]\(.*\)/\1/p' ${KEYRING} | base64 -w0)
-  cat > ${SECRET} <<EOF
+  ENCODED_KEYRING=$(sed -n 's/^[[:blank:]]*key[[:blank:]]\+=[[:blank:]]\(.*\)/\1/p' "${KEYRING}" | base64 -w0)
+  cat > "${SECRET}" <<EOF
 apiVersion: v1
 kind: Secret
 metadata:
  name: "${RBD_POOL_SECRET}"
 type: kubernetes.io/rbd
 data:
-  key: $( echo ${ENCODED_KEYRING} )
+  key: "${ENCODED_KEYRING}"
 EOF
-  kubectl apply --namespace ${NAMESPACE} -f ${SECRET}
-elif [ "x$STORAGE_BACKEND" == "xradosgw" ]; then
+  kubectl apply --namespace "${NAMESPACE}" -f "${SECRET}"
+elif [ "x${STORAGE_BACKEND}" == "xradosgw" ]; then
  radosgw-admin user stats --uid="${RADOSGW_USERNAME}" || \
    radosgw-admin user create \
      --uid="${RADOSGW_USERNAME}" \
      --display-name="${RADOSGW_USERNAME} user"

  radosgw-admin subuser create \
-    --uid=${RADOSGW_USERNAME} \
-    --subuser=${RADOSGW_USERNAME}:swift \
+    --uid="${RADOSGW_USERNAME}" \
+    --subuser="${RADOSGW_USERNAME}:swift" \
    --access=full

  radosgw-admin key create \
-    --subuser=${RADOSGW_USERNAME}:swift \
+    --subuser="${RADOSGW_USERNAME}:swift" \
    --key-type=swift \
-    --secret=${RADOSGW_PASSWORD}
+    --secret="${RADOSGW_PASSWORD}"

  radosgw-admin user modify \
-    --uid=${RADOSGW_USERNAME} \
-    --temp-url-key=${RADOSGW_TMPURL_KEY}
+    --uid="${RADOSGW_USERNAME}" \
+    --temp-url-key="${RADOSGW_TMPURL_KEY}"
 fi
--- a/glance/templates/job-storage-init.yaml
+++ b/glance/templates/job-storage-init.yaml
@ -116,6 +116,13 @@ spec:
            - name: RADOSGW_TMPURL_KEY
              value: {{ .Values.endpoints.ceph_object_store.auth.glance.tmpurlkey | quote }}
            {{ end }}
+            {{- if eq .Values.storage "swift" }}
+            - name: SWIFT_TMPURL_KEY
+              value: {{ .Values.endpoints.object_store.auth.glance.tmpurlkey | quote }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.glance }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            {{ end }}
          command:
            - /tmp/storage-init.sh
          volumeMounts:
--- a/glance/values.yaml
+++ b/glance/values.yaml
@ -39,7 +39,7 @@ release_group: null
 images:
  tags:
    test: docker.io/kolla/ubuntu-source-rally:4.0.0
-    glance_storage_init: docker.io/ceph/daemon:tag-build-master-luminous-ubuntu-16.04
+    glance_storage_init: docker.io/port/ceph-config-helper:v1.10.2
    db_init: docker.io/openstackhelm/heat:newton
    glance_db_sync: docker.io/openstackhelm/glance:newton
    db_drop: docker.io/openstackhelm/heat:newton
@ -411,6 +411,8 @@ dependencies:
        - endpoint: internal
          service: image
    storage_init:
+      jobs:
+        - glance-ks-user
      services: null
    tests:
      services:
@ -578,6 +580,23 @@ endpoints:
        default: 5672
      http:
        default: 15672
+  object_store:
+    name: swift
+    namespace: ceph
+    auth:
+      glance:
+        tmpurlkey: supersecret
+    hosts:
+      default: ceph-rgw
+    host_fqdn_override:
+      default: null
+    path:
+      default: /swift/v1/KEY_$(tenant_id)s
+    scheme:
+      default: http
+    port:
+      api:
+        default: 8088
  ceph_object_store:
    name: radosgw
    namespace: ceph
--- a/gnocchi/values.yaml
+++ b/gnocchi/values.yaml
@ -24,7 +24,7 @@ release_group: null
 images:
  tags:
    dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
-    gnocchi_storage_init: docker.io/ceph/daemon:tag-build-master-luminous-ubuntu-16.04
+    gnocchi_storage_init: docker.io/port/ceph-config-helper:v1.10.2
    db_init_indexer: docker.io/postgres:9.5
    # using non-kolla images until kolla supports postgres as
    # an indexer
--- a/ironic/templates/bin/_ironic-api.sh.tpl
+++ b/ironic/templates/bin/_ironic-api.sh.tpl
@ -22,6 +22,7 @@ COMMAND="${@:-start}"
 function start () {
  exec ironic-api \
        --config-file /etc/ironic/ironic.conf \
+        --config-file /tmp/pod-shared/swift.conf \
        --config-file /tmp/pod-shared/cleaning-network.conf
 }

--- a/ironic/templates/bin/_ironic-conductor.sh.tpl
+++ b/ironic/templates/bin/_ironic-conductor.sh.tpl
@ -24,4 +24,5 @@ mkdir -p /var/lib/openstack-helm/ironic/master_images
 exec ironic-conductor \
      --config-file /etc/ironic/ironic.conf \
      --config-file /tmp/pod-shared/conductor-local-ip.conf \
+      --config-file /tmp/pod-shared/swift.conf \
      --config-file /tmp/pod-shared/cleaning-network.conf
--- a/ironic/templates/bin/_retreive-swift-config.sh.tpl
+++ b/ironic/templates/bin/_retreive-swift-config.sh.tpl
@ -0,0 +1,35 @@
+#!/bin/bash
+
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+OS_SWIFT_ENDPOINT="$(openstack endpoint list \
+    --service swift \
+    --interface public \
+    -f value \
+    -c URL | head -1 )"
+OS_SWIFT_HOST_AND_PATH_PREFIX="$(echo "${OS_SWIFT_ENDPOINT}" | awk -F "/${OS_SWIFT_API_VERSION}" '{ print $1 }')"
+OS_SWIFT_ACCOUNT_PREFIX="$(echo "${OS_SWIFT_ENDPOINT}" | awk -F "/${OS_SWIFT_API_VERSION}/" '{ print $NF }' | awk -F '$' '{ print $1 }')"
+OS_PROJECT_ID="$(openstack project show ${OS_PROJECT_NAME} -f value -c id)"
+OS_SWIFT_ACCOUNT="$(echo "${OS_SWIFT_ACCOUNT_PREFIX}${OS_PROJECT_ID}")"
+
+tee /tmp/pod-shared/swift.conf <<EOF
+[glance]
+swift_endpoint_url: "${OS_SWIFT_HOST_AND_PATH_PREFIX}"
+swift_account: "${OS_SWIFT_ACCOUNT}"
+EOF
--- a/ironic/templates/configmap-bin.yaml
+++ b/ironic/templates/configmap-bin.yaml
@ -34,6 +34,8 @@ data:
 {{ tuple "bin/_manage-cleaning-network.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
  retreive-cleaning-network.sh: |
 {{ tuple "bin/_retreive-cleaning-network.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  retreive-swift-config.sh: |
+{{ tuple "bin/_retreive-swift-config.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
  db-init.py: |
 {{- include "helm-toolkit.scripts.db_init" . | indent 4 }}
  db-sync.sh: |
--- a/ironic/templates/configmap-etc.yaml
+++ b/ironic/templates/configmap-etc.yaml
@ -68,19 +68,19 @@ limitations under the License.
 {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.ironic.glance "auth_url" | quote | trunc 0 -}}
 {{- end -}}
 {{- if empty .Values.conf.ironic.glance.project_name -}}
-{{- set .Values.conf.ironic.glance "project_name" .Values.endpoints.identity.auth.ironic.project_name | quote | trunc 0 -}}
+{{- set .Values.conf.ironic.glance "project_name" .Values.endpoints.identity.auth.glance.project_name | quote | trunc 0 -}}
 {{- end -}}
 {{- if empty .Values.conf.ironic.glance.project_domain_name -}}
-{{- set .Values.conf.ironic.glance "project_domain_name" .Values.endpoints.identity.auth.ironic.project_domain_name | quote | trunc 0 -}}
+{{- set .Values.conf.ironic.glance "project_domain_name" .Values.endpoints.identity.auth.glance.project_domain_name | quote | trunc 0 -}}
 {{- end -}}
 {{- if empty .Values.conf.ironic.glance.user_domain_name -}}
-{{- set .Values.conf.ironic.glance "user_domain_name" .Values.endpoints.identity.auth.ironic.user_domain_name | quote | trunc 0 -}}
+{{- set .Values.conf.ironic.glance "user_domain_name" .Values.endpoints.identity.auth.glance.user_domain_name | quote | trunc 0 -}}
 {{- end -}}
 {{- if empty .Values.conf.ironic.glance.username -}}
-{{- set .Values.conf.ironic.glance "username" .Values.endpoints.identity.auth.ironic.username | quote | trunc 0 -}}
+{{- set .Values.conf.ironic.glance "username" .Values.endpoints.identity.auth.glance.username | quote | trunc 0 -}}
 {{- end -}}
 {{- if empty .Values.conf.ironic.glance.password -}}
-{{- set .Values.conf.ironic.glance "password" .Values.endpoints.identity.auth.ironic.password | quote | trunc 0 -}}
+{{- set .Values.conf.ironic.glance "password" .Values.endpoints.identity.auth.glance.password | quote | trunc 0 -}}
 {{- end -}}


@ -173,11 +173,11 @@ limitations under the License.
 {{- end -}}

 {{- if empty .Values.conf.ironic.glance.swift_endpoint_url -}}
-{{- tuple "ceph_object_store" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| trimSuffix .Values.endpoints.ceph_object_store.path.default | set .Values.conf.ironic.glance "swift_endpoint_url" | quote | trunc 0 -}}
+{{- tuple "object_store" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| trimSuffix .Values.endpoints.object_store.path.default | set .Values.conf.ironic.glance "swift_endpoint_url" | quote | trunc 0 -}}
 {{- end -}}

 {{- if empty .Values.conf.ironic.glance.swift_temp_url_key -}}
-{{- set .Values.conf.ironic.glance "swift_temp_url_key" .Values.endpoints.ceph_object_store.auth.glance.tmpurlkey | quote | trunc 0 -}}
+{{- set .Values.conf.ironic.glance "swift_temp_url_key" .Values.endpoints.object_store.auth.glance.tmpurlkey | quote | trunc 0 -}}
 {{- end -}}

 {{- if empty .Values.conf.ironic.api.port -}}
@ -196,4 +196,4 @@ data:
 {{  toJson .Values.conf.policy | indent 4 }}
 {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.tftp_map_file "key" "tftp-map-file") | indent 2 }}
 {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.nginx "key" "nginx.conf") | indent 2 }}
-{{- end }}
+{{- end }}
--- a/ironic/templates/deployment-api.yaml
+++ b/ironic/templates/deployment-api.yaml
@ -46,6 +46,25 @@ spec:
      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "30" }}
      initContainers:
 {{ tuple $envAll "api" $mounts_ironic_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: ironic-retrive-swift-config
+          image: {{ .Values.images.tags.ironic_retrive_swift_config }}
+          imagePullPolicy: {{ .Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.conductor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: OS_SWIFT_API_VERSION
+              value: {{ .Values.conf.ironic.glance.swift_api_version | quote }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.glance }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+          command:
+            - /tmp/retreive-swift-config.sh
+          volumeMounts:
+            - name: ironic-bin
+              mountPath: /tmp/retreive-swift-config.sh
+              subPath: retreive-swift-config.sh
+              readOnly: true
+            - name: pod-shared
+              mountPath: /tmp/pod-shared
        - name: ironic-retrive-cleaning-net
          image: {{ .Values.images.tags.ironic_retrive_cleaning_network }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
--- a/ironic/templates/secret-keystone.yaml
+++ b/ironic/templates/secret-keystone.yaml
@ -16,7 +16,7 @@ limitations under the License.

 {{- if .Values.manifests.secret_keystone }}
 {{- $envAll := . }}
-{{- range $key1, $userClass := tuple "admin" "ironic" }}
+{{- range $key1, $userClass := tuple "admin" "ironic" "glance" }}
 {{- $secretName := index $envAll.Values.secrets.identity $userClass }}
 ---
 apiVersion: v1
--- a/ironic/templates/statefulset-conductor.yaml
+++ b/ironic/templates/statefulset-conductor.yaml
@ -96,6 +96,25 @@ spec:
              readOnly: true
            - name: pod-shared
              mountPath: /tmp/pod-shared
+        - name: ironic-retrive-swift-config
+          image: {{ .Values.images.tags.ironic_retrive_swift_config }}
+          imagePullPolicy: {{ .Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.conductor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: OS_SWIFT_API_VERSION
+              value: {{ .Values.conf.ironic.glance.swift_api_version | quote }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.glance }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+          command:
+            - /tmp/retreive-swift-config.sh
+          volumeMounts:
+            - name: ironic-bin
+              mountPath: /tmp/retreive-swift-config.sh
+              subPath: retreive-swift-config.sh
+              readOnly: true
+            - name: pod-shared
+              mountPath: /tmp/pod-shared
        - name: ironic-retrive-cleaning-net
          image: {{ .Values.images.tags.ironic_retrive_cleaning_network }}
          imagePullPolicy: {{ .Values.images.pull_policy }}
--- a/ironic/values.yaml
+++ b/ironic/values.yaml
@ -34,6 +34,7 @@ images:
  tags:
    ironic_manage_cleaning_network: docker.io/openstackhelm/heat:newton
    ironic_retrive_cleaning_network: docker.io/openstackhelm/heat:newton
+    ironic_retrive_swift_config: docker.io/openstackhelm/heat:newton
    # Bootstrap image requires curl
    bootstrap: docker.io/openstackhelm/heat:newton
    db_init: docker.io/openstackhelm/heat:newton
@ -109,7 +110,10 @@ conf:
    glance:
      auth_type: password
      swift_temp_url_duration: 86400
-      temp_url_endpoint_type: radosgw
+      temp_url_endpoint_type: swift
+      swift_container: glance
+      swift_api_version: v1
+      auth_section: glance
    inspector:
      auth_type: password
    keystone_authtoken:
@ -117,7 +121,6 @@ conf:
      auth_version: v3
    neutron:
      auth_type: password
-      cleaning_network_uuid: null
    pxe:
      pxe_append_params: "nofb nomodeset vga=normal ipa-debug=1"
      images_path: /var/lib/openstack-helm/ironic/images
@ -280,6 +283,7 @@ secrets:
  identity:
    admin: ironic-keystone-admin
    ironic: ironic-keystone-user
+    glance: ironic-glance-keystone-user
  oslo_db:
    admin: ironic-db-admin
    ironic: ironic-db-user
@ -314,6 +318,14 @@ endpoints:
        project_name: admin
        user_domain_name: default
        project_domain_name: default
+      glance:
+        role: admin
+        region_name: RegionOne
+        username: glance
+        password: password
+        project_name: service
+        user_domain_name: default
+        project_domain_name: default
      ironic:
        role: admin
        region_name: RegionOne
@ -368,23 +380,6 @@ endpoints:
      api:
        default: 9292
        public: 80
-  ceph_object_store:
-    name: radosgw
-    namespace: ceph
-    auth:
-      glance:
-        tmpurlkey: supersecret
-    hosts:
-      default: ceph-rgw
-    host_fqdn_override:
-      default: null
-    path:
-      default: /auth/v1.0
-    scheme:
-      default: http
-    port:
-      api:
-        default: 8088
  oslo_db:
    auth:
      admin:
@ -451,6 +446,23 @@ endpoints:
      api:
        default: 9696
        public: 80
+  object_store:
+    name: swift
+    namespace: ceph
+    auth:
+      glance:
+        tmpurlkey: supersecret
+    hosts:
+      default: ceph-rgw
+    host_fqdn_override:
+      default: null
+    path:
+      default: /swift/v1/KEY_$(tenant_id)s
+    scheme:
+      default: http
+    port:
+      api:
+        default: 8088

 pod:
  affinity:
--- a/tools/deployment/baremetal/070-keystone.sh
+++ b/tools/deployment/baremetal/070-keystone.sh
--- a/tools/deployment/baremetal/080-ceph-radosgateway.sh
+++ b/tools/deployment/baremetal/080-ceph-radosgateway.sh
@ -0,0 +1 @@
+../developer/ceph/110-ceph-radosgateway.sh
--- a/tools/deployment/developer/ceph/120-glance.sh
+++ b/tools/deployment/developer/ceph/120-glance.sh
@ -22,7 +22,7 @@ make glance
 #NOTE: Deploy command
 : ${OSH_EXTRA_HELM_ARGS:=""}
 #NOTE(portdirect), this could be: radosgw, rbd, swift or pvc
-: ${GLANCE_BACKEND:="radosgw"}
+: ${GLANCE_BACKEND:="swift"}
 helm upgrade --install glance ./glance \
  --namespace=openstack \
  --set storage=${GLANCE_BACKEND} \
--- a/tools/gate/playbooks/ironic-deploy.yaml
+++ b/tools/gate/playbooks/ironic-deploy.yaml
@ -75,7 +75,13 @@
    - name: Deploy Keystone
      shell: |
        set -xe;
-        ./tools/deployment/baremetal/080-keystone.sh
+        ./tools/deployment/baremetal/070-keystone.sh
+      args:
+        chdir: "{{ zuul_osh_relative_path | default(zuul.project.src_dir) }}"
+    - name: Deploy Ceph RadosGW Endpoints
+      shell: |
+        set -xe;
+        ./tools/deployment/baremetal/080-ceph-radosgateway.sh
      args:
        chdir: "{{ zuul_osh_relative_path | default(zuul.project.src_dir) }}"
    - name: Deploy Glance
--- a/tools/images/ceph-config-helper/Dockerfile
+++ b/tools/images/ceph-config-helper/Dockerfile
@ -1,7 +1,7 @@
 FROM docker.io/ubuntu:xenial
 MAINTAINER pete.birley@att.com

-ARG KUBE_VERSION=v1.10.1
+ARG KUBE_VERSION=v1.10.2
 ARG CEPH_RELEASE=luminous

 ADD https://download.ceph.com/keys/release.asc /etc/apt/ceph-release.asc
@ -19,13 +19,21 @@ RUN set -ex ;\
        ca-certificates \
        ceph \
        curl \
+        gcc \
        python \
+        python-dev \
        jq ;\
    curl -sSL https://bootstrap.pypa.io/get-pip.py | python ;\
    pip --no-cache-dir install --upgrade \
      crush \
-      six ;\
+      six \
+      python-openstackclient \
+      python-swiftclient ;\
    curl -sSL https://dl.k8s.io/${KUBE_VERSION}/kubernetes-client-linux-amd64.tar.gz | tar -zxv --strip-components=1 ;\
    mv ${TMP_DIR}/client/bin/kubectl /usr/bin/kubectl ;\
    chmod +x /usr/bin/kubectl ;\
-    rm -rf ${TMP_DIR}
+    rm -rf ${TMP_DIR} ;\
+    apt-get purge -y --auto-remove \
+        python-dev \
+        gcc ;\
+    rm -rf /var/lib/apt/lists/*
--- a/tools/images/ceph-config-helper/Makefile
+++ b/tools/images/ceph-config-helper/Makefile
@ -19,7 +19,7 @@ DOCKER_REGISTRY            ?= docker.io
 IMAGE_NAME                 ?= ceph-config-helper
 IMAGE_PREFIX               ?= openstackhelm
 IMAGE_TAG                  ?= latest
-KUBE_VERSION               ?= v1.10.1
+KUBE_VERSION               ?= v1.10.2
 LABEL                      ?= putlabelshere

 IMAGE := ${DOCKER_REGISTRY}/${IMAGE_PREFIX}/${IMAGE_NAME}:${IMAGE_TAG}
--- a/tools/images/ceph-config-helper/README.rst
+++ b/tools/images/ceph-config-helper/README.rst
@ -31,7 +31,7 @@ repo run:

 .. code:: bash

-    export KUBE_VERSION=v1.10.1
+    export KUBE_VERSION=v1.10.2
    sudo docker build \
      --network host \
      --build-arg KUBE_VERSION=${KUBE_VERSION} \