From d342ac40cb6e0628c4ee1b4950130a05246908c5 Mon Sep 17 00:00:00 2001
From: Pete Birley <pete@port.direct>
Date: Thu, 10 May 2018 23:40:42 -0500
Subject: [PATCH] Ceph: Setup radosgw with increased swift support.

This PS updates the cephs config to deploy radosgw with greater
swift compatibility. Allowing clients to use RGW as though it
were a real swift deployment.

Change-Id: Id0a27b42b7f9c0c9e4b5a197ef50feb612e6adfc
---
 ceph-client/values.yaml                       | 10 ++--
 ceph-mon/values.yaml                          |  4 +-
 cinder/values.yaml                            |  4 +-
 glance/templates/bin/_storage-init.sh.tpl     | 53 +++++++++++--------
 glance/templates/job-storage-init.yaml        |  7 +++
 glance/values.yaml                            | 21 +++++++-
 gnocchi/values.yaml                           |  2 +-
 ironic/templates/bin/_ironic-api.sh.tpl       |  1 +
 ironic/templates/bin/_ironic-conductor.sh.tpl |  1 +
 .../bin/_retreive-swift-config.sh.tpl         | 35 ++++++++++++
 ironic/templates/configmap-bin.yaml           |  2 +
 ironic/templates/configmap-etc.yaml           | 16 +++---
 ironic/templates/deployment-api.yaml          | 19 +++++++
 ironic/templates/secret-keystone.yaml         |  2 +-
 ironic/templates/statefulset-conductor.yaml   | 19 +++++++
 ironic/values.yaml                            | 50 ++++++++++-------
 .../{080-keystone.sh => 070-keystone.sh}      |  0
 .../baremetal/080-ceph-radosgateway.sh        |  1 +
 tools/deployment/developer/ceph/120-glance.sh |  2 +-
 tools/gate/playbooks/ironic-deploy.yaml       |  8 ++-
 tools/images/ceph-config-helper/Dockerfile    | 14 +++--
 tools/images/ceph-config-helper/Makefile      |  2 +-
 tools/images/ceph-config-helper/README.rst    |  2 +-
 23 files changed, 208 insertions(+), 67 deletions(-)
 create mode 100644 ironic/templates/bin/_retreive-swift-config.sh.tpl
 rename tools/deployment/baremetal/{080-keystone.sh => 070-keystone.sh} (100%)
 create mode 120000 tools/deployment/baremetal/080-ceph-radosgateway.sh

diff --git a/ceph-client/values.yaml b/ceph-client/values.yaml
index 3877feb7ae..88804a57c2 100644
--- a/ceph-client/values.yaml
+++ b/ceph-client/values.yaml
@@ -26,10 +26,10 @@ images:
   tags:
     ceph_bootstrap: 'docker.io/ceph/daemon:tag-build-master-luminous-ubuntu-16.04'
     ceph_cephfs_provisioner: 'quay.io/external_storage/cephfs-provisioner:v0.1.1'
-    ceph_config_helper: 'docker.io/port/ceph-config-helper:v1.10.1'
+    ceph_config_helper: 'docker.io/port/ceph-config-helper:v1.10.2'
     ceph_mds: 'docker.io/ceph/daemon:tag-build-master-luminous-ubuntu-16.04'
     ceph_mgr: 'docker.io/ceph/daemon:tag-build-master-luminous-ubuntu-16.04'
-    ceph_rbd_pool: 'docker.io/port/ceph-config-helper:v1.10.1'
+    ceph_rbd_pool: 'docker.io/port/ceph-config-helper:v1.10.2'
     ceph_rbd_provisioner: 'quay.io/external_storage/rbd-provisioner:v0.1.1'
     ceph_rgw: 'docker.io/ceph/daemon:tag-build-master-luminous-ubuntu-16.04'
     dep_check: 'quay.io/stackanetes/kubernetes-entrypoint:v0.3.1'
@@ -275,8 +275,10 @@ conf:
     config:
       rgw_keystone_api_version: 3
       rgw_keystone_accepted_roles: "admin, _member_"
-      rgw_keystone_implicit_tenants: true
+      rgw_keystone_implicit_tenants: false
+      rgw_keystone_make_new_tenants: true
       rgw_s3_auth_use_keystone: true
+      rgw_swift_account_in_url: true
   ceph:
     global:
       # auth
@@ -488,7 +490,7 @@ endpoints:
     host_fqdn_override:
       default: null
     path:
-      default: /swift/v1
+      default: /swift/v1/KEY_$(tenant_id)s
     scheme:
       default: http
     port:
diff --git a/ceph-mon/values.yaml b/ceph-mon/values.yaml
index ba0a5a442d..8c7719e9ad 100644
--- a/ceph-mon/values.yaml
+++ b/ceph-mon/values.yaml
@@ -20,9 +20,9 @@ images:
   pull_policy: IfNotPresent
   tags:
     ceph_bootstrap: 'docker.io/ceph/daemon:tag-build-master-luminous-ubuntu-16.04'
-    ceph_config_helper: 'docker.io/port/ceph-config-helper:v1.10.1'
+    ceph_config_helper: 'docker.io/port/ceph-config-helper:v1.10.2'
     ceph_mon: 'docker.io/ceph/daemon:tag-build-master-luminous-ubuntu-16.04'
-    ceph_mon_check: 'docker.io/port/ceph-config-helper:v1.10.1'
+    ceph_mon_check: 'docker.io/port/ceph-config-helper:v1.10.2'
     dep_check: 'quay.io/stackanetes/kubernetes-entrypoint:v0.3.0'
     image_repo_sync: docker.io/docker:17.07.0
   local_registry:
diff --git a/cinder/values.yaml b/cinder/values.yaml
index 415f8f1310..6826e7be0a 100644
--- a/cinder/values.yaml
+++ b/cinder/values.yaml
@@ -56,9 +56,9 @@ images:
     cinder_scheduler: docker.io/openstackhelm/cinder:newton
     cinder_volume: docker.io/openstackhelm/cinder:newton
     cinder_volume_usage_audit: docker.io/openstackhelm/cinder:newton
-    cinder_storage_init: docker.io/ceph/daemon:tag-build-master-luminous-ubuntu-16.04
+    cinder_storage_init: docker.io/port/ceph-config-helper:v1.10.2
     cinder_backup: docker.io/openstackhelm/cinder:newton
-    cinder_backup_storage_init: docker.io/ceph/daemon:tag-build-master-luminous-ubuntu-16.04
+    cinder_backup_storage_init: docker.io/port/ceph-config-helper:v1.10.2
     dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
     image_repo_sync: docker.io/docker:17.07.0
   pull_policy: "IfNotPresent"
diff --git a/glance/templates/bin/_storage-init.sh.tpl b/glance/templates/bin/_storage-init.sh.tpl
index a4a0609040..1ca016e14c 100644
--- a/glance/templates/bin/_storage-init.sh.tpl
+++ b/glance/templates/bin/_storage-init.sh.tpl
@@ -21,65 +21,74 @@ if [ "x$STORAGE_BACKEND" == "xrbd" ]; then
   SECRET=$(mktemp --suffix .yaml)
   KEYRING=$(mktemp --suffix .keyring)
   function cleanup {
-      rm -f ${SECRET} ${KEYRING}
+      rm -f "${SECRET}" "${KEYRING}"
   }
   trap cleanup EXIT
 fi
 
 set -ex
-if [ "x$STORAGE_BACKEND" == "xpvc" ] || [ "x$STORAGE_BACKEND" == "xswift" ]; then
+if [ "x$STORAGE_BACKEND" == "xpvc" ]; then
   echo "No action required."
+elif [ "x$STORAGE_BACKEND" == "xswift" ]; then
+  OS_TOKEN="$(openstack token issue -f value -c id)"
+  OS_PROJECT_ID="$(openstack project show service -f value -c id)"
+  OS_SWIFT_ENDPOINT_PREFIX="$(openstack endpoint list --service swift --interface public -f value -c URL | awk -F '$' '{ print $1 }')"
+  OS_SWIFT_SCOPED_ENDPOINT="${OS_SWIFT_ENDPOINT_PREFIX}${OS_PROJECT_ID}"
+  curl -i -X POST "${OS_SWIFT_SCOPED_ENDPOINT}" \
+    -H "X-Auth-Token: ${OS_TOKEN}" \
+    -H "X-Account-Meta-Temp-URL-Key: ${SWIFT_TMPURL_KEY}"
 elif [ "x$STORAGE_BACKEND" == "xrbd" ]; then
   ceph -s
   function ensure_pool () {
-    ceph osd pool stats $1 || ceph osd pool create $1 $2
-    local test_luminous=$(ceph tell osd.* version | egrep -c "12.2|luminous")
+    ceph osd pool stats "$1" || ceph osd pool create "$1" "$2"
+    local test_luminous
+    test_luminous=$(ceph tell osd.* version | egrep -c "12.2|luminous")
     if [[ ${test_luminous} -gt 0 ]]; then
-      ceph osd pool application enable $1 $3
+      ceph osd pool application enable "$1" "$3"
     fi
   }
-  ensure_pool ${RBD_POOL_NAME} ${RBD_POOL_CHUNK_SIZE} "glance-image"
+  ensure_pool "${RBD_POOL_NAME}" "${RBD_POOL_CHUNK_SIZE}" "glance-image"
 
-  if USERINFO=$(ceph auth get client.${RBD_POOL_USER}); then
-    KEYSTR=$(echo $USERINFO | sed 's/.*\( key = .*\) caps mon.*/\1/')
-    echo $KEYSTR  > ${KEYRING}
+  if USERINFO=$(ceph auth get "client.${RBD_POOL_USER}"); then
+    KEYSTR=$(echo "${USERINFO}" | sed 's/.*\( key = .*\) caps mon.*/\1/')
+    echo "${KEYSTR}" > "${KEYRING}"
   else
     #NOTE(Portdirect): Determine proper privs to assign keyring
-    ceph auth get-or-create client.${RBD_POOL_USER} \
+    ceph auth get-or-create "client.${RBD_POOL_USER}" \
       mon "allow *" \
       osd "allow *" \
       mgr "allow *" \
-      -o ${KEYRING}
+      -o "${KEYRING}"
   fi
 
-  ENCODED_KEYRING=$(sed -n 's/^[[:blank:]]*key[[:blank:]]\+=[[:blank:]]\(.*\)/\1/p' ${KEYRING} | base64 -w0)
-  cat > ${SECRET} <<EOF
+  ENCODED_KEYRING=$(sed -n 's/^[[:blank:]]*key[[:blank:]]\+=[[:blank:]]\(.*\)/\1/p' "${KEYRING}" | base64 -w0)
+  cat > "${SECRET}" <<EOF
 apiVersion: v1
 kind: Secret
 metadata:
   name: "${RBD_POOL_SECRET}"
 type: kubernetes.io/rbd
 data:
-  key: $( echo ${ENCODED_KEYRING} )
+  key: "${ENCODED_KEYRING}"
 EOF
-  kubectl apply --namespace ${NAMESPACE} -f ${SECRET}
-elif [ "x$STORAGE_BACKEND" == "xradosgw" ]; then
+  kubectl apply --namespace "${NAMESPACE}" -f "${SECRET}"
+elif [ "x${STORAGE_BACKEND}" == "xradosgw" ]; then
   radosgw-admin user stats --uid="${RADOSGW_USERNAME}" || \
     radosgw-admin user create \
       --uid="${RADOSGW_USERNAME}" \
       --display-name="${RADOSGW_USERNAME} user"
 
   radosgw-admin subuser create \
-    --uid=${RADOSGW_USERNAME} \
-    --subuser=${RADOSGW_USERNAME}:swift \
+    --uid="${RADOSGW_USERNAME}" \
+    --subuser="${RADOSGW_USERNAME}:swift" \
     --access=full
 
   radosgw-admin key create \
-    --subuser=${RADOSGW_USERNAME}:swift \
+    --subuser="${RADOSGW_USERNAME}:swift" \
     --key-type=swift \
-    --secret=${RADOSGW_PASSWORD}
+    --secret="${RADOSGW_PASSWORD}"
 
   radosgw-admin user modify \
-    --uid=${RADOSGW_USERNAME} \
-    --temp-url-key=${RADOSGW_TMPURL_KEY}
+    --uid="${RADOSGW_USERNAME}" \
+    --temp-url-key="${RADOSGW_TMPURL_KEY}"
 fi
diff --git a/glance/templates/job-storage-init.yaml b/glance/templates/job-storage-init.yaml
index eb4727c709..e3fd37a5f3 100644
--- a/glance/templates/job-storage-init.yaml
+++ b/glance/templates/job-storage-init.yaml
@@ -116,6 +116,13 @@ spec:
             - name: RADOSGW_TMPURL_KEY
               value: {{ .Values.endpoints.ceph_object_store.auth.glance.tmpurlkey | quote }}
             {{ end }}
+            {{- if eq .Values.storage "swift" }}
+            - name: SWIFT_TMPURL_KEY
+              value: {{ .Values.endpoints.object_store.auth.glance.tmpurlkey | quote }}
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.glance }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            {{ end }}
           command:
             - /tmp/storage-init.sh
           volumeMounts:
diff --git a/glance/values.yaml b/glance/values.yaml
index 44974cf49a..4247bc4859 100644
--- a/glance/values.yaml
+++ b/glance/values.yaml
@@ -39,7 +39,7 @@ release_group: null
 images:
   tags:
     test: docker.io/kolla/ubuntu-source-rally:4.0.0
-    glance_storage_init: docker.io/ceph/daemon:tag-build-master-luminous-ubuntu-16.04
+    glance_storage_init: docker.io/port/ceph-config-helper:v1.10.2
     db_init: docker.io/openstackhelm/heat:newton
     glance_db_sync: docker.io/openstackhelm/glance:newton
     db_drop: docker.io/openstackhelm/heat:newton
@@ -411,6 +411,8 @@ dependencies:
         - endpoint: internal
           service: image
     storage_init:
+      jobs:
+        - glance-ks-user
       services: null
     tests:
       services:
@@ -578,6 +580,23 @@ endpoints:
         default: 5672
       http:
         default: 15672
+  object_store:
+    name: swift
+    namespace: ceph
+    auth:
+      glance:
+        tmpurlkey: supersecret
+    hosts:
+      default: ceph-rgw
+    host_fqdn_override:
+      default: null
+    path:
+      default: /swift/v1/KEY_$(tenant_id)s
+    scheme:
+      default: http
+    port:
+      api:
+        default: 8088
   ceph_object_store:
     name: radosgw
     namespace: ceph
diff --git a/gnocchi/values.yaml b/gnocchi/values.yaml
index 2d4ab3ad78..95a17d9a81 100644
--- a/gnocchi/values.yaml
+++ b/gnocchi/values.yaml
@@ -24,7 +24,7 @@ release_group: null
 images:
   tags:
     dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
-    gnocchi_storage_init: docker.io/ceph/daemon:tag-build-master-luminous-ubuntu-16.04
+    gnocchi_storage_init: docker.io/port/ceph-config-helper:v1.10.2
     db_init_indexer: docker.io/postgres:9.5
     # using non-kolla images until kolla supports postgres as
     # an indexer
diff --git a/ironic/templates/bin/_ironic-api.sh.tpl b/ironic/templates/bin/_ironic-api.sh.tpl
index 97e312ab9d..6c6c8225ca 100644
--- a/ironic/templates/bin/_ironic-api.sh.tpl
+++ b/ironic/templates/bin/_ironic-api.sh.tpl
@@ -22,6 +22,7 @@ COMMAND="${@:-start}"
 function start () {
   exec ironic-api \
         --config-file /etc/ironic/ironic.conf \
+        --config-file /tmp/pod-shared/swift.conf \
         --config-file /tmp/pod-shared/cleaning-network.conf
 }
 
diff --git a/ironic/templates/bin/_ironic-conductor.sh.tpl b/ironic/templates/bin/_ironic-conductor.sh.tpl
index c5e471b51e..a59e68738c 100644
--- a/ironic/templates/bin/_ironic-conductor.sh.tpl
+++ b/ironic/templates/bin/_ironic-conductor.sh.tpl
@@ -24,4 +24,5 @@ mkdir -p /var/lib/openstack-helm/ironic/master_images
 exec ironic-conductor \
       --config-file /etc/ironic/ironic.conf \
       --config-file /tmp/pod-shared/conductor-local-ip.conf \
+      --config-file /tmp/pod-shared/swift.conf \
       --config-file /tmp/pod-shared/cleaning-network.conf
diff --git a/ironic/templates/bin/_retreive-swift-config.sh.tpl b/ironic/templates/bin/_retreive-swift-config.sh.tpl
new file mode 100644
index 0000000000..6868e06fc4
--- /dev/null
+++ b/ironic/templates/bin/_retreive-swift-config.sh.tpl
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+OS_SWIFT_ENDPOINT="$(openstack endpoint list \
+    --service swift \
+    --interface public \
+    -f value \
+    -c URL | head -1 )"
+OS_SWIFT_HOST_AND_PATH_PREFIX="$(echo "${OS_SWIFT_ENDPOINT}" | awk -F "/${OS_SWIFT_API_VERSION}" '{ print $1 }')"
+OS_SWIFT_ACCOUNT_PREFIX="$(echo "${OS_SWIFT_ENDPOINT}" | awk -F "/${OS_SWIFT_API_VERSION}/" '{ print $NF }' | awk -F '$' '{ print $1 }')"
+OS_PROJECT_ID="$(openstack project show ${OS_PROJECT_NAME} -f value -c id)"
+OS_SWIFT_ACCOUNT="$(echo "${OS_SWIFT_ACCOUNT_PREFIX}${OS_PROJECT_ID}")"
+
+tee /tmp/pod-shared/swift.conf <<EOF
+[glance]
+swift_endpoint_url: "${OS_SWIFT_HOST_AND_PATH_PREFIX}"
+swift_account: "${OS_SWIFT_ACCOUNT}"
+EOF
diff --git a/ironic/templates/configmap-bin.yaml b/ironic/templates/configmap-bin.yaml
index 32cc667edf..1b6852c8eb 100644
--- a/ironic/templates/configmap-bin.yaml
+++ b/ironic/templates/configmap-bin.yaml
@@ -34,6 +34,8 @@ data:
 {{ tuple "bin/_manage-cleaning-network.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   retreive-cleaning-network.sh: |
 {{ tuple "bin/_retreive-cleaning-network.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  retreive-swift-config.sh: |
+{{ tuple "bin/_retreive-swift-config.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   db-init.py: |
 {{- include "helm-toolkit.scripts.db_init" . | indent 4 }}
   db-sync.sh: |
diff --git a/ironic/templates/configmap-etc.yaml b/ironic/templates/configmap-etc.yaml
index 73bd0def3e..d8a6487fa9 100644
--- a/ironic/templates/configmap-etc.yaml
+++ b/ironic/templates/configmap-etc.yaml
@@ -68,19 +68,19 @@ limitations under the License.
 {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.ironic.glance "auth_url" | quote | trunc 0 -}}
 {{- end -}}
 {{- if empty .Values.conf.ironic.glance.project_name -}}
-{{- set .Values.conf.ironic.glance "project_name" .Values.endpoints.identity.auth.ironic.project_name | quote | trunc 0 -}}
+{{- set .Values.conf.ironic.glance "project_name" .Values.endpoints.identity.auth.glance.project_name | quote | trunc 0 -}}
 {{- end -}}
 {{- if empty .Values.conf.ironic.glance.project_domain_name -}}
-{{- set .Values.conf.ironic.glance "project_domain_name" .Values.endpoints.identity.auth.ironic.project_domain_name | quote | trunc 0 -}}
+{{- set .Values.conf.ironic.glance "project_domain_name" .Values.endpoints.identity.auth.glance.project_domain_name | quote | trunc 0 -}}
 {{- end -}}
 {{- if empty .Values.conf.ironic.glance.user_domain_name -}}
-{{- set .Values.conf.ironic.glance "user_domain_name" .Values.endpoints.identity.auth.ironic.user_domain_name | quote | trunc 0 -}}
+{{- set .Values.conf.ironic.glance "user_domain_name" .Values.endpoints.identity.auth.glance.user_domain_name | quote | trunc 0 -}}
 {{- end -}}
 {{- if empty .Values.conf.ironic.glance.username -}}
-{{- set .Values.conf.ironic.glance "username" .Values.endpoints.identity.auth.ironic.username | quote | trunc 0 -}}
+{{- set .Values.conf.ironic.glance "username" .Values.endpoints.identity.auth.glance.username | quote | trunc 0 -}}
 {{- end -}}
 {{- if empty .Values.conf.ironic.glance.password -}}
-{{- set .Values.conf.ironic.glance "password" .Values.endpoints.identity.auth.ironic.password | quote | trunc 0 -}}
+{{- set .Values.conf.ironic.glance "password" .Values.endpoints.identity.auth.glance.password | quote | trunc 0 -}}
 {{- end -}}
 
 
@@ -173,11 +173,11 @@ limitations under the License.
 {{- end -}}
 
 {{- if empty .Values.conf.ironic.glance.swift_endpoint_url -}}
-{{- tuple "ceph_object_store" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| trimSuffix .Values.endpoints.ceph_object_store.path.default | set .Values.conf.ironic.glance "swift_endpoint_url" | quote | trunc 0 -}}
+{{- tuple "object_store" "public" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| trimSuffix .Values.endpoints.object_store.path.default | set .Values.conf.ironic.glance "swift_endpoint_url" | quote | trunc 0 -}}
 {{- end -}}
 
 {{- if empty .Values.conf.ironic.glance.swift_temp_url_key -}}
-{{- set .Values.conf.ironic.glance "swift_temp_url_key" .Values.endpoints.ceph_object_store.auth.glance.tmpurlkey | quote | trunc 0 -}}
+{{- set .Values.conf.ironic.glance "swift_temp_url_key" .Values.endpoints.object_store.auth.glance.tmpurlkey | quote | trunc 0 -}}
 {{- end -}}
 
 {{- if empty .Values.conf.ironic.api.port -}}
@@ -196,4 +196,4 @@ data:
 {{  toJson .Values.conf.policy | indent 4 }}
 {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.tftp_map_file "key" "tftp-map-file") | indent 2 }}
 {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.nginx "key" "nginx.conf") | indent 2 }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/ironic/templates/deployment-api.yaml b/ironic/templates/deployment-api.yaml
index 402471aff1..340d4f48ae 100644
--- a/ironic/templates/deployment-api.yaml
+++ b/ironic/templates/deployment-api.yaml
@@ -46,6 +46,25 @@ spec:
       terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.api.timeout | default "30" }}
       initContainers:
 {{ tuple $envAll "api" $mounts_ironic_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+        - name: ironic-retrive-swift-config
+          image: {{ .Values.images.tags.ironic_retrive_swift_config }}
+          imagePullPolicy: {{ .Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.conductor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: OS_SWIFT_API_VERSION
+              value: {{ .Values.conf.ironic.glance.swift_api_version | quote }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.glance }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+          command:
+            - /tmp/retreive-swift-config.sh
+          volumeMounts:
+            - name: ironic-bin
+              mountPath: /tmp/retreive-swift-config.sh
+              subPath: retreive-swift-config.sh
+              readOnly: true
+            - name: pod-shared
+              mountPath: /tmp/pod-shared
         - name: ironic-retrive-cleaning-net
           image: {{ .Values.images.tags.ironic_retrive_cleaning_network }}
           imagePullPolicy: {{ .Values.images.pull_policy }}
diff --git a/ironic/templates/secret-keystone.yaml b/ironic/templates/secret-keystone.yaml
index 0d76607df0..38b4f13665 100644
--- a/ironic/templates/secret-keystone.yaml
+++ b/ironic/templates/secret-keystone.yaml
@@ -16,7 +16,7 @@ limitations under the License.
 
 {{- if .Values.manifests.secret_keystone }}
 {{- $envAll := . }}
-{{- range $key1, $userClass := tuple "admin" "ironic" }}
+{{- range $key1, $userClass := tuple "admin" "ironic" "glance" }}
 {{- $secretName := index $envAll.Values.secrets.identity $userClass }}
 ---
 apiVersion: v1
diff --git a/ironic/templates/statefulset-conductor.yaml b/ironic/templates/statefulset-conductor.yaml
index 347729b52e..2bfc1d07b4 100644
--- a/ironic/templates/statefulset-conductor.yaml
+++ b/ironic/templates/statefulset-conductor.yaml
@@ -96,6 +96,25 @@ spec:
               readOnly: true
             - name: pod-shared
               mountPath: /tmp/pod-shared
+        - name: ironic-retrive-swift-config
+          image: {{ .Values.images.tags.ironic_retrive_swift_config }}
+          imagePullPolicy: {{ .Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.conductor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: OS_SWIFT_API_VERSION
+              value: {{ .Values.conf.ironic.glance.swift_api_version | quote }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.glance }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+          command:
+            - /tmp/retreive-swift-config.sh
+          volumeMounts:
+            - name: ironic-bin
+              mountPath: /tmp/retreive-swift-config.sh
+              subPath: retreive-swift-config.sh
+              readOnly: true
+            - name: pod-shared
+              mountPath: /tmp/pod-shared
         - name: ironic-retrive-cleaning-net
           image: {{ .Values.images.tags.ironic_retrive_cleaning_network }}
           imagePullPolicy: {{ .Values.images.pull_policy }}
diff --git a/ironic/values.yaml b/ironic/values.yaml
index 6cdb7dd21a..08bab364df 100644
--- a/ironic/values.yaml
+++ b/ironic/values.yaml
@@ -34,6 +34,7 @@ images:
   tags:
     ironic_manage_cleaning_network: docker.io/openstackhelm/heat:newton
     ironic_retrive_cleaning_network: docker.io/openstackhelm/heat:newton
+    ironic_retrive_swift_config: docker.io/openstackhelm/heat:newton
     # Bootstrap image requires curl
     bootstrap: docker.io/openstackhelm/heat:newton
     db_init: docker.io/openstackhelm/heat:newton
@@ -109,7 +110,10 @@ conf:
     glance:
       auth_type: password
       swift_temp_url_duration: 86400
-      temp_url_endpoint_type: radosgw
+      temp_url_endpoint_type: swift
+      swift_container: glance
+      swift_api_version: v1
+      auth_section: glance
     inspector:
       auth_type: password
     keystone_authtoken:
@@ -117,7 +121,6 @@ conf:
       auth_version: v3
     neutron:
       auth_type: password
-      cleaning_network_uuid: null
     pxe:
       pxe_append_params: "nofb nomodeset vga=normal ipa-debug=1"
       images_path: /var/lib/openstack-helm/ironic/images
@@ -280,6 +283,7 @@ secrets:
   identity:
     admin: ironic-keystone-admin
     ironic: ironic-keystone-user
+    glance: ironic-glance-keystone-user
   oslo_db:
     admin: ironic-db-admin
     ironic: ironic-db-user
@@ -314,6 +318,14 @@ endpoints:
         project_name: admin
         user_domain_name: default
         project_domain_name: default
+      glance:
+        role: admin
+        region_name: RegionOne
+        username: glance
+        password: password
+        project_name: service
+        user_domain_name: default
+        project_domain_name: default
       ironic:
         role: admin
         region_name: RegionOne
@@ -368,23 +380,6 @@ endpoints:
       api:
         default: 9292
         public: 80
-  ceph_object_store:
-    name: radosgw
-    namespace: ceph
-    auth:
-      glance:
-        tmpurlkey: supersecret
-    hosts:
-      default: ceph-rgw
-    host_fqdn_override:
-      default: null
-    path:
-      default: /auth/v1.0
-    scheme:
-      default: http
-    port:
-      api:
-        default: 8088
   oslo_db:
     auth:
       admin:
@@ -451,6 +446,23 @@ endpoints:
       api:
         default: 9696
         public: 80
+  object_store:
+    name: swift
+    namespace: ceph
+    auth:
+      glance:
+        tmpurlkey: supersecret
+    hosts:
+      default: ceph-rgw
+    host_fqdn_override:
+      default: null
+    path:
+      default: /swift/v1/KEY_$(tenant_id)s
+    scheme:
+      default: http
+    port:
+      api:
+        default: 8088
 
 pod:
   affinity:
diff --git a/tools/deployment/baremetal/080-keystone.sh b/tools/deployment/baremetal/070-keystone.sh
similarity index 100%
rename from tools/deployment/baremetal/080-keystone.sh
rename to tools/deployment/baremetal/070-keystone.sh
diff --git a/tools/deployment/baremetal/080-ceph-radosgateway.sh b/tools/deployment/baremetal/080-ceph-radosgateway.sh
new file mode 120000
index 0000000000..c7c9affb15
--- /dev/null
+++ b/tools/deployment/baremetal/080-ceph-radosgateway.sh
@@ -0,0 +1 @@
+../developer/ceph/110-ceph-radosgateway.sh
\ No newline at end of file
diff --git a/tools/deployment/developer/ceph/120-glance.sh b/tools/deployment/developer/ceph/120-glance.sh
index 05f54c95da..01b9867278 100755
--- a/tools/deployment/developer/ceph/120-glance.sh
+++ b/tools/deployment/developer/ceph/120-glance.sh
@@ -22,7 +22,7 @@ make glance
 #NOTE: Deploy command
 : ${OSH_EXTRA_HELM_ARGS:=""}
 #NOTE(portdirect), this could be: radosgw, rbd, swift or pvc
-: ${GLANCE_BACKEND:="radosgw"}
+: ${GLANCE_BACKEND:="swift"}
 helm upgrade --install glance ./glance \
   --namespace=openstack \
   --set storage=${GLANCE_BACKEND} \
diff --git a/tools/gate/playbooks/ironic-deploy.yaml b/tools/gate/playbooks/ironic-deploy.yaml
index d1391c8e1a..3d2bf4e575 100644
--- a/tools/gate/playbooks/ironic-deploy.yaml
+++ b/tools/gate/playbooks/ironic-deploy.yaml
@@ -75,7 +75,13 @@
     - name: Deploy Keystone
       shell: |
         set -xe;
-        ./tools/deployment/baremetal/080-keystone.sh
+        ./tools/deployment/baremetal/070-keystone.sh
+      args:
+        chdir: "{{ zuul_osh_relative_path | default(zuul.project.src_dir) }}"
+    - name: Deploy Ceph RadosGW Endpoints
+      shell: |
+        set -xe;
+        ./tools/deployment/baremetal/080-ceph-radosgateway.sh
       args:
         chdir: "{{ zuul_osh_relative_path | default(zuul.project.src_dir) }}"
     - name: Deploy Glance
diff --git a/tools/images/ceph-config-helper/Dockerfile b/tools/images/ceph-config-helper/Dockerfile
index 0222b9f8f0..0b5e88d30e 100644
--- a/tools/images/ceph-config-helper/Dockerfile
+++ b/tools/images/ceph-config-helper/Dockerfile
@@ -1,7 +1,7 @@
 FROM docker.io/ubuntu:xenial
 MAINTAINER pete.birley@att.com
 
-ARG KUBE_VERSION=v1.10.1
+ARG KUBE_VERSION=v1.10.2
 ARG CEPH_RELEASE=luminous
 
 ADD https://download.ceph.com/keys/release.asc /etc/apt/ceph-release.asc
@@ -19,13 +19,21 @@ RUN set -ex ;\
         ca-certificates \
         ceph \
         curl \
+        gcc \
         python \
+        python-dev \
         jq ;\
     curl -sSL https://bootstrap.pypa.io/get-pip.py | python ;\
     pip --no-cache-dir install --upgrade \
       crush \
-      six ;\
+      six \
+      python-openstackclient \
+      python-swiftclient ;\
     curl -sSL https://dl.k8s.io/${KUBE_VERSION}/kubernetes-client-linux-amd64.tar.gz | tar -zxv --strip-components=1 ;\
     mv ${TMP_DIR}/client/bin/kubectl /usr/bin/kubectl ;\
     chmod +x /usr/bin/kubectl ;\
-    rm -rf ${TMP_DIR}
+    rm -rf ${TMP_DIR} ;\
+    apt-get purge -y --auto-remove \
+        python-dev \
+        gcc ;\
+    rm -rf /var/lib/apt/lists/*
diff --git a/tools/images/ceph-config-helper/Makefile b/tools/images/ceph-config-helper/Makefile
index ff51d32ca7..755ab22b68 100644
--- a/tools/images/ceph-config-helper/Makefile
+++ b/tools/images/ceph-config-helper/Makefile
@@ -19,7 +19,7 @@ DOCKER_REGISTRY            ?= docker.io
 IMAGE_NAME                 ?= ceph-config-helper
 IMAGE_PREFIX               ?= openstackhelm
 IMAGE_TAG                  ?= latest
-KUBE_VERSION               ?= v1.10.1
+KUBE_VERSION               ?= v1.10.2
 LABEL                      ?= putlabelshere
 
 IMAGE := ${DOCKER_REGISTRY}/${IMAGE_PREFIX}/${IMAGE_NAME}:${IMAGE_TAG}
diff --git a/tools/images/ceph-config-helper/README.rst b/tools/images/ceph-config-helper/README.rst
index 82f4b31d85..73d1b994f0 100644
--- a/tools/images/ceph-config-helper/README.rst
+++ b/tools/images/ceph-config-helper/README.rst
@@ -31,7 +31,7 @@ repo run:
 
 .. code:: bash
 
-    export KUBE_VERSION=v1.10.1
+    export KUBE_VERSION=v1.10.2
     sudo docker build \
       --network host \
       --build-arg KUBE_VERSION=${KUBE_VERSION} \