10 files changed, 82 insertions, 86 deletions

diff --git a/manifests/haproxy/endpoint.pp b/manifests/haproxy/endpoint.pp
index 0bba245..2f60b24 100644
--- a/manifests/haproxy/endpoint.pp
+++ b/manifests/haproxy/endpoint.pp
@@ -166,6 +166,8 @@ define tripleo::haproxy::endpoint (
           'dport' => $public_ssl_port,
         },
       }
+    } else {
+      $haproxy_ssl_firewall_rules = {}
     }
     $firewall_rules = merge($haproxy_firewall_rules, $haproxy_ssl_firewall_rules)
     if $service_port or $public_ssl_port {
diff --git a/manifests/profile/base/ceph/rgw.pp b/manifests/profile/base/ceph/rgw.pp
index 2ecca52..8443de0 100644
--- a/manifests/profile/base/ceph/rgw.pp
+++ b/manifests/profile/base/ceph/rgw.pp
@@ -29,6 +29,10 @@
 # [*keystone_admin_token*]
 #   The keystone admin token
 #
+# [*rgw_keystone_version*] The api version for keystone.
+#   Possible values 'v2.0', 'v3'
+#   Optional. Default is 'v2.0'
+#
 # [*keystone_url*]
 #   The internal or admin url for keystone
 #
@@ -44,9 +48,10 @@ class tripleo::profile::base::ceph::rgw (
   $keystone_admin_token,
   $keystone_url,
   $rgw_key,
-  $civetweb_bind_ip   = '127.0.0.1',
-  $civetweb_bind_port = '8080',
-  $step               = hiera('step'),
+  $civetweb_bind_ip            = '127.0.0.1',
+  $civetweb_bind_port          = '8080',
+  $rgw_keystone_version        = 'v2.0',
+  $step                        = hiera('step'),
 ) {
 
   include ::tripleo::profile::base::ceph
@@ -58,7 +63,8 @@ class tripleo::profile::base::ceph::rgw (
     include ::ceph::profile::base
     ceph::rgw { $rgw_name:
       frontend_type => 'civetweb',
-      rgw_frontends => "civetweb port=${civetweb_bind_ip_real}:${civetweb_bind_port}"
+      rgw_frontends => "civetweb port=${civetweb_bind_ip_real}:${civetweb_bind_port}",
+      user          => 'ceph',
     }
     ceph::key { "client.${rgw_name}":
       secret  => $rgw_key,
@@ -69,11 +75,24 @@ class tripleo::profile::base::ceph::rgw (
   }
 
   if $step >= 4 {
-    ceph::rgw::keystone { $rgw_name:
-      rgw_keystone_accepted_roles => ['admin', '_member_', 'Member'],
-      use_pki                     => false,
-      rgw_keystone_admin_token    => $keystone_admin_token,
-      rgw_keystone_url            => $keystone_url,
+    if $rgw_keystone_version == 'v2.0' {
+      ceph::rgw::keystone { $rgw_name:
+        rgw_keystone_accepted_roles => ['admin', '_member_', 'Member'],
+        use_pki                     => false,
+        rgw_keystone_admin_token    => $keystone_admin_token,
+        rgw_keystone_url            => $keystone_url,
+        user                        => 'ceph',
+      }
+    }
+    else
+    {
+      ceph::rgw::keystone { $rgw_name:
+        rgw_keystone_accepted_roles => ['admin', '_member_', 'Member'],
+        use_pki                     => false,
+        rgw_keystone_url            => $keystone_url,
+        rgw_keystone_version        => $rgw_keystone_version,
+        user                        => 'ceph',
+      }
     }
   }
 }
diff --git a/manifests/profile/base/database/mysql.pp b/manifests/profile/base/database/mysql.pp
index 634b615..1e53048 100644
--- a/manifests/profile/base/database/mysql.pp
+++ b/manifests/profile/base/database/mysql.pp
@@ -66,37 +66,6 @@
 #   for more details.
 #   Defaults to hiera('step')
 #
-# [*nova_messaging_driver*]
-#   Driver for messaging service. Will fallback to looking up in hiera
-#   using hiera('messaging_service_name', 'rabbit') if the parameter is not
-#   specified.
-#   Defaults to undef.
-#
-# [*nova_messaging_hosts*]
-#   list of the messaging host fqdns. Will fallback to looking up in hiera
-#   using hiera('rabbitmq_node_names') if the parameter is not specified.
-#   Defaults to undef.
-#
-# [*nova_messaging_port*]
-#   IP port for messaging service. Will fallback to looking up in hiera using
-#   hiera('nova::rabbit_port', 5672) if the parameter is not specified.
-#   Defaults to undef.
-#
-# [*nova_messaging_username*]
-#   Username for messaging nova queue. Will fallback to looking up in hiera
-#   using hiera('nova::rabbit_userid', 'guest') if the parameter is not
-#   specified.
-#   Defaults to undef.
-#
-# [*nova_messaging_password*]
-#   Password for messaging nova queue. Will fallback to looking up in hiera
-#   using hiera('nova::rabbit_password') if the parameter is not specified.
-#   Defaults to undef.
-#
-# [*nova_messaging_use_ssl*]
-#   Flag indicating ssl usage. Will fallback to looking up in hiera using
-#   hiera('nova::rabbit_use_ssl', '0') if the parameter is not specified.
-#   Defaults to undef.
 #
 class tripleo::profile::base::database::mysql (
   $bind_address                  = $::hostname,
@@ -108,12 +77,6 @@ class tripleo::profile::base::database::mysql (
   $mysql_server_options          = {},
   $remove_default_accounts       = true,
   $step                          = hiera('step'),
-  $nova_messaging_driver         = undef,
-  $nova_messaging_hosts          = undef,
-  $nova_messaging_password       = undef,
-  $nova_messaging_port           = undef,
-  $nova_messaging_username       = undef,
-  $nova_messaging_use_ssl        = undef,
 ) {
 
   if $::hostname == downcase($bootstrap_node) {
@@ -214,38 +177,7 @@ class tripleo::profile::base::database::mysql (
     }
     if hiera('nova_api_enabled', false) {
       include ::nova::db::mysql
-      # NOTE(aschultz): I am generally opposed to this, however given that the
-      # nova api is optional, we need to do this lookups only if not provided
-      # via parameters.
-      $messaging_driver_real = pick($nova_messaging_driver,
-        hiera('messaging_service_name', 'rabbit'))
-      $messaging_hosts_real = any2array(
-        pick($nova_messaging_hosts, hiera('rabbitmq_node_names')))
-      # TODO(aschultz): remove sprintf once we properly type the port, needs
-      # to be a string for the os_transport_url function.
-      $messaging_port_real = sprintf('%s',
-        pick($nova_messaging_port, hiera('nova::rabbit_port', '5672')))
-      $messaging_username_real = pick($nova_messaging_username,
-        hiera('nova::rabbit_userid', 'guest'))
-      $messaging_password_real = pick($nova_messaging_password,
-        hiera('nova::rabbit_password'))
-      $messaging_use_ssl_real = sprintf('%s', bool2num(str2bool(
-        pick($nova_messaging_use_ssl, hiera('nova::rabbit_user_ssl', '0')))))
-
-      # TODO(aschultz): switch this back to an include once setup_cell0 in THT
-      class { '::nova::db::mysql_api':
-        setup_cell0 => true,
-      }
-      class { '::nova::db::sync_cell_v2':
-        transport_url => os_transport_url({
-          'transport' => $messaging_driver_real,
-          'hosts'     => $messaging_hosts_real,
-          'port'      => $messaging_port_real,
-          'username'  => $messaging_username_real,
-          'password'  => $messaging_password_real,
-          'ssl'       => $messaging_use_ssl_real,
-        }),
-      }
+      include ::nova::db::mysql_api
     }
     if hiera('sahara_api_enabled', false) {
       include ::sahara::db::mysql
diff --git a/manifests/profile/base/glance/api.pp b/manifests/profile/base/glance/api.pp
index bfa9572..8945fff 100644
--- a/manifests/profile/base/glance/api.pp
+++ b/manifests/profile/base/glance/api.pp
@@ -77,14 +77,7 @@ class tripleo::profile::base::glance::api (
     include ::glance::config
     class { '::glance::api':
       stores  => $glance_store,
-      sync_db => false,
-    }
-    # When https://review.openstack.org/#/c/408554 is merged,
-    # Remove this block and set sync_db to $sync_db in glance::api.
-    if $sync_db {
-      class { '::glance::db::sync':
-        extra_params => '',
-      }
+      sync_db => $sync_db,
     }
     $rabbit_endpoints = suffix(any2array($rabbit_hosts), ":${rabbit_port}")
     class { '::glance::notify::rabbitmq' :
diff --git a/manifests/profile/base/nova.pp b/manifests/profile/base/nova.pp
index ab9700f..63adbef 100644
--- a/manifests/profile/base/nova.pp
+++ b/manifests/profile/base/nova.pp
@@ -50,6 +50,10 @@
 #   Username for messaging nova queue
 #   Defaults to hiera('nova::rabbit_userid', 'guest')
 #
+# [*messaging_use_ssl*]
+#   Flag indicating ssl usage.
+#   Defaults to hiera('nova::rabbit_use_ssl', '0')
+#
 # [*nova_compute_enabled*]
 #   (Optional) Whether or not nova-compute is enabled.
 #   Defaults to false
@@ -67,6 +71,7 @@ class tripleo::profile::base::nova (
   $messaging_password   = hiera('nova::rabbit_password'),
   $messaging_port       = hiera('nova::rabbit_port', '5672'),
   $messaging_username   = hiera('nova::rabbit_userid', 'guest'),
+  $messaging_use_ssl    = hiera('nova::rabbit_use_ssl', '0'),
   $nova_compute_enabled = false,
   $step                 = hiera('step'),
 ) {
@@ -83,6 +88,7 @@ class tripleo::profile::base::nova (
   }
 
   if hiera('step') >= 4 or (hiera('step') >= 3 and $sync_db) {
+    $messaging_use_ssl_real = sprintf('%s', bool2num(str2bool($messaging_use_ssl)))
     # TODO(ccamacho): remove sprintf once we properly type the port, needs
     # to be a string for the os_transport_url function.
     class { '::nova' :
@@ -92,6 +98,7 @@ class tripleo::profile::base::nova (
         'port'      => sprintf('%s', $messaging_port),
         'username'  => $messaging_username,
         'password'  => $messaging_password,
+        'ssl'       => $messaging_use_ssl_real,
       }),
     }
     include ::nova::config
diff --git a/manifests/profile/base/nova/api.pp b/manifests/profile/base/nova/api.pp
index 69b90fa..b4e3d74 100644
--- a/manifests/profile/base/nova/api.pp
+++ b/manifests/profile/base/nova/api.pp
@@ -85,6 +85,25 @@ class tripleo::profile::base::nova::api (
     $tls_keyfile = undef
   }
 
+  if ($step >= 3 and $sync_db) {
+    $messaging_hosts_real = any2array($::tripleo::profile::base::nova::messaging_hosts)
+    # TODO(aschultz): remove sprintf once we properly type the port, needs
+    # to be a string for the os_transport_url function.
+    $messaging_port_real = sprintf('%s', $::tripleo::profile::base::nova::messaging_port)
+    $messaging_use_ssl_real = sprintf('%s', bool2num(str2bool($::tripleo::profile::base::nova::messaging_use_ssl)))
+
+    class { '::nova::db::sync_cell_v2':
+      transport_url => os_transport_url({
+        'transport' => $::tripleo::profile::base::nova::messaging_driver,
+        'hosts'     => $messaging_hosts_real,
+        'port'      => $messaging_port_real,
+        'username'  => $::tripleo::profile::base::nova::messaging_username,
+        'password'  => $::tripleo::profile::base::nova::messaging_password,
+        'ssl'       => $messaging_use_ssl_real,
+        }),
+    }
+  }
+
   if $step >= 4 or ($step >= 3 and $sync_db) {
 
     if hiera('nova::use_ipv6', false) {
diff --git a/manifests/profile/base/panko.pp b/manifests/profile/base/panko.pp
index 4abed56..880cf7d 100644
--- a/manifests/profile/base/panko.pp
+++ b/manifests/profile/base/panko.pp
@@ -40,6 +40,7 @@ class tripleo::profile::base::panko (
 
   if $step >= 4 or ($step >= 3 and $sync_db) {
     include ::panko
+    include ::panko::db
     include ::panko::config
     include ::panko::db::sync
   }
diff --git a/releasenotes/notes/rgw-keystone-v3-43ef17dd10f825be.yaml b/releasenotes/notes/rgw-keystone-v3-43ef17dd10f825be.yaml
new file mode 100644
index 0000000..6159415
--- /dev/null
+++ b/releasenotes/notes/rgw-keystone-v3-43ef17dd10f825be.yaml
@@ -0,0 +1,5 @@
+---
+features:
+  - Add support for configuring Ceph RGW to use
+    keystone V3 service authentication instead
+    of admin token authentication
diff --git a/spec/classes/tripleo_profile_base_ceph_rgw_spec.rb b/spec/classes/tripleo_profile_base_ceph_rgw_spec.rb
index 88f971b..4ebf521 100644
--- a/spec/classes/tripleo_profile_base_ceph_rgw_spec.rb
+++ b/spec/classes/tripleo_profile_base_ceph_rgw_spec.rb
@@ -85,6 +85,17 @@ describe 'tripleo::profile::base::ceph::rgw' do
         )
       end
     end
+
+    context 'with step 4 and keystone v3' do
+      let(:params) { default_params.merge({ :step => 4, :rgw_keystone_version => 'v3' }) }
+      it 'should include rgw configuration' do
+        is_expected.to contain_ceph__rgw__keystone('radosgw.gateway').with(
+          :rgw_keystone_accepted_roles => ["admin", "_member_", "Member"],
+          :use_pki                     => false,
+          :rgw_keystone_url            => 'url'
+        )
+      end
+    end
   end
 
   on_supported_os.each do |os, facts|
diff --git a/spec/fixtures/hieradata/default.yaml b/spec/fixtures/hieradata/default.yaml
index d63fc76..b09e914 100644
--- a/spec/fixtures/hieradata/default.yaml
+++ b/spec/fixtures/hieradata/default.yaml
@@ -14,6 +14,13 @@ barbican::keystone::authtoken::password: 'password'
 ceilometer::keystone::authtoken::password: 'password'
 # ceph related items
 ceph::profile::params::mon_key: 'password'
+# NOTE(gfidente): we want to use keystone v3 API for RGW so the following are
+# needed to comply with the if condition:
+# https://github.com/openstack/puppet-ceph/blob/master/manifests/rgw/keystone.pp#L111
+ceph::profile::params::rgw_keystone_admin_domain: 'keystone_domain'
+ceph::profile::params::rgw_keystone_admin_project: 'keystone_project'
+ceph::profile::params::rgw_keystone_admin_user: 'keystone_admin_user'
+ceph::profile::params::rgw_keystone_admin_password: 'keystone_admin_password'
 # cinder related items
 cinder::rabbit_password: 'password'
 cinder::keystone::authtoken::password: 'password'