-rw-r--r-- | manifests/haproxy/endpoint.pp | 2 | ||||
-rw-r--r-- | manifests/profile/base/ceph/rgw.pp | 37 | ||||
-rw-r--r-- | manifests/profile/base/database/mysql.pp | 70 | ||||
-rw-r--r-- | manifests/profile/base/glance/api.pp | 9 | ||||
-rw-r--r-- | manifests/profile/base/nova.pp | 7 | ||||
-rw-r--r-- | manifests/profile/base/nova/api.pp | 19 | ||||
-rw-r--r-- | manifests/profile/base/panko.pp | 1 | ||||
-rw-r--r-- | releasenotes/notes/rgw-keystone-v3-43ef17dd10f825be.yaml | 5 | ||||
-rw-r--r-- | spec/classes/tripleo_profile_base_ceph_rgw_spec.rb | 11 | ||||
-rw-r--r-- | spec/fixtures/hieradata/default.yaml | 7 |
10 files changed, 82 insertions, 86 deletions
diff --git a/manifests/haproxy/endpoint.pp b/manifests/haproxy/endpoint.pp index 0bba245..2f60b24 100644 --- a/manifests/haproxy/endpoint.pp +++ b/manifests/haproxy/endpoint.pp @@ -166,6 +166,8 @@ define tripleo::haproxy::endpoint ( 'dport' => $public_ssl_port, }, } + } else { + $haproxy_ssl_firewall_rules = {} } $firewall_rules = merge($haproxy_firewall_rules, $haproxy_ssl_firewall_rules) if $service_port or $public_ssl_port { diff --git a/manifests/profile/base/ceph/rgw.pp b/manifests/profile/base/ceph/rgw.pp index 2ecca52..8443de0 100644 --- a/manifests/profile/base/ceph/rgw.pp +++ b/manifests/profile/base/ceph/rgw.pp @@ -29,6 +29,10 @@ # [*keystone_admin_token*] # The keystone admin token # +# [*rgw_keystone_version*] The api version for keystone. +# Possible values 'v2.0', 'v3' +# Optional. Default is 'v2.0' +# # [*keystone_url*] # The internal or admin url for keystone # @@ -44,9 +48,10 @@ class tripleo::profile::base::ceph::rgw ( $keystone_admin_token, $keystone_url, $rgw_key, - $civetweb_bind_ip = '127.0.0.1', - $civetweb_bind_port = '8080', - $step = hiera('step'), + $civetweb_bind_ip = '127.0.0.1', + $civetweb_bind_port = '8080', + $rgw_keystone_version = 'v2.0', + $step = hiera('step'), ) { include ::tripleo::profile::base::ceph @@ -58,7 +63,8 @@ class tripleo::profile::base::ceph::rgw ( include ::ceph::profile::base ceph::rgw { $rgw_name: frontend_type => 'civetweb', - rgw_frontends => "civetweb port=${civetweb_bind_ip_real}:${civetweb_bind_port}" + rgw_frontends => "civetweb port=${civetweb_bind_ip_real}:${civetweb_bind_port}", + user => 'ceph', } ceph::key { "client.${rgw_name}": secret => $rgw_key, 
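Review bot: `$keystone_admin_token,` keeps no default in the reworked parameter list, so a deployment that selects `rgw_keystone_version => 'v3'` still has to hand this profile an admin token it never uses, which undercuts the stated goal of moving RGW off admin-token authentication. Giving it `$keystone_admin_token = undef,` and rejecting the v2.0 path without one, e.g. `if $rgw_keystone_version == 'v2.0' and !$keystone_admin_token { fail('keystone_admin_token is required with rgw_keystone_version v2.0') }`, keeps existing callers working while letting v3 deployments stop distributing that secret. The class body that consumes the token is in the later hunk of this file. In the header comment, `# [*rgw_keystone_version*] The api version for keystone.` puts the description on the parameter line, unlike every other entry, which starts the description on the next line.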
@@ -69,11 +75,24 @@ class tripleo::profile::base::ceph::rgw ( } if $step >= 4 { - ceph::rgw::keystone { $rgw_name: - rgw_keystone_accepted_roles => ['admin', '_member_', 'Member'], - use_pki => false, - rgw_keystone_admin_token => $keystone_admin_token, - rgw_keystone_url => $keystone_url, + if $rgw_keystone_version == 'v2.0' { + ceph::rgw::keystone { $rgw_name: + rgw_keystone_accepted_roles => ['admin', '_member_', 'Member'], + use_pki => false, + rgw_keystone_admin_token => $keystone_admin_token, + rgw_keystone_url => $keystone_url, + user => 'ceph', + } + } + else + { + ceph::rgw::keystone { $rgw_name: + rgw_keystone_accepted_roles => ['admin', '_member_', 'Member'], + use_pki => false, + rgw_keystone_url => $keystone_url, + rgw_keystone_version => $rgw_keystone_version, + user => 'ceph', + } } } } diff --git a/manifests/profile/base/database/mysql.pp b/manifests/profile/base/database/mysql.pp index 634b615..1e53048 100644 --- a/manifests/profile/base/database/mysql.pp +++ b/manifests/profile/base/database/mysql.pp 
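Review bot: The new `else` branch selects the v3 configuration for any value of `$rgw_keystone_version` other than the literal `'v2.0'`, so a typo such as `'V3'` or `'v2'` silently lands in the v3 path with the admin token dropped instead of failing the catalog; a guard such as `if !($rgw_keystone_version in ['v2.0', 'v3']) { fail("unsupported rgw_keystone_version ${rgw_keystone_version}") }` ahead of the branch would make the documented value set binding. In the v3 branch the keystone admin user, password, project and domain are not passed here at all; the fixture hunk in this commit shows they are expected to arrive through the `ceph::profile::params::rgw_keystone_admin_*` hiera keys, and the class header should say so, since that is where the replacement credential has to be set and protected. The `}` / `else` / `{` split across three lines also departs from the `} else {` form the endpoint.pp hunk in this same commit uses.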
@@ -66,37 +66,6 @@ # for more details. # Defaults to hiera('step') # -# [*nova_messaging_driver*] -# Driver for messaging service. Will fallback to looking up in hiera -# using hiera('messaging_service_name', 'rabbit') if the parameter is not -# specified. -# Defaults to undef. -# -# [*nova_messaging_hosts*] -# list of the messaging host fqdns. Will fallback to looking up in hiera -# using hiera('rabbitmq_node_names') if the parameter is not specified. -# Defaults to undef. -# -# [*nova_messaging_port*] -# IP port for messaging service. Will fallback to looking up in hiera using -# hiera('nova::rabbit_port', 5672) if the parameter is not specified. -# Defaults to undef. -# -# [*nova_messaging_username*] -# Username for messaging nova queue. Will fallback to looking up in hiera -# using hiera('nova::rabbit_userid', 'guest') if the parameter is not -# specified. -# Defaults to undef. -# -# [*nova_messaging_password*] -# Password for messaging nova queue. Will fallback to looking up in hiera -# using hiera('nova::rabbit_password') if the parameter is not specified. -# Defaults to undef. -# -# [*nova_messaging_use_ssl*] -# Flag indicating ssl usage. Will fallback to looking up in hiera using -# hiera('nova::rabbit_use_ssl', '0') if the parameter is not specified. -# Defaults to undef. # class tripleo::profile::base::database::mysql ( $bind_address = $::hostname, @@ -108,12 +77,6 @@ class tripleo::profile::base::database::mysql ( $mysql_server_options = {}, $remove_default_accounts = true, $step = hiera('step'), - $nova_messaging_driver = undef, - $nova_messaging_hosts = undef, - $nova_messaging_password = undef, - $nova_messaging_port = undef, - $nova_messaging_username = undef, - $nova_messaging_use_ssl = undef, ) { if $::hostname == downcase($bootstrap_node) { 
@@ -214,38 +177,7 @@ class tripleo::profile::base::database::mysql ( } if hiera('nova_api_enabled', false) { include ::nova::db::mysql - # NOTE(aschultz): I am generally opposed to this, however given that the - # nova api is optional, we need to do this lookups only if not provided - # via parameters. - $messaging_driver_real = pick($nova_messaging_driver, - hiera('messaging_service_name', 'rabbit')) - $messaging_hosts_real = any2array( - pick($nova_messaging_hosts, hiera('rabbitmq_node_names'))) - # TODO(aschultz): remove sprintf once we properly type the port, needs - # to be a string for the os_transport_url function. - $messaging_port_real = sprintf('%s', - pick($nova_messaging_port, hiera('nova::rabbit_port', '5672'))) - $messaging_username_real = pick($nova_messaging_username, - hiera('nova::rabbit_userid', 'guest')) - $messaging_password_real = pick($nova_messaging_password, - hiera('nova::rabbit_password')) - $messaging_use_ssl_real = sprintf('%s', bool2num(str2bool( - pick($nova_messaging_use_ssl, hiera('nova::rabbit_user_ssl', '0'))))) - - # TODO(aschultz): switch this back to an include once setup_cell0 in THT - class { '::nova::db::mysql_api': - setup_cell0 => true, - } - class { '::nova::db::sync_cell_v2': - transport_url => os_transport_url({ - 'transport' => $messaging_driver_real, - 'hosts' => $messaging_hosts_real, - 'port' => $messaging_port_real, - 'username' => $messaging_username_real, - 'password' => $messaging_password_real, - 'ssl' => $messaging_use_ssl_real, - }), - } + include ::nova::db::mysql_api } if hiera('sahara_api_enabled', false) { include ::sahara::db::mysql diff --git a/manifests/profile/base/glance/api.pp b/manifests/profile/base/glance/api.pp index bfa9572..8945fff 100644 --- a/manifests/profile/base/glance/api.pp +++ b/manifests/profile/base/glance/api.pp 
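Review bot: The replacement `include ::nova::db::mysql_api` drops the explicit `setup_cell0 => true` that the removed resource-style declaration carried, so cell0 database creation now depends on whatever default `nova::db::mysql_api` ships with or on hiera data the caller supplies; the removed TODO implies that data is meant to come from THT now, but nothing in this commit shows it, so it should be confirmed or stated in the commit message. A side effect worth recording is that this database profile no longer performs the `hiera('nova::rabbit_password')` lookup, so the messaging credential no longer has to be present in the hieradata consumed by this class.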
@@ -77,14 +77,7 @@ class tripleo::profile::base::glance::api ( include ::glance::config class { '::glance::api': stores => $glance_store, - sync_db => false, - } - # When https://review.openstack.org/#/c/408554 is merged, - # Remove this block and set sync_db to $sync_db in glance::api. - if $sync_db { - class { '::glance::db::sync': - extra_params => '', - } + sync_db => $sync_db, } $rabbit_endpoints = suffix(any2array($rabbit_hosts), ":${rabbit_port}") class { '::glance::notify::rabbitmq' : diff --git a/manifests/profile/base/nova.pp b/manifests/profile/base/nova.pp index ab9700f..63adbef 100644 --- a/manifests/profile/base/nova.pp +++ b/manifests/profile/base/nova.pp @@ -50,6 +50,10 @@ # Username for messaging nova queue # Defaults to hiera('nova::rabbit_userid', 'guest') # +# [*messaging_use_ssl*] +# Flag indicating ssl usage. +# Defaults to hiera('nova::rabbit_use_ssl', '0') +# # [*nova_compute_enabled*] # (Optional) Whether or not nova-compute is enabled. # Defaults to false @@ -67,6 +71,7 @@ class tripleo::profile::base::nova ( $messaging_password = hiera('nova::rabbit_password'), $messaging_port = hiera('nova::rabbit_port', '5672'), $messaging_username = hiera('nova::rabbit_userid', 'guest'), + $messaging_use_ssl = hiera('nova::rabbit_use_ssl', '0'), $nova_compute_enabled = false, $step = hiera('step'), ) { @@ -83,6 +88,7 @@ class tripleo::profile::base::nova ( } if hiera('step') >= 4 or (hiera('step') >= 3 and $sync_db) { + $messaging_use_ssl_real = sprintf('%s', bool2num(str2bool($messaging_use_ssl))) # TODO(ccamacho): remove sprintf once we properly type the port, needs # to be a string for the os_transport_url function. class { '::nova' : @@ -92,6 +98,7 @@ class tripleo::profile::base::nova ( 'port' => sprintf('%s', $messaging_port), 'username' => $messaging_username, 'password' => $messaging_password, + 'ssl' => $messaging_use_ssl_real, }), } include ::nova::config 
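Review bot: `$messaging_use_ssl_real = sprintf('%s', bool2num(str2bool($messaging_use_ssl)))` is computed inside the step-gated block, yet the nova/api.pp hunk in this commit repeats the identical expression on the raw `$::tripleo::profile::base::nova::messaging_use_ssl` value instead of reusing one conversion. Moving the assignment above the `if hiera('step') >= 4 or (hiera('step') >= 3 and $sync_db) {` line, at class scope, would let api.pp read `$::tripleo::profile::base::nova::messaging_use_ssl_real` and keep the two transport URLs from drifting if the normalisation ever changes. The new default `hiera('nova::rabbit_use_ssl', '0')` also uses a different key from the `hiera('nova::rabbit_user_ssl', '0')` lookup removed from the mysql profile in this commit, so hieradata that still sets the old key is now silently ignored; that deserves a line in the release note.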
diff --git a/manifests/profile/base/nova/api.pp b/manifests/profile/base/nova/api.pp index 69b90fa..b4e3d74 100644 --- a/manifests/profile/base/nova/api.pp +++ b/manifests/profile/base/nova/api.pp @@ -85,6 +85,25 @@ class tripleo::profile::base::nova::api ( $tls_keyfile = undef } + if ($step >= 3 and $sync_db) { + $messaging_hosts_real = any2array($::tripleo::profile::base::nova::messaging_hosts) + # TODO(aschultz): remove sprintf once we properly type the port, needs + # to be a string for the os_transport_url function. + $messaging_port_real = sprintf('%s', $::tripleo::profile::base::nova::messaging_port) + $messaging_use_ssl_real = sprintf('%s', bool2num(str2bool($::tripleo::profile::base::nova::messaging_use_ssl))) + + class { '::nova::db::sync_cell_v2': + transport_url => os_transport_url({ + 'transport' => $::tripleo::profile::base::nova::messaging_driver, + 'hosts' => $messaging_hosts_real, + 'port' => $messaging_port_real, + 'username' => $::tripleo::profile::base::nova::messaging_username, + 'password' => $::tripleo::profile::base::nova::messaging_password, + 'ssl' => $messaging_use_ssl_real, + }), + } + } + if $step >= 4 or ($step >= 3 and $sync_db) { if hiera('nova::use_ipv6', false) { diff --git a/manifests/profile/base/panko.pp b/manifests/profile/base/panko.pp index 4abed56..880cf7d 100644 --- a/manifests/profile/base/panko.pp +++ b/manifests/profile/base/panko.pp @@ -40,6 +40,7 @@ class tripleo::profile::base::panko ( if $step >= 4 or ($step >= 3 and $sync_db) { include ::panko + include ::panko::db include ::panko::config include ::panko::db::sync } diff --git a/releasenotes/notes/rgw-keystone-v3-43ef17dd10f825be.yaml b/releasenotes/notes/rgw-keystone-v3-43ef17dd10f825be.yaml new file mode 100644 index 0000000..6159415 --- /dev/null +++ b/releasenotes/notes/rgw-keystone-v3-43ef17dd10f825be.yaml @@ -0,0 +1,5 @@ +--- +features: + - Add support for configuring Ceph RGW to use + keystone V3 service authentication instead + of admin token authentication 
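Review bot: The new block reads `$::tripleo::profile::base::nova::messaging_hosts` and its siblings as fully qualified variables, which only resolve if `tripleo::profile::base::nova` has already been evaluated when this class is compiled; if api.pp does not `include ::tripleo::profile::base::nova` before this point (the start of the class is outside the hunk), these come back undef and `os_transport_url` is handed an empty host list and password. Adding `include ::tripleo::profile::base::nova` as the first line of the new `if` block, or a comment such as `# relies on tripleo::profile::base::nova being evaluated first for the messaging_* values`, makes the ordering explicit. This is also a second place that assembles a transport URL containing `messaging_password`; having base/nova.pp expose the computed URL once would keep the credential handling in one class.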
diff --git a/spec/classes/tripleo_profile_base_ceph_rgw_spec.rb b/spec/classes/tripleo_profile_base_ceph_rgw_spec.rb index 88f971b..4ebf521 100644 --- a/spec/classes/tripleo_profile_base_ceph_rgw_spec.rb +++ b/spec/classes/tripleo_profile_base_ceph_rgw_spec.rb @@ -85,6 +85,17 @@ describe 'tripleo::profile::base::ceph::rgw' do ) end end + + context 'with step 4 and keystone v3' do + let(:params) { default_params.merge({ :step => 4, :rgw_keystone_version => 'v3' }) } + it 'should include rgw configuration' do + is_expected.to contain_ceph__rgw__keystone('radosgw.gateway').with( + :rgw_keystone_accepted_roles => ["admin", "_member_", "Member"], + :use_pki => false, + :rgw_keystone_url => 'url' + ) + end + end end on_supported_os.each do |os, facts| diff --git a/spec/fixtures/hieradata/default.yaml b/spec/fixtures/hieradata/default.yaml index d63fc76..b09e914 100644 --- a/spec/fixtures/hieradata/default.yaml +++ b/spec/fixtures/hieradata/default.yaml @@ -14,6 +14,13 @@ barbican::keystone::authtoken::password: 'password' ceilometer::keystone::authtoken::password: 'password' # ceph related items ceph::profile::params::mon_key: 'password' +# NOTE(gfidente): we want to use keystone v3 API for RGW so the following are +# needed to comply with the if condition: +# https://github.com/openstack/puppet-ceph/blob/master/manifests/rgw/keystone.pp#L111 +ceph::profile::params::rgw_keystone_admin_domain: 'keystone_domain' +ceph::profile::params::rgw_keystone_admin_project: 'keystone_project' +ceph::profile::params::rgw_keystone_admin_user: 'keystone_admin_user' +ceph::profile::params::rgw_keystone_admin_password: 'keystone_admin_password' # cinder related items cinder::rabbit_password: 'password' cinder::keystone::authtoken::password: 'password' |
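Review bot: The `with` hash in the new 'with step 4 and keystone v3' context lists only attributes the v2.0 branch sets as well, so this example still passes if `rgw_keystone_version` were ignored and the admin-token path taken. Adding `:rgw_keystone_version => 'v3'` to the `with` hash, and asserting that `rgw_keystone_admin_token` is absent (rspec-puppet's `without_rgw_keystone_admin_token`, where the version in use supports it), would pin the behaviour this commit introduces. A matching negative check in the existing step 4 context, that `rgw_keystone_version` is not set on the v2.0 path, would cover the other branch.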