-rw-r--r--manifests/haproxy/endpoint.pp2
-rw-r--r--manifests/profile/base/ceph/rgw.pp37
-rw-r--r--manifests/profile/base/database/mysql.pp70
-rw-r--r--manifests/profile/base/glance/api.pp9
-rw-r--r--manifests/profile/base/nova.pp7
-rw-r--r--manifests/profile/base/nova/api.pp19
-rw-r--r--manifests/profile/base/panko.pp1
-rw-r--r--releasenotes/notes/rgw-keystone-v3-43ef17dd10f825be.yaml5
-rw-r--r--spec/classes/tripleo_profile_base_ceph_rgw_spec.rb11
-rw-r--r--spec/fixtures/hieradata/default.yaml7
10 files changed, 82 insertions, 86 deletions
diff --git a/manifests/haproxy/endpoint.pp b/manifests/haproxy/endpoint.pp
index 0bba245..2f60b24 100644
--- a/manifests/haproxy/endpoint.pp
+++ b/manifests/haproxy/endpoint.pp
@@ -166,6 +166,8 @@ define tripleo::haproxy::endpoint (
'dport' => $public_ssl_port,
},
}
+ } else {
+ $haproxy_ssl_firewall_rules = {}
}
$firewall_rules = merge($haproxy_firewall_rules, $haproxy_ssl_firewall_rules)
if $service_port or $public_ssl_port {
diff --git a/manifests/profile/base/ceph/rgw.pp b/manifests/profile/base/ceph/rgw.pp
index 2ecca52..8443de0 100644
--- a/manifests/profile/base/ceph/rgw.pp
+++ b/manifests/profile/base/ceph/rgw.pp
@@ -29,6 +29,10 @@
# [*keystone_admin_token*]
# The keystone admin token
#
+# [*rgw_keystone_version*] The api version for keystone.
+# Possible values 'v2.0', 'v3'
+# Optional. Default is 'v2.0'
+#
# [*keystone_url*]
# The internal or admin url for keystone
#
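Review bot: The new `rgw_keystone_version` entry does not say what changes for the caller when 'v3' is chosen. From the later hunk, `keystone_admin_token` is then not passed to `ceph::rgw::keystone`, and the fixture change suggests the credentials come from the `ceph::profile::params::rgw_keystone_admin_*` hiera keys; the doc should say so, hedged to what puppet-ceph actually reads. The entry also puts the description on the `[*name*]` line, unlike its neighbours; `# [*rgw_keystone_version*]` followed by an indented description would match the header style.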
@@ -44,9 +48,10 @@ class tripleo::profile::base::ceph::rgw (
$keystone_admin_token,
$keystone_url,
$rgw_key,
- $civetweb_bind_ip = '127.0.0.1',
- $civetweb_bind_port = '8080',
- $step = hiera('step'),
+ $civetweb_bind_ip = '127.0.0.1',
+ $civetweb_bind_port = '8080',
+ $rgw_keystone_version = 'v2.0',
+ $step = hiera('step'),
) {
include ::tripleo::profile::base::ceph
@@ -58,7 +63,8 @@ class tripleo::profile::base::ceph::rgw (
include ::ceph::profile::base
ceph::rgw { $rgw_name:
frontend_type => 'civetweb',
- rgw_frontends => "civetweb port=${civetweb_bind_ip_real}:${civetweb_bind_port}"
+ rgw_frontends => "civetweb port=${civetweb_bind_ip_real}:${civetweb_bind_port}",
+ user => 'ceph',
}
ceph::key { "client.${rgw_name}":
secret => $rgw_key,
@@ -69,11 +75,24 @@ class tripleo::profile::base::ceph::rgw (
}
if $step >= 4 {
- ceph::rgw::keystone { $rgw_name:
- rgw_keystone_accepted_roles => ['admin', '_member_', 'Member'],
- use_pki => false,
- rgw_keystone_admin_token => $keystone_admin_token,
- rgw_keystone_url => $keystone_url,
+ if $rgw_keystone_version == 'v2.0' {
+ ceph::rgw::keystone { $rgw_name:
+ rgw_keystone_accepted_roles => ['admin', '_member_', 'Member'],
+ use_pki => false,
+ rgw_keystone_admin_token => $keystone_admin_token,
+ rgw_keystone_url => $keystone_url,
+ user => 'ceph',
+ }
+ }
+ else
+ {
+ ceph::rgw::keystone { $rgw_name:
+ rgw_keystone_accepted_roles => ['admin', '_member_', 'Member'],
+ use_pki => false,
+ rgw_keystone_url => $keystone_url,
+ rgw_keystone_version => $rgw_keystone_version,
+ user => 'ceph',
+ }
}
}
}
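Review bot: The `else` after `if $rgw_keystone_version == 'v2.0'` accepts any other string, so a mistyped version silently selects the non-token branch and is forwarded as `rgw_keystone_version`. A guard ahead of the branch, for example `validate_re($rgw_keystone_version, ['^v2\.0$', '^v3$'])`, would fail the catalog instead. `$keystone_admin_token` also remains a mandatory class parameter in the earlier hunk although this branch never uses it, so v3 deployments must still supply an admin token; consider noting in the parameter doc that it is ignored for 'v3'. The class body starts outside this hunk.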
diff --git a/manifests/profile/base/database/mysql.pp b/manifests/profile/base/database/mysql.pp
index 634b615..1e53048 100644
--- a/manifests/profile/base/database/mysql.pp
+++ b/manifests/profile/base/database/mysql.pp
@@ -66,37 +66,6 @@
# for more details.
# Defaults to hiera('step')
#
-# [*nova_messaging_driver*]
-# Driver for messaging service. Will fallback to looking up in hiera
-# using hiera('messaging_service_name', 'rabbit') if the parameter is not
-# specified.
-# Defaults to undef.
-#
-# [*nova_messaging_hosts*]
-# list of the messaging host fqdns. Will fallback to looking up in hiera
-# using hiera('rabbitmq_node_names') if the parameter is not specified.
-# Defaults to undef.
-#
-# [*nova_messaging_port*]
-# IP port for messaging service. Will fallback to looking up in hiera using
-# hiera('nova::rabbit_port', 5672) if the parameter is not specified.
-# Defaults to undef.
-#
-# [*nova_messaging_username*]
-# Username for messaging nova queue. Will fallback to looking up in hiera
-# using hiera('nova::rabbit_userid', 'guest') if the parameter is not
-# specified.
-# Defaults to undef.
-#
-# [*nova_messaging_password*]
-# Password for messaging nova queue. Will fallback to looking up in hiera
-# using hiera('nova::rabbit_password') if the parameter is not specified.
-# Defaults to undef.
-#
-# [*nova_messaging_use_ssl*]
-# Flag indicating ssl usage. Will fallback to looking up in hiera using
-# hiera('nova::rabbit_use_ssl', '0') if the parameter is not specified.
-# Defaults to undef.
#
class tripleo::profile::base::database::mysql (
$bind_address = $::hostname,
@@ -108,12 +77,6 @@ class tripleo::profile::base::database::mysql (
$mysql_server_options = {},
$remove_default_accounts = true,
$step = hiera('step'),
- $nova_messaging_driver = undef,
- $nova_messaging_hosts = undef,
- $nova_messaging_password = undef,
- $nova_messaging_port = undef,
- $nova_messaging_username = undef,
- $nova_messaging_use_ssl = undef,
) {
if $::hostname == downcase($bootstrap_node) {
@@ -214,38 +177,7 @@ class tripleo::profile::base::database::mysql (
}
if hiera('nova_api_enabled', false) {
include ::nova::db::mysql
- # NOTE(aschultz): I am generally opposed to this, however given that the
- # nova api is optional, we need to do this lookups only if not provided
- # via parameters.
- $messaging_driver_real = pick($nova_messaging_driver,
- hiera('messaging_service_name', 'rabbit'))
- $messaging_hosts_real = any2array(
- pick($nova_messaging_hosts, hiera('rabbitmq_node_names')))
- # TODO(aschultz): remove sprintf once we properly type the port, needs
- # to be a string for the os_transport_url function.
- $messaging_port_real = sprintf('%s',
- pick($nova_messaging_port, hiera('nova::rabbit_port', '5672')))
- $messaging_username_real = pick($nova_messaging_username,
- hiera('nova::rabbit_userid', 'guest'))
- $messaging_password_real = pick($nova_messaging_password,
- hiera('nova::rabbit_password'))
- $messaging_use_ssl_real = sprintf('%s', bool2num(str2bool(
- pick($nova_messaging_use_ssl, hiera('nova::rabbit_user_ssl', '0')))))
-
- # TODO(aschultz): switch this back to an include once setup_cell0 in THT
- class { '::nova::db::mysql_api':
- setup_cell0 => true,
- }
- class { '::nova::db::sync_cell_v2':
- transport_url => os_transport_url({
- 'transport' => $messaging_driver_real,
- 'hosts' => $messaging_hosts_real,
- 'port' => $messaging_port_real,
- 'username' => $messaging_username_real,
- 'password' => $messaging_password_real,
- 'ssl' => $messaging_use_ssl_real,
- }),
- }
+ include ::nova::db::mysql_api
}
if hiera('sahara_api_enabled', false) {
include ::sahara::db::mysql
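Review bot: The explicit `setup_cell0 => true` is no longer passed at `include ::nova::db::mysql_api`, so creation of the cell0 database now depends on `nova::db::mysql_api::setup_cell0` being supplied through hiera or on the class default, neither of which is visible in this change. The removed TODO tied the switch back to an include to that setting landing in THT, so a short comment such as `# setup_cell0 is expected from hiera (set in THT)` would record the dependency. The enclosing class body starts and ends outside this hunk.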
diff --git a/manifests/profile/base/glance/api.pp b/manifests/profile/base/glance/api.pp
index bfa9572..8945fff 100644
--- a/manifests/profile/base/glance/api.pp
+++ b/manifests/profile/base/glance/api.pp
@@ -77,14 +77,7 @@ class tripleo::profile::base::glance::api (
include ::glance::config
class { '::glance::api':
stores => $glance_store,
- sync_db => false,
- }
- # When https://review.openstack.org/#/c/408554 is merged,
- # Remove this block and set sync_db to $sync_db in glance::api.
- if $sync_db {
- class { '::glance::db::sync':
- extra_params => '',
- }
+ sync_db => $sync_db,
}
$rabbit_endpoints = suffix(any2array($rabbit_hosts), ":${rabbit_port}")
class { '::glance::notify::rabbitmq' :
diff --git a/manifests/profile/base/nova.pp b/manifests/profile/base/nova.pp
index ab9700f..63adbef 100644
--- a/manifests/profile/base/nova.pp
+++ b/manifests/profile/base/nova.pp
@@ -50,6 +50,10 @@
# Username for messaging nova queue
# Defaults to hiera('nova::rabbit_userid', 'guest')
#
+# [*messaging_use_ssl*]
+# Flag indicating ssl usage.
+# Defaults to hiera('nova::rabbit_use_ssl', '0')
+#
# [*nova_compute_enabled*]
# (Optional) Whether or not nova-compute is enabled.
# Defaults to false
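Review bot: The `messaging_use_ssl` doc entry does not state the accepted values or what the default means for the connection. The later hunks pass the value through `str2bool`, and with the '0' default the transport URL that carries `messaging_username` and `messaging_password` is built with ssl off. Something like `# (Optional) Whether the messaging connection uses SSL; any value str2bool accepts.` plus a line saying that the default leaves the connection unencrypted would make that explicit.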
@@ -67,6 +71,7 @@ class tripleo::profile::base::nova (
$messaging_password = hiera('nova::rabbit_password'),
$messaging_port = hiera('nova::rabbit_port', '5672'),
$messaging_username = hiera('nova::rabbit_userid', 'guest'),
+ $messaging_use_ssl = hiera('nova::rabbit_use_ssl', '0'),
$nova_compute_enabled = false,
$step = hiera('step'),
) {
@@ -83,6 +88,7 @@ class tripleo::profile::base::nova (
}
if hiera('step') >= 4 or (hiera('step') >= 3 and $sync_db) {
+ $messaging_use_ssl_real = sprintf('%s', bool2num(str2bool($messaging_use_ssl)))
# TODO(ccamacho): remove sprintf once we properly type the port, needs
# to be a string for the os_transport_url function.
class { '::nova' :
@@ -92,6 +98,7 @@ class tripleo::profile::base::nova (
'port' => sprintf('%s', $messaging_port),
'username' => $messaging_username,
'password' => $messaging_password,
+ 'ssl' => $messaging_use_ssl_real,
}),
}
include ::nova::config
diff --git a/manifests/profile/base/nova/api.pp b/manifests/profile/base/nova/api.pp
index 69b90fa..b4e3d74 100644
--- a/manifests/profile/base/nova/api.pp
+++ b/manifests/profile/base/nova/api.pp
@@ -85,6 +85,25 @@ class tripleo::profile::base::nova::api (
$tls_keyfile = undef
}
+ if ($step >= 3 and $sync_db) {
+ $messaging_hosts_real = any2array($::tripleo::profile::base::nova::messaging_hosts)
+ # TODO(aschultz): remove sprintf once we properly type the port, needs
+ # to be a string for the os_transport_url function.
+ $messaging_port_real = sprintf('%s', $::tripleo::profile::base::nova::messaging_port)
+ $messaging_use_ssl_real = sprintf('%s', bool2num(str2bool($::tripleo::profile::base::nova::messaging_use_ssl)))
+
+ class { '::nova::db::sync_cell_v2':
+ transport_url => os_transport_url({
+ 'transport' => $::tripleo::profile::base::nova::messaging_driver,
+ 'hosts' => $messaging_hosts_real,
+ 'port' => $messaging_port_real,
+ 'username' => $::tripleo::profile::base::nova::messaging_username,
+ 'password' => $::tripleo::profile::base::nova::messaging_password,
+ 'ssl' => $messaging_use_ssl_real,
+ }),
+ }
+ }
+
if $step >= 4 or ($step >= 3 and $sync_db) {
if hiera('nova::use_ipv6', false) {
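Review bot: The new `sync_cell_v2` block reads `$::tripleo::profile::base::nova::messaging_*` from another class's scope, which resolves only if `tripleo::profile::base::nova` has been evaluated before this point. That include is not visible in this hunk, so confirm it precedes the block; otherwise the transport URL may be built from undefined values, depending on the strict-variables setting. The `sprintf('%s', bool2num(str2bool(...)))` conversion is also repeated from nova.pp, so the two copies can drift. A comment such as `# requires ::tripleo::profile::base::nova to be included above` would document the ordering.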
diff --git a/manifests/profile/base/panko.pp b/manifests/profile/base/panko.pp
index 4abed56..880cf7d 100644
--- a/manifests/profile/base/panko.pp
+++ b/manifests/profile/base/panko.pp
@@ -40,6 +40,7 @@ class tripleo::profile::base::panko (
if $step >= 4 or ($step >= 3 and $sync_db) {
include ::panko
+ include ::panko::db
include ::panko::config
include ::panko::db::sync
}
diff --git a/releasenotes/notes/rgw-keystone-v3-43ef17dd10f825be.yaml b/releasenotes/notes/rgw-keystone-v3-43ef17dd10f825be.yaml
new file mode 100644
index 0000000..6159415
--- /dev/null
+++ b/releasenotes/notes/rgw-keystone-v3-43ef17dd10f825be.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - Add support for configuring Ceph RGW to use
+ keystone V3 service authentication instead
+ of admin token authentication
diff --git a/spec/classes/tripleo_profile_base_ceph_rgw_spec.rb b/spec/classes/tripleo_profile_base_ceph_rgw_spec.rb
index 88f971b..4ebf521 100644
--- a/spec/classes/tripleo_profile_base_ceph_rgw_spec.rb
+++ b/spec/classes/tripleo_profile_base_ceph_rgw_spec.rb
@@ -85,6 +85,17 @@ describe 'tripleo::profile::base::ceph::rgw' do
)
end
end
+
+ context 'with step 4 and keystone v3' do
+ let(:params) { default_params.merge({ :step => 4, :rgw_keystone_version => 'v3' }) }
+ it 'should include rgw configuration' do
+ is_expected.to contain_ceph__rgw__keystone('radosgw.gateway').with(
+ :rgw_keystone_accepted_roles => ["admin", "_member_", "Member"],
+ :use_pki => false,
+ :rgw_keystone_url => 'url'
+ )
+ end
+ end
end
on_supported_os.each do |os, facts|
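Review bot: The 'with step 4 and keystone v3' example does not distinguish the v3 branch from the v2.0 one, because the three attributes it checks are set identically in both branches of the manifest. Adding `:rgw_keystone_version => 'v3',` (and `:user => 'ceph'`) to the `.with(` hash would make the test fail if the wrong branch were taken. An assertion that the admin token is not passed in this context would also pin the behaviour the release note describes. The `describe` block starts and continues outside this hunk.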
diff --git a/spec/fixtures/hieradata/default.yaml b/spec/fixtures/hieradata/default.yaml
index d63fc76..b09e914 100644
--- a/spec/fixtures/hieradata/default.yaml
+++ b/spec/fixtures/hieradata/default.yaml
@@ -14,6 +14,13 @@ barbican::keystone::authtoken::password: 'password'
ceilometer::keystone::authtoken::password: 'password'
# ceph related items
ceph::profile::params::mon_key: 'password'
+# NOTE(gfidente): we want to use keystone v3 API for RGW so the following are
+# needed to comply with the if condition:
+# https://github.com/openstack/puppet-ceph/blob/master/manifests/rgw/keystone.pp#L111
+ceph::profile::params::rgw_keystone_admin_domain: 'keystone_domain'
+ceph::profile::params::rgw_keystone_admin_project: 'keystone_project'
+ceph::profile::params::rgw_keystone_admin_user: 'keystone_admin_user'
+ceph::profile::params::rgw_keystone_admin_password: 'keystone_admin_password'
# cinder related items
cinder::rabbit_password: 'password'
cinder::keystone::authtoken::password: 'password'