43 Commits

Author SHA1 Message Date
Shunde Zhang 6f2a7540e8 Add a config option for virtual hosted bucket
func-test-pr: https://github.com/openstack-charmers/zaza-openstack-tests/pull/1187

Closes-Bug: #1871745
Change-Id: I295baab496d1eb95daaa8073d4119d01b90d0b38
2024-04-05 16:17:08 +11:00
peppepetra86 8a844bca97 Allow URLs which contain encoded path separators
This is to resolve the issue with objects containing slash in the name
not correctly synced in multisite environments.

Closes-Bug: #1974138
Change-Id: I71ac000bb4754c9cb987d703f145dc2a5ff032ad
2024-01-09 10:06:24 +01:00
Samuel Walladge 541ceec401 Enable rgw trust forwarded https when https proxy
This option is required for server-side encryption to be allowed
if radosgw is behind a reverse proxy,
such as here when certificates are configured and apache2 is running.

ref. https://docs.ceph.com/en/latest/radosgw/encryption/

It is safe to always enable when https is configured in the charm,
because it will be securely behind the reverse proxy in the unit.
This option must not be enabled when https is not configured in the charm,
because this would allow clients to spoof headers.

Closes-Bug: #2021560
Change-Id: I940f9b2f424a3d98936b5f185bf8f87b71091317
2023-05-31 14:16:47 +09:30
Luciano Lo Giudice 5c4cab3f82 Add the 'zonegroup' and 'realm' keys to ceph.conf file
This patchset adds these 2 additional keys to the ceph.conf file,
which are used in multisite configurations when present.

Change-Id: I51ca46bbb3479cb73ec4d9966208ed794f0ed774
Closes-Bug: #1975857
2022-05-31 18:08:13 -03:00
Ethan Myers 2bda1f68a6 Add a config option for relaxed s3 bucket names.
Closes-Bug: #1926498
Change-Id: I4b329f3327a0e91ccd9f65841cc5d62736918a85
2022-05-19 15:02:03 +00:00
James Page 7907fa96e9 Resolve issue with mod_proxy decoding
The Ceph RADOS Gateway uses some unusual URIs for multisite
replication; ensure that mod_proxy passes the 'raw' URI down
to the radosgw http endpoint so that client and server side
signatures continue to match.

This seems quite Ceph specific so the template is specialised
into the charm rather than updated in charm-helpers.

Change-Id: Iede49ba8904500076d53388345e154a3ed18e761
Closes-Bug: 1966669
2022-03-30 13:47:53 +01:00
James Page c634aba6fd Enable support for beast frontend
Introduce support for the beast web frontend for the Ceph
RADOS Gateway which brings improvements to speed and scalability.

Default behaviour is changed in that for Octopus and later
(aside from some unsupported architectures) beast is enabled by
default; for older releases civetweb is still used.

This may be overridden using the 'http-frontend' configuration
option which accepts either 'beast' or 'civetweb' as valid
values.  'beast' is only supported with Ceph Mimic or later.

Closes-Bug: 1865396
Change-Id: Ib73e58e21219eca611cd4293da69bf80040f5803
2021-07-07 12:44:53 +00:00
Zuul 0f1b77b7d5 Merge "set rgw keystone revocation interval to 0" 2021-06-15 03:21:15 +00:00
Hemanth Nakkina d9cc3f3bfb set rgw keystone revocation interval to 0
Ceph RGW checks the revocation list every 600 seconds. This is not
required for non PKI tokens and PKI tokens are removed in OpenStack
Pike release. This results in unnecessary logs in ceph and keystone.

Set the rgw keystone revocation interval to 0 in ceph conf. Also
this parameter is removed in upstream from Ceph Octopus. So ensure
not to add this parameter from ceph release Octopus.

Closes-Bug: #1758982
Change-Id: Iaeb10dc25bb52df9dd3746ecf4fe5859d4efd459
2021-05-21 12:35:18 +05:30
Jarred Wilson 72a7184dc5 Enable object versioning for a container
This patch adds the config option rgw-swift-versioning-enabled boolean that enables swift versioning for the ceph-backed storage solution.  This uses X-Versions-Location as it is the only header that radosgw interprets.

closes-bug: #1910679
Change-Id: I5b42c34882b46e96f4cc92d91ec441a4bdfd76f6
2021-01-14 19:36:20 -05:00
Frode Nordahl d53e445a92 Remove use of admin_token for Keystone V2.0 deployments
At present the charm configures the Ceph RADOS GW with the
admin_token as credentials when connecting to a deployment with
Keystone V2.0 API.

We want to move away from that and as such we need to update the
charm to configure username, password and project name instead.

Change-Id: Idab6a5740a541b922f9dbd65165d0328d747e78e
2020-03-16 17:29:56 +01:00
Chris MacNaughton e4d4d09b53 Enable Ceph Radosgw tenant namespacing
This change enabled automatic tenant namespacing,
which also allows enabling global read permissions
on buckets.

Change-Id: Ic37c7161b7dddad49e3c2ab075d7e8b72f436b35
Closes-Bug: #1833072
2019-10-09 15:55:17 +02:00
Rodrigo Barbieri fb2f757494 Add config option for keystone admin roles
RADOS Gateway supports setting keystone operator and admin
roles. RADOS Gateway requires admin roles for keystone users
to change their user quota. Regular operator/member roles
are not allowed to do so.

The lack of this config option prevents swift users with admin
roles from being able to set their quotas. Therefore, a config
option 'admin-roles' is now added to the charm to map to
'rgw keystone accepted admin roles' RADOS Gateway config.

Please note that this is only effective from Luminous
Ceph Release.

Change-Id: Ic0b9aa39eef9fbc6c43eb4e66ab72d90787c2017
Closes-Bug: #1831577
2019-07-01 17:37:19 -03:00
James Page 3e54b570b1 Switch auth order for s3 authentication
When deploying the RGW in multi-site configurations, communication
between sites is authenticated using S3 credentials managed within
RGW.  In the event that keystone authentication is in use this
generates a large number of s3 authentication attempts to keystone
which will always fail.

Switch the default order to check local auth first and then fallback
to external.

Change-Id: I7bfc016baf99188ba5a36f663145eeff465d25e8
2019-02-21 13:16:31 +00:00
James Page 7722f9d620 Add support for RADOS gateway multi-site replication
Add new radosgw-multisite typed master and slave relations to
support configuration of separate ceph-radosgw deployments as
a single realm and zonegroup to support replication of data
between distinct RADOS gateway deployments.

This mandates the use of the realm, zonegroup and zone
configuration options of which realm and zonegroup must match
between instances of the ceph-radosgw application participating
in the master/slave relation.

The radosgw-multisite relation may be deployed as a model local
relation or as a cross-model relation.

Change-Id: I094f89b0f668e012482ca8aace1756c911b79d17
Closes-Bug: 1666880
2019-02-14 09:40:20 +00:00
James Page 76cddc525e Drop keystone integration for PKI token format
The PKI token format is no longer supported by the keystone charm;
drop code, tests and associated template fragments which deal with
configuration of PKI revocation list processing.

Change-Id: Ie08779c2aef15589b621c324808bb13089fb4f72
Closes-Bug: 1586550
2019-02-13 11:52:20 +00:00
James Page 2858f1b02d Switch to using systemd units for radosgw
Switch to using systemd configurations to manage radosgw instances;
the radosgw init script is obsolete and will be removed at some
point in time, and the newer style of managing radosgw daemons is
in line with current best practice.

This changeset also changes the way cephx keys are issued; before
all rgw instances shared a key, now a key is issued per host.

The key is named 'rgw.`hostname`' to identify the application
and host using the key.

Existing deployments using the radosgw init script will be switched
to use the new systemd named units; this occurs once the new key
for the unit has been presented by the ceph-mon cluster over the
mon relation. A small period of outage will occur as the radosgw
init based daemon is stopped and disabled prior to the start of
the new systemd based radosgw unit.

This commit also includes a resync for charmhelpers to pickup
support for '@' in NRPE service check names.

Change-Id: Ic0d634e619185931633712cb3e3685051a28749d
Depends-On: I289b75a2935184817b424c5eceead16235c3f53b
Closes-Bug: 1808140
2019-01-24 13:04:52 +00:00
Chris Glass f765f60e86 Allow the simple Swift auth to work
In case we do *not* use keystone as an authentication mechanism, let the
built-in authentication work with this charm.

Without this change, the Swift authentication itself will work, but the
X-Storage-URL header will point to the port the storage daemon listens
on - which is not open in the firewall (70).

This change instead forces the URL to be "the unit's public IP" with the
default port (80), on which haproxy is listening, and will do the right
thing.

Change-Id: Ia2b12153eca3074392aad6dea6ee995990f15633
Signed-off-by: Christopher Glass <chris.glass@canonical.com>
2017-06-01 11:28:08 +02:00
Frode Nordahl 7fa6639ab3 Add Keystone v3 support
Change-Id: I5bb974064f0980a3f599eae3e2ba86b405f917ac
Closes-Bug: 1585708
2017-02-15 10:59:04 +01:00
James Page 5d2dfd94dd Drop apache+mod-fastcgi support
The ceph project has focussed on running the RADOS Gateway using
the embedded civetweb engine for many cycles now; mod-fastcgi is
buggy and no longer provided in Ubuntu as of 17.04, so switch to
always running in embedded mode.

Existing installs will be upgraded to run in this mode, purging
apache related packaging and configuration.

Change-Id: I90e6c047d78de2b0ebf8c24bd2f2d6d1bfbd5c5d
Closes-Bug: 1657370
2017-01-18 17:30:33 +00:00
Chris Holcombe 3bacc91230 Increase rgw init timeout to 1200 seconds
This changeset increases the initialization timeout
for rgw instances from 300 -> 1200 seconds.

This change decreases the chance that the rgw instance
will time out prior to OSDs actually joining the Ceph storage
cluster as usable storage is required for this operation.

Change-Id: I6c5442edc2fb25ff37d7a4bd0bc49aabd6f2d24c
Closes-Bug: 1577519
2016-06-17 12:52:25 +01:00
Edward Hope-Morley 485868fa54 Add support for user-provided ceph config
Adds a new config-flags option to the charm that
supports setting a dictionary of ceph configuration
settings that will be applied to ceph.conf.

This implementation supports config sections so that
settings can be applied to any section supported by
the ceph.conf template in the charm.

Change-Id: I8a447209b9040890e7c10585321b71da08a26b11
Closes-Bug: 1522375
2016-06-01 11:34:59 +01:00
Edward Hope-Morley 379f5d78a5 Add Ipv6 support
Adds support for configuring the Rados Gateway to use IPv6
addresses and networks. This can be enabled by setting
prefer-ipv6=True.

Change-Id: I801fab14accd8c3498ea5468d135f34f159717cb
Closes-Bug: 1513524
2016-03-04 12:10:01 +00:00
Edward Hope-Morley 4ebf5f7314 sync /next 2016-01-11 14:21:07 +02:00
Liam Young 793f755ef7 [hopem, r=gnuoy] Don't disable HTTP 100-Continue if using ceph
optimised packages with Apache.
Closes-Bug: 1515387
2016-01-11 11:21:53 +00:00
Liam Young 48eca657cc [hopem, r=gnuoy] Configure rados gateway nss with CA and signing certs
from keystone so that it can decrypt revoked token
list from keystone.

Partially-Closes-Bug: 1520339
2016-01-11 09:59:18 +00:00
Edward Hope-Morley 29d22731f9 [hopem,r=]
Configure rados gateway nss with CA and signing certs
from keystone so that it can decrypt revoked token
list from keystone.

Partially-Closes-Bug: 1520339
2015-12-26 19:21:00 -05:00
Edward Hope-Morley a16760cf73 synced /next 2015-12-21 13:48:13 -05:00
Edward Hope-Morley 0f76809c4a [hopem,r=]
Don't disable HTTP 100-Continue if using ceph
optimised packages with Apache.
Closes-Bug: 1515387
2015-12-02 11:09:50 +00:00
Edward Hope-Morley ff999102f2 [hopem,r=]
Add debug and verbose config options.
Closes-Bug: 1520236
2015-11-26 16:20:26 +00:00
Edward Hope-Morley 9194bbc2f6 [hopem,r=]
Make RGW port configurable.
Closes-Bug: 1517551
2015-11-25 11:09:14 +00:00
Edward Hope-Morley 4995d09ae3 [hopem,r=]
Enable s3 keystone when using keystone for auth.
Closes-Bug: 1515688
2015-11-12 16:31:42 +00:00
Liam Young 8c07557998 Enable haproxy 2015-01-14 16:48:07 +00:00
James Page cf43b6bb23 Add support of use of embedded webserver 2015-01-14 09:10:04 +00:00
Corey Bryant 9504dd6c08 Remove leading whitespace from templates/ceph.conf
(ConfigParser can't parse)
2014-09-27 19:16:33 +00:00
Seyeong Kim 3a40a981ec s3gw.fcgi should have same configuration name in ceph.conf 2014-08-07 19:09:14 +09:00
Seyeong Kim cf16312a09 change template ceph.conf
configuration name from client.radosgw.gateway to client.rados.gateway
2014-08-06 14:02:36 +09:00
James Page 05b462f3de Fixup template 2014-07-24 10:48:17 +01:00
Edward Hope-Morley 39bb4dc453 [hopem] Added use-syslog cfg option to allow logging to syslog 2014-03-25 18:44:22 +00:00
James Page fbec620db2 Resync utils, ceph, add support for keystone auth 2013-01-11 09:15:51 +00:00
James Page ff6efc7f21 Added support for auth configuration from mons 2012-10-19 16:51:24 +01:00
James Page 632bb6015c Added cephx support 2012-10-09 13:35:06 +01:00
James Page b183a9d41f Minor tweak to copyright 2012-10-08 16:58:16 +01:00