diff --git a/files/certmonger-rgw-refresh.sh b/files/certmonger-rgw-refresh.sh
new file mode 100644
index 000000000..301385ffc
--- /dev/null
+++ b/files/certmonger-rgw-refresh.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# Get ceph rgw systemd unit
+rgw_unit=$(systemctl list-unit-files | awk '/radosgw/ {print $1}')
+
+# Restart the rgw systemd unit
+if [ -n "$rgw_unit" ]; then
+ systemctl restart "$rgw_unit"
+fi
diff --git a/manifests/certmonger/ceph_rgw.pp b/manifests/certmonger/ceph_rgw.pp
new file mode 100644
index 000000000..b0b7aa8fd
--- /dev/null
+++ b/manifests/certmonger/ceph_rgw.pp
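Review bot: `rgw_unit` can hold several newline-separated names, because `systemctl list-unit-files | awk '/radosgw/ {print $1}'` prints every unit file whose name contains `radosgw`, and the quoted `systemctl restart "$rgw_unit"` then hands them to systemctl as a single argument, so the restart fails and the renewed certificate is never picked up. `list-unit-files` also reports template units that have no instance and files that are disabled or masked, none of which is a running gateway. Listing active services with `list-units` and iterating over the matches keeps the hook working for any number of gateways; the script also discards the restart's exit status, so a failed restart would presumably go unnoticed by whatever invokes this postsave command, which `set -e` addresses. A header comment stating that this is the certmonger postsave hook installed by `tripleo::certmonger::ceph_rgw` would help the next reader.
```bash
#!/bin/bash
set -e

# Restart every active rgw unit. Use list-units rather than list-unit-files so
# that a bare template unit or a disabled/masked unit file is not matched.
mapfile -t rgw_units < <(systemctl list-units --type=service --state=active --no-legend | awk '/radosgw/ {print $1}')
for unit in "${rgw_units[@]}"; do
    systemctl restart "$unit"
done
```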
@@ -0,0 +1,117 @@
+# Copyright 2020 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::certmonger::ceph_grafana
+#
+# Request a certificate for RabbitMQ and do the necessary setup.
+#
+# === Parameters
+#
+# [*hostname*]
+# The hostname of the node. this will be set in the CN of the certificate.
+#
+# [*service_pem*]
+# The file in PEM format that the HAProxy service will use as a certificate.
+#
+# [*service_certificate*]
+# The path to the certificate that will be used for TLS in this service.
+#
+# [*service_key*]
+# The path to the key that will be used for TLS in this service.
+#
+# [*certmonger_ca*]
+# (Optional) The CA that certmonger will use to generate the certificates.
+# Defaults to hiera('certmonger_ca', 'local').
+#
+# [*postsave_cmd*]
+# (Optional) Specifies the command to execute after requesting a certificate.
+# Defaults to undef.
+#
+# [*principal*]
+# (Optional) The service principal that is set for the service in kerberos.
+# Defaults to undef
+#
+class tripleo::certmonger::ceph_rgw (
+ $hostname,
+ $service_certificate,
+ $service_key,
+ $service_pem,
+ $postsave_cmd = undef,
+ $certmonger_ca = hiera('certmonger_ca', 'local'),
+ $principal = undef,
+) {
+
+ ensure_resource('file', '/usr/bin/certmonger-rgw-refresh.sh', {
+ source => 'puppet:///modules/tripleo/certmonger-rgw-refresh.sh',
+ mode => '0700',
+ seltype => 'bin_t',
+ notify => Service['certmonger']
+ })
+
+ certmonger_certificate { 'ceph_rgw' :
+ ensure => 'present',
+ certfile => $service_certificate,
+ keyfile => $service_key,
+ hostname => $hostname,
+ dnsname => $hostname,
+ principal => $principal,
+ postsave_cmd => $postsave_cmd,
+ ca => $certmonger_ca,
+ wait => true,
+ require => Class['::certmonger'],
+ }
+
+ concat { $service_pem :
+ ensure => present,
+ mode => '0640',
+ owner => 472,
+ group => 472,
+ tag => 'ceph-rgw-cert',
+ }
+
+ concat::fragment { "${title}-cert-fragment":
+ target => $service_pem,
+ source => $service_certificate,
+ order => '01',
+ tag => 'ceph_rgw-cert',
+ require => Concat["${service_pem}"]
+ }
+
+ if $certmonger_ca == 'local' {
+ $ca_pem = getparam(Class['tripleo::certmonger::ca::local'], 'ca_pem')
+ concat::fragment { "${title}-ca-fragment":
+ target => $service_pem,
+ source => $ca_pem,
+ order => '10',
+ tag => 'ceph_rgw-cert',
+ require => [ Class['tripleo::certmonger::ca::local'], Concat::Fragment["${title}-cert-fragment"] ]
+ }
+ } elsif $certmonger_ca == 'IPA' {
+ concat::fragment { "${title}-ca-fragment":
+ target => $service_pem,
+ source => '/etc/ipa/ca.crt',
+ order => '10',
+ tag => 'ceph_rgw-cert',
+ require => Concat::Fragment["${title}-cert-fragment"]
+ }
+ }
+
+ concat::fragment { "${title}-key-fragment":
+ target => $service_pem,
+ source => $service_key,
+ order => 20,
+ tag => 'ceph_rgw-cert',
+ require => Concat::Fragment["${title}-ca-fragment"],
+ }
+}
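Review bot: The key fragment at the end of the class requires `Concat::Fragment["${title}-ca-fragment"]`, but that resource is only declared in the `'local'` and `'IPA'` branches of the `if $certmonger_ca` block, so any other CA value fails catalog compilation on a missing dependency; because `order` already places the key after the CA chunk, `require => Concat::Fragment["${title}-cert-fragment"],` is sufficient and valid for every CA. The header comment still reads `== Class: tripleo::certmonger::ceph_grafana`, says the certificate is for RabbitMQ and describes `service_pem` as the file HAProxy uses; it should name `tripleo::certmonger::ceph_rgw`, the RGW service and the bundle the RGW service reads. The concat's `owner => 472, group => 472` and `tag => 'ceph-rgw-cert'` (hyphen, unlike the fragments' `'ceph_rgw-cert'`) look carried over from the grafana class as well: the bundle ends with the private key under mode `0640`, so the literal uid/gid should be confirmed to be the account the RGW process runs as, ideally as parameters rather than literals, and the two tags should agree. `Concat["${service_pem}"]` on the cert fragment should be `Concat[$service_pem]`.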
diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp
index 1fb2cebc9..79a0d1db2 100644
--- a/manifests/profile/base/certmonger_user.pp
+++ b/manifests/profile/base/certmonger_user.pp
@@ -112,6 +112,11 @@
# it will create.
# Defaults to hiera('ceph_dashboard_certificate_specs', {}).
#
+# [*ceph_rgw_certificate_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Defaults to hiera('ceph_rgw_certificate_specs', {}).
+#
# [*etcd_certificate_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
@@ -196,6 +201,7 @@ class tripleo::profile::base::certmonger_user (
$novnc_proxy_certificates_specs = hiera('novnc_proxy_certificates_specs',{}),
$ceph_grafana_certificate_specs = hiera('ceph_grafana_certificate_specs', {}),
$ceph_dashboard_certificate_specs = hiera('ceph_dashboard_certificate_specs', {}),
+ $ceph_rgw_certificate_specs = hiera('ceph_rgw_certificate_specs', {}),
$ovn_dbs_certificate_specs = hiera('ovn_dbs_certificate_specs', {}),
$ovn_controller_certificate_specs = hiera('ovn_controller_certificate_specs', {}),
$ovn_metadata_certificate_specs = hiera('ovn_metadata_certificate_specs', {}),
@@ -293,6 +299,9 @@ class tripleo::profile::base::certmonger_user (
unless empty($ceph_dashboard_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::ceph_dashboard', $ceph_dashboard_certificate_specs)
}
+ unless empty($ceph_rgw_certificate_specs) {
+ ensure_resource('class', 'tripleo::certmonger::ceph_rgw', $ceph_rgw_certificate_specs)
+ }
unless empty($ovn_dbs_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::ovn_dbs', $ovn_dbs_certificate_specs)
}