From 6c2daf043fd10c5ecaf264b3d79bfd3b3f57e1e2 Mon Sep 17 00:00:00 2001
From: Andrey Shestakov
Date: Tue, 27 Dec 2016 13:28:44 +0200
Subject: [PATCH] Add local radosgw and API to ironic-conductor pod.

Currenty ironic depends on external dns, ingress, ssl, and network routing. To download image to baremetal node in provisioning network, traffic going from ceph to radosgw to ingress proxy and then to node. It utilizes all networks (storage, public, provisioning) and loads radosgw and ingress on controller nodes. This change introduces local radosgw and ironic API inside of ironic-conductor pod. For provision baremetal node, traffic will go from ceph to radosgw on ironic-conductor node and then to baremetal node. Also ironic provisioning will not depends on external network access, ingress, valid ssl, external dns.

Change-Id: Ib2e2027ae80ad222e64c7e85cf7ddb1da95ca5ed
---
 docker/ironic-ipxe/Dockerfile.j2 | 1 -
 service/files/ceph.client.radosgw.keyring.j2 | 3 ++
 service/files/ceph.conf.j2 | 26 ++++++++++++++++
 service/files/ironic.conf.j2 | 7 +++--
 service/ironic-conductor.yaml | 32 ++++++++++++++++++--
 5 files changed, 62 insertions(+), 7 deletions(-)
 create mode 100644 service/files/ceph.client.radosgw.keyring.j2
 create mode 100644 service/files/ceph.conf.j2

diff --git a/docker/ironic-ipxe/Dockerfile.j2 b/docker/ironic-ipxe/Dockerfile.j2
index 4c34e81..fd9905b 100644
--- a/docker/ironic-ipxe/Dockerfile.j2
+++ b/docker/ironic-ipxe/Dockerfile.j2
@@ -9,4 +9,3 @@ RUN apt-get install -y --no-install-recommends \
 RUN chmod 777 /run
-USER ironic
diff --git a/service/files/ceph.client.radosgw.keyring.j2 b/service/files/ceph.client.radosgw.keyring.j2
new file mode 100644
index 0000000..1cd3972
--- /dev/null
+++ b/service/files/ceph.client.radosgw.keyring.j2
@@ -0,0 +1,3 @@
+[client.radosgw.gateway]
+ key = {{ radosgw.key }}
+
diff --git a/service/files/ceph.conf.j2 b/service/files/ceph.conf.j2
new file mode 100644
index 0000000..0feadb7
--- /dev/null
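Review bot: Removing `USER ironic` leaves no USER directive in the visible part of this Dockerfile, so unless the base image sets one, the container falls back to root; the service definition appears to run `nginx -g 'daemon off; error_log stderr;'` from this image in a pod with `hostNetwork: true`. The commit message does not explain the removal, and the remaining `RUN chmod 777 /run` suggests the image was already prepared for an unprivileged user. I would keep `USER ironic` and fix whatever permission or port problem prompted the change, or else record the reason next to the removal, e.g. `# runs as root: <reason>`. The Dockerfile starts above this hunk.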
+++ b/service/files/ceph.conf.j2
@@ -0,0 +1,26 @@
+[global]
+fsid = {{ ceph.fsid }}
+mon_host = {{ ceph.mon_host }}
+auth_cluster_required = cephx
+auth_service_required = cephx
+auth_client_required = cephx
+debug_rgw = 20
+
+[client.radosgw.gateway]
+keyring = /var/lib/ceph/radosgw/ceph-rgw/keyring
+rgw socket path = /tmp/radosgw.sock
+log file = /var/log/ceph/ceph-rgw-{{ namespace }}.log
+rgw data = /var/lib/ceph/radosgw/ceph-rgw
+rgw frontends = civetweb port={{ radosgw.port.cont }} num_threads=50
+
+rgw keystone api version = 3
+rgw keystone admin domain = Default
+rgw keystone admin project = {{ openstack.project_name }}
+rgw keystone url = {{ address('keystone', keystone.admin_port, with_scheme=True) }}
+rgw keystone accepted roles = Member, _member_, admin
+rgw keystone revocation interval = 900
+rgw s3 auth use keystone = true
+rgw keystone verify ssl = {{ keystone.tls.enabled }}
+rgw keystone admin user = {{ openstack.user_name }}
+rgw keystone admin password = {{ openstack.user_password }}
+
diff --git a/service/files/ironic.conf.j2 b/service/files/ironic.conf.j2
index a85ba55..205b9d1 100644
--- a/service/files/ironic.conf.j2
+++ b/service/files/ironic.conf.j2
@@ -11,7 +11,7 @@ enabled_network_interfaces = noop,flat
 default_network_interface = flat
 [api]
-public_endpoint = http://{{ address('ironic', ironic.api_port, external=True, with_scheme=False) }}
+public_endpoint = http://{{ network_topology["private"]["address"] }}:{{ ironic.api_port.cont }}
 host_ip = {{ network_topology["private"]["address"] }}
 port = {{ ironic.api_port.cont }}
@@ -20,6 +20,7 @@ connection = mysql+pymysql://{{ ironic.db.username }}:{{ ironic.db.password }}@{
 max_retries = -1
 {{ keystone_authtoken.keystone_authtoken(ironic.username, ironic.password) }}
+auth_version = 3
 [service_catalog]
 auth_type = password
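Review bot: `debug_rgw = 20` in the `[global]` section of ceph.conf.j2 looks like a bring-up leftover: it is a very verbose RGW log level, and at that verbosity the log file configured below is likely to record request headers and temp-URL query strings for every image download. I would remove the line or template it with a quiet default, e.g. `debug_rgw = {{ radosgw.debug_level }}` (the variable name is a placeholder, not an existing setting). Also, `civetweb port={{ radosgw.port.cont }}` names no address while the pod in service/ironic-conductor.yaml runs with `hostNetwork: true`, so the gateway presumably listens on every interface of the host. Binding it to the private address the same way ironic.conf.j2 does, `port={{ network_topology["private"]["address"] }}:{{ radosgw.port.cont }}`, would keep it off the other networks.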
@@ -31,7 +32,7 @@ username = {{ ironic.username }}
 password = {{ ironic.password }}
 [conductor]
-api_url = http://{{ address('ironic', ironic.api_port, external=True, with_scheme=False) }}
+api_url = http://{{ network_topology["private"]["address"] }}:{{ ironic.api_port.cont }}
 automated_clean = {{ ironic.automated_clean }}
 [neutron]
@@ -56,7 +57,7 @@ password = {{ ironic.password }}
 glance_api_servers = {{ address('glance-api', glance.api_port, with_scheme=True) }}
-swift_endpoint_url = http://{{ address('radosgw', radosgw.port, external=True, with_scheme=False) }}
+swift_endpoint_url = http://{{ network_topology["private"]["address"] }}:{{ radosgw.port.cont }}/swift
 swift_temp_url_key = {{ ironic.swift.temp_url_key }}
 temp_url_endpoint_type = radosgw
diff --git a/service/ironic-conductor.yaml b/service/ironic-conductor.yaml
index 2b8e754..e18db03 100644
--- a/service/ironic-conductor.yaml
+++ b/service/ironic-conductor.yaml
@@ -4,7 +4,7 @@ service:
 hostNetwork: true
 kind: DaemonSet
 containers:
- - name: ironic-conductor
+ - name: conductor
 image: ironic-conductor
 probes:
 readiness: "true"
@@ -34,7 +34,7 @@ service:
 dependencies:
 - ironic-db-sync
 - ironic-post-swift-tempurl-key
- - name: ironic-pxe
+ - name: pxe
 image: ironic-pxe
 probes:
 readiness: "true"
@@ -54,7 +54,7 @@ service:
 /var/lib/ironic/tftpboot
 files:
 - pxe-bootstrap.sh
- - name: ironic-ipxe
+ - name: ipxe
 image: ironic-ipxe
 probes:
 readiness: "true"
@@ -69,6 +69,23 @@ service:
 command: nginx -g 'daemon off; error_log stderr;'
 files:
 - nginx-ipxe.conf
+ - name: radosgw
+ image: radosgw
+ daemon:
+ command: radosgw -c /etc/ceph/ceph.conf -n client.radosgw.gateway -d
+ files:
+ - ceph-conf
+ - radosgw-ceph-key
+ - radosgw-keyring
+ - name: api
+ image: ironic-api
+ daemon:
+ command: ironic-api --config-file /etc/ironic/ironic.conf
+ files:
+ - ironic.conf
+ dependencies:
+ - rpc
+ - ironic-db-sync
 files:
 ironic.conf:
 path: /etc/ironic/ironic.conf
@@ -86,3 +103,12 @@ files:
 path: /home/ironic/.ssh/id_rsa
 content: ssh_key.j2
 perm: "0400"
+ ceph-conf:
+ path: /etc/ceph/ceph.conf
+ content: ceph.conf.j2
+ radosgw-ceph-key:
+ path: /etc/ceph/ceph.client.radosgw.keyring
+ content: ceph.client.radosgw.keyring.j2
+ radosgw-keyring:
+ path: /var/lib/ceph/radosgw/ceph-rgw/keyring
+ content: ceph.client.radosgw.keyring.j2
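Review bot: The three new `files:` entries (`ceph-conf`, `radosgw-ceph-key`, `radosgw-keyring`) set no `perm`, although the SSH key entry directly above them is pinned to `perm: "0400"`. They hold secrets too: the keyring template renders `key = {{ radosgw.key }}` and ceph.conf.j2 renders `rgw keystone admin password`. The default mode the deployer applies is not visible here, so I would add an explicit `perm: "0400"` to each entry, after checking that the user radosgw runs as can still read them. ceph.conf.j2 points `keyring` at /var/lib/ceph/radosgw/ceph-rgw/keyring, so the second copy at /etc/ceph/ceph.client.radosgw.keyring may be unnecessary. The `files:` map begins outside this hunk.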