diff --git a/inventory/group_vars/ceph-rgw.yml b/inventory/group_vars/ceph-rgw.yml
index d791a9c62c..eabe10fdb0 100644
--- a/inventory/group_vars/ceph-rgw.yml
+++ b/inventory/group_vars/ceph-rgw.yml
@@ -17,3 +17,57 @@ ceph_conf_overrides_rgw:
 # rgw_enable_apis: 'swift, s3'
 # rgw_s3_auth_use_keystone: 'true'
+###
+### Backend TLS
+###
+
+# Ceph configuration options to enable TLS on ceph-rgw
+radosgw_frontend_ssl_certificate: "{{ ceph_rgw_backend_ssl is truthy | ternary(ceph_rgw_ssl_cert, '') }}"
+# Ceph-ansible requires to include private key in `radosgw_frontend_ssl_certificate`
+# which is not possible with ansible-role-pki.
+# That is why `ssl_private_key` is defined in `radosgw_frontend_options`.
+radosgw_frontend_options: "{{ ceph_rgw_backend_ssl is truthy | ternary('ssl_private_key=' + ceph_rgw_ssl_key, '') }}"
+
+# Define if communication between haproxy and service backends should be
+# encrypted with TLS.
+ceph_rgw_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"
+
+# Storage location for SSL certificate authority
+ceph_rgw_pki_dir: "{{ openstack_pki_dir | default('/etc/openstack_deploy/pki') }}"
+
+# Delegated host for operating the certificate authority
+ceph_rgw_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
+
+# ceph_rgw server certificate
+ceph_rgw_pki_keys_path: "{{ ceph_rgw_pki_dir ~ '/certs/private/' }}"
+ceph_rgw_pki_certs_path: "{{ ceph_rgw_pki_dir ~ '/certs/certs/' }}"
+ceph_rgw_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('ExampleCorpIntermediate') }}"
+ceph_rgw_pki_regen_cert: ''
+ceph_rgw_pki_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}"
+ceph_rgw_pki_certificates:
+  - name: "ceph_rgw_{{ ansible_facts['hostname'] }}"
+    provider: ownca
+    cn: "{{ ansible_facts['hostname'] }}"
+    san: "{{ ceph_rgw_pki_san }}"
+    signed_by: "{{ ceph_rgw_pki_intermediate_cert_name }}"
+
+# ceph_rgw destination files for SSL certificates
+ceph_rgw_ssl_cert: /etc/ceph/ceph-rgw.pem
+ceph_rgw_ssl_key: /etc/ceph/ceph-rgw.key
+
+# Installation details for SSL certificates
+ceph_rgw_pki_install_certificates:
+  - src: "{{ ceph_rgw_user_ssl_cert | default(ceph_rgw_pki_certs_path ~ 'ceph_rgw_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
+    dest: "{{ ceph_rgw_ssl_cert }}"
+    owner: "ceph"
+    group: "ceph"
+    mode: "0644"
+  - src: "{{ ceph_rgw_user_ssl_key | default(ceph_rgw_pki_keys_path ~ 'ceph_rgw_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
+    dest: "{{ ceph_rgw_ssl_key }}"
+    owner: "ceph"
+    group: "ceph"
+    mode: "0600"
+
+# Define user-provided SSL certificates
+#ceph_rgw_user_ssl_cert:
+#ceph_rgw_user_ssl_key:
diff --git a/inventory/group_vars/haproxy/haproxy.yml b/inventory/group_vars/haproxy/haproxy.yml
index 444e658b5d..275973798c 100644
--- a/inventory/group_vars/haproxy/haproxy.yml
+++ b/inventory/group_vars/haproxy/haproxy.yml
@@ -116,6 +116,10 @@ haproxy_ceph_rgw_service:
     - httpchk HEAD /
   haproxy_backend_httpcheck_options:
     - expect rstatus 200|405
+  # `openstack_service_backend_ssl` is not taken into account if ceph is installed independently.
+  haproxy_backend_ssl: "{{ ceph_rgw_backend_ssl | default((groups['ceph-rgw'] is defined and groups['ceph-rgw'] | length > 0) | ternary(openstack_service_backend_ssl, False)) }}"
+  haproxy_backend_ca: "{{ ceph_rgw_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
+  haproxy_accept_both_protocols: "{{ ceph_rgw_accept_both_protocols | default(openstack_service_accept_both_protocols) }}"
   haproxy_service_enabled: "{{ (groups['ceph-rgw'] is defined and groups['ceph-rgw'] | length > 0) or (ceph_rgws | length > 0) }}"
 haproxy_default_services:
diff --git a/playbooks/ceph-rgw-install.yml b/playbooks/ceph-rgw-install.yml
index 4a768d9125..eeba71da99 100644
--- a/playbooks/ceph-rgw-install.yml
+++ b/playbooks/ceph-rgw-install.yml
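Review bot: `radosgw_frontend_options` hands the key to RGW via `ssl_private_key=`, which as far as I know is honoured only by the beast frontend; if `radosgw_frontend_type` is overridden to civetweb the key has to be concatenated into the certificate file and this split no longer works, so the comment block above it should state the assumption, e.g. `# Note: ssl_private_key is only honoured by the beast frontend.` `ceph_rgw_pki_regen_cert: ''` carries no comment at all; a line such as `# Set to a non-empty value to force regeneration of the server certificate` would document its contract, assuming the pki role treats any non-empty value as a regeneration request. The private key is installed with `mode: "0600"` owned by `ceph` while the chain certificate is world-readable at `"0644"`, which is the expected split and worth keeping if the paths are ever changed.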
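Review bot: The fallback in `haproxy_backend_ssl` means that when RGWs are supplied through `ceph_rgws` rather than the `ceph-rgw` group, TLS towards the backends stays off unless the deployer sets `ceph_rgw_backend_ssl` (and, for a non-default CA, `ceph_rgw_haproxy_backend_ca`) in a scope the haproxy hosts can see; the new comment only says the global toggle is ignored and should name the override, e.g. `# For externally managed RGWs that serve TLS, set ceph_rgw_backend_ssl and ceph_rgw_haproxy_backend_ca explicitly.` Note also that `ceph_rgw_backend_ssl` is defined in inventory/group_vars/ceph-rgw.yml, so on haproxy hosts that are not themselves in the ceph-rgw group the `default(...)` branch is the one actually evaluated; a word on that in the comment would stop readers assuming the group var applies here. `haproxy_ceph_rgw_service` begins before the hunk.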
@@ -43,6 +43,26 @@
         - ceph-mon-facts
         - ceph-rgw
+    - name: Create and install SSL certificates
+      include_role:
+        name: pki
+        tasks_from: main_certs.yml
+        apply:
+          tags:
+            - ceph-rgw-config
+            - pki
+      vars:
+        pki_setup_host: "{{ ceph_rgw_pki_setup_host }}"
+        pki_dir: "{{ ceph_rgw_pki_dir }}"
+        pki_create_certificates: "{{ ceph_rgw_user_ssl_cert is not defined and ceph_rgw_user_ssl_key is not defined }}"
+        pki_regen_cert: "{{ ceph_rgw_pki_regen_cert }}"
+        pki_certificates: "{{ ceph_rgw_pki_certificates }}"
+        pki_install_certificates: "{{ ceph_rgw_pki_install_certificates }}"
+      when:
+        - ceph_rgw_backend_ssl
+      tags:
+        - always
+
   roles:
     - role: ceph-defaults
       tags:
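Review bot: `pki_create_certificates` becomes false as soon as either `ceph_rgw_user_ssl_cert` or `ceph_rgw_user_ssl_key` is defined, yet `ceph_rgw_pki_install_certificates` (in the group vars of this same change) still falls back to the PKI-generated path for whichever of the two is missing, so supplying only one of them skips generation and then fails copying a file that was never created; either require both together or document the pairing on the task, e.g. `# User-provided certificates must set both ceph_rgw_user_ssl_cert and ceph_rgw_user_ssl_key.` The `when: ceph_rgw_backend_ssl` guard resolves from the ceph-rgw group var, which defaults `openstack_service_backend_ssl` to False, so the task is a no-op for deployments that have not opted in, which is the right default for a new TLS path. The enclosing play and its `pre_tasks:` list start before the hunk.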