74 lines
3.2 KiB
YAML
74 lines
3.2 KiB
YAML
---
|
|
ceph_conf_overrides_rgw:
|
|
"client.rgw.{{ hostvars[inventory_hostname]['ansible_facts']['hostname'] }}.rgw0":
|
|
# OpenStack integration with Keystone
|
|
rgw_keystone_url: "{{ keystone_service_adminuri }}"
|
|
rgw_keystone_api_version: 3
|
|
rgw_keystone_admin_user: "{{ radosgw_admin_user }}"
|
|
rgw_keystone_admin_password: "{{ radosgw_admin_password }}"
|
|
rgw_keystone_admin_project: "{{ radosgw_admin_tenant }}"
|
|
rgw_keystone_admin_domain: default
|
|
rgw_keystone_accepted_roles: 'member, _member_, admin, swiftoperator'
|
|
rgw_keystone_implicit_tenants: 'true'
|
|
rgw_swift_account_in_url: 'true'
|
|
rgw_swift_versioning_enabled: 'true'
|
|
rgw_enable_apis: swift
|
|
# For S3 support, update/add below rows
|
|
# rgw_enable_apis: 'swift, s3'
|
|
# rgw_s3_auth_use_keystone: 'true'
|
|
|
|
###
|
|
### Backend TLS
|
|
###
|
|
|
|
# Ceph configuration options to enable TLS on ceph-rgw
|
|
radosgw_frontend_ssl_certificate: "{{ ceph_rgw_backend_ssl is truthy | ternary(ceph_rgw_ssl_cert, '') }}"
|
|
# Ceph-ansible requires to include private key in `radosgw_frontend_ssl_certificate`
|
|
# which is not possible with ansible-role-pki.
|
|
# That is why `ssl_private_key` is defined in `radosgw_frontend_options`.
|
|
radosgw_frontend_options: "{{ ceph_rgw_backend_ssl is truthy | ternary('ssl_private_key=' + ceph_rgw_ssl_key, '') }}"
|
|
|
|
# Define if communication between haproxy and service backends should be
|
|
# encrypted with TLS.
|
|
ceph_rgw_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"
|
|
|
|
# Storage location for SSL certificate authority
|
|
ceph_rgw_pki_dir: "{{ openstack_pki_dir | default('/etc/openstack_deploy/pki') }}"
|
|
|
|
# Delegated host for operating the certificate authority
|
|
ceph_rgw_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
|
|
|
|
# ceph_rgw server certificate
|
|
ceph_rgw_pki_keys_path: "{{ ceph_rgw_pki_dir ~ '/certs/private/' }}"
|
|
ceph_rgw_pki_certs_path: "{{ ceph_rgw_pki_dir ~ '/certs/certs/' }}"
|
|
ceph_rgw_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('ExampleCorpIntermediate') }}"
|
|
ceph_rgw_pki_regen_cert: ''
|
|
ceph_rgw_pki_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}"
|
|
ceph_rgw_pki_certificates:
|
|
- name: "ceph_rgw_{{ ansible_facts['hostname'] }}"
|
|
provider: ownca
|
|
cn: "{{ ansible_facts['hostname'] }}"
|
|
san: "{{ ceph_rgw_pki_san }}"
|
|
signed_by: "{{ ceph_rgw_pki_intermediate_cert_name }}"
|
|
|
|
# ceph_rgw destination files for SSL certificates
|
|
ceph_rgw_ssl_cert: /etc/ceph/ceph-rgw.pem
|
|
ceph_rgw_ssl_key: /etc/ceph/ceph-rgw.key
|
|
|
|
# Installation details for SSL certificates
|
|
ceph_rgw_pki_install_certificates:
|
|
- src: "{{ ceph_rgw_user_ssl_cert | default(ceph_rgw_pki_certs_path ~ 'ceph_rgw_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
|
|
dest: "{{ ceph_rgw_ssl_cert }}"
|
|
owner: "ceph"
|
|
group: "ceph"
|
|
mode: "0644"
|
|
- src: "{{ ceph_rgw_user_ssl_key | default(ceph_rgw_pki_keys_path ~ 'ceph_rgw_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
|
|
dest: "{{ ceph_rgw_ssl_key }}"
|
|
owner: "ceph"
|
|
group: "ceph"
|
|
mode: "0600"
|
|
|
|
# Define user-provided SSL certificates
|
|
#ceph_rgw_user_ssl_cert: <path to cert on ansible deployment host>
|
|
#ceph_rgw_user_ssl_key: <path to cert on ansible deployment host>
|