rgw/kms/kmip - correct documentation.
authorMarcus Watts <mwatts@redhat.com>
Thu, 29 Oct 2020 16:04:36 +0000 (12:04 -0400)
committerMarcus Watts <mwatts@redhat.com>
Thu, 4 Mar 2021 00:14:10 +0000 (19:14 -0500)
The pykmip task should be after ceph, and before rgw.

kmip needs ssl certs in order to function correctly.
Because the openssl_keys task has an indeterminate
order of execution, it is best to create the ca as
a separate task.  The ca can be shared with rgw, but
real life deployments of kmip are likely to have their
own CA.

In order to create kmip secrets, a client certificate
is necessary, so one must be supplied to the pykmip task.

Signed-off-by: Marcus Watts <mwatts@redhat.com>
qa/tasks/pykmip.py

index 8f9b18c297ef1aab0e0ee05575b47fd1532156c8..d0b72f69ecc0a5bd4e86c3aa5e500a2de3772e6b 100644 (file)
@@ -383,37 +383,52 @@ def create_secrets(ctx, config):
 @contextlib.contextmanager
 def task(ctx, config):
     """
-    Deploy and configure Keystone
+    Deploy and configure PyKMIP
 
     Example of configuration:
 
     tasks:
-      - local_cluster:
-          cluster_path: /home/adam/ceph-1/build
-      - local_rgw:
-      - tox: [ client.0 ]
-      - pykmip:
-          client.0:
-            force-branch: master
-            config:
-              clientca: ca-ssl-cert
-              servercert: pykmkp-ssl-cert-and-key
-            secrets:
-              - name: my-key-1
-                base64: a2V5MS5GcWVxKzhzTGNLaGtzQkg5NGVpb1FKcFpGb2c=
-              - name: my-key-2
-                base64: a2V5Mi5yNUNNMGFzMVdIUVZxcCt5NGVmVGlQQ1k4YWg=
-      - s3tests:
-          client.0:
-            force-branch: master
-            kms_key: my-key-1
-      - rgw:
-          client.0:
-            use-pykmip-role: client.0
+    - install:
+    - ceph:
+       conf:
+        client:
+         rgw crypt s3 kms backend: kmip
+         rgw crypt kmip ca path: /home/ubuntu/cephtest/ca/kmiproot.crt
+         rgw crypt kmip client cert: /home/ubuntu/cephtest/ca/kmip-client.crt
+         rgw crypt kmip client key: /home/ubuntu/cephtest/ca/kmip-client.key
+         rgw crypt kmip kms key template: pykmip-$keyid
+    - openssl_keys:
+       kmiproot:
+         client: client.0
+         cn: kmiproot
+         key-type: rsa:4096
+    - openssl_keys:
+       kmip-server:
+         client: client.0
+         ca: kmiproot
+       kmip-client:
+         client: client.0
+         ca: kmiproot
+         cn: rgw-client
+    - pykmip:
+        client.0:
+          force-branch: master
+          clientca: kmiproot
+          servercert: kmip-server
+          clientcert: kmip-client
+          secrets:
+          - name: pykmip-key-1
+          - name: pykmip-key-2
+    - rgw:
+        client.0:
+          use-pykmip-role: client.0
+    - s3tests:
+        client.0:
+          force-branch: master
     """
     assert config is None or isinstance(config, list) \
         or isinstance(config, dict), \
-        "task keystone only supports a list or dictionary for configuration"
+        "task pykmip only supports a list or dictionary for configuration"
     all_clients = ['client.{id}'.format(id=id_)
                    for id_ in teuthology.all_roles_of_type(ctx.cluster, 'client')]
     if config is None:
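Review bot: The ordering and certificate requirements this example depends on are stated only in the commit message, not in the `task()` docstring the hunk rewrites, so a reader of qa/tasks/pykmip.py cannot tell why the CA has its own `openssl_keys` entry or why `clientcert` is present. I would add two lines above `Example of configuration:`, such as `pykmip must run after ceph and before rgw; create the CA in its own openssl_keys task, ahead of the certificates it signs.` and `clientcert is required for creating the listed secrets.` The docstring should also say that sharing the single test CA `kmiproot` between the KMIP server and the rgw client is a test convenience, since the commit message notes that real deployments are likely to have their own CA. The `secrets` entries no longer carry a `base64:` value; presumably the key material is now generated on the server side, which the docstring could state once confirmed. `task()` continues past the end of the hunk.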