Add radosgw_frontend_ssl_certificate parameter
authorGiulio Fidente <gfidente@redhat.com>
Wed, 19 Jun 2019 12:59:15 +0000 (14:59 +0200)
committermergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Tue, 2 Jul 2019 20:13:09 +0000 (20:13 +0000)
This is necessary when configuring RGW with SSL because, beyond the
frontend-specific options, each frontend expresses TLS differently:
civetweb appends the 's' character to the binding port, while beast
uses ssl_endpoint instead of endpoint.

Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1722071
Signed-off-by: Giulio Fidente <gfidente@redhat.com>
(cherry picked from commit d526803c6cbb6b04f181479d2087ed25bc0b2d31)

group_vars/all.yml.sample
group_vars/rhcs.yml.sample
roles/ceph-config/templates/ceph.conf.j2
roles/ceph-defaults/defaults/main.yml
roles/ceph-handler/templates/restart_rgw_daemon.sh.j2
roles/ceph-rgw/templates/ceph-radosgw.service.j2

index 0211eb43be8b1e6c39dabb759c08473fc5148bf1..fd663afac48febe2de89568a4601d6e7e2de1c24 100644 (file)
@@ -404,11 +404,13 @@ dummy:
 #radosgw_civetweb_port: 8080
 #radosgw_civetweb_num_threads: 512
 #radosgw_civetweb_options: "num_threads={{ radosgw_civetweb_num_threads }}"
-# For additional civetweb configuration options available such as SSL, logging,
+# For additional civetweb configuration options available such as logging,
 # keepalive, and timeout settings, please see the civetweb docs at
 # https://github.com/civetweb/civetweb/blob/master/docs/UserManual.md
 
 #radosgw_frontend_port: "{{ radosgw_civetweb_port if radosgw_frontend_type == 'civetweb' else '8080' }}"
+# The server private key, public certificate and any other CA or intermediate certificates should be in one file, in PEM format.
+#radosgw_frontend_ssl_certificate: ""
 #radosgw_frontend_options: "{{ radosgw_civetweb_options if radosgw_frontend_type == 'civetweb' else '' }}"
 #radosgw_thread_pool_size: 512
 
index 6f8a25ea41ae1e31d76a33eca7a3e691ac24bd65..a149ca744c94912654d3f3d1c6c39c0bed0e72e7 100644 (file)
@@ -404,11 +404,13 @@ ceph_rhcs_version: 4
 #radosgw_civetweb_port: 8080
 #radosgw_civetweb_num_threads: 512
 #radosgw_civetweb_options: "num_threads={{ radosgw_civetweb_num_threads }}"
-# For additional civetweb configuration options available such as SSL, logging,
+# For additional civetweb configuration options available such as logging,
 # keepalive, and timeout settings, please see the civetweb docs at
 # https://github.com/civetweb/civetweb/blob/master/docs/UserManual.md
 
 #radosgw_frontend_port: "{{ radosgw_civetweb_port if radosgw_frontend_type == 'civetweb' else '8080' }}"
+# The server private key, public certificate and any other CA or intermediate certificates should be in one file, in PEM format.
+#radosgw_frontend_ssl_certificate: ""
 #radosgw_frontend_options: "{{ radosgw_civetweb_options if radosgw_frontend_type == 'civetweb' else '' }}"
 #radosgw_thread_pool_size: 512
 
index 90db6e77d885adcfd1b070fcc0fc20fbecc87c1e..d90a74ad543d0ab0ecb78594ba63ef7af2681448 100644 (file)
@@ -117,7 +117,15 @@ osd memory target = {{ _osd_memory_target | default(osd_memory_target) }}
 host = {{ _rgw_hostname }}
 keyring = /var/lib/ceph/radosgw/{{ cluster }}-rgw.{{ _rgw_hostname + '.' + instance['instance_name'] }}/keyring
 log file = /var/log/ceph/{{ cluster }}-rgw-{{ hostvars[host]['ansible_hostname'] + '.' + instance['instance_name'] }}.log
-rgw frontends = {{ radosgw_frontend_type }} {{ 'port' if radosgw_frontend_type == 'civetweb' else 'endpoint' }}={{ instance['radosgw_address'] }}:{{ instance['radosgw_frontend_port'] }} {{ radosgw_frontend_options }}
+{% set _rgw_binding_socket = instance['radosgw_address']|string + ':' + instance['radosgw_frontend_port']|string %}
+{%- macro frontend_line(frontend_type) -%}
+{%- if frontend_type == 'civetweb' -%}
+{{ radosgw_frontend_type }} port={{ _rgw_binding_socket }}{{ 's ssl_certificate='+radosgw_frontend_ssl_certificate if radosgw_frontend_ssl_certificate else '' }}
+{%- elif frontend_type == 'beast' -%}
+{{ radosgw_frontend_type }} {{ 'ssl_' if radosgw_frontend_ssl_certificate else '' }}endpoint={{ _rgw_binding_socket }}{{ ' ssl_certificate='+radosgw_frontend_ssl_certificate if radosgw_frontend_ssl_certificate else '' }}
+{%- endif -%}
+{%- endmacro -%}
+rgw frontends = {{ frontend_line(radosgw_frontend_type) }} {{ radosgw_frontend_options }}
 {% if 'num_threads' not in radosgw_frontend_options %}
 rgw thread pool size = {{ radosgw_thread_pool_size }}
 {% endif %}
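Review bot: The `frontend_line` macro emits nothing when `radosgw_frontend_type` is neither `civetweb` nor `beast`, so the rendered line would collapse to `rgw frontends =  {{ radosgw_frontend_options }}` with no frontend named, whereas the removed line still produced `<type> endpoint=<addr>:<port>` for any non-civetweb value. If other frontend values are still expected (the defaults file points readers at docs for "additionnal frontends"), add a fallback before `{%- endif -%}`: `{%- else -%}` followed by `{{ frontend_type }} endpoint={{ _rgw_binding_socket }}`. Separately, both branches print the global `radosgw_frontend_type` rather than the macro's own `frontend_type` parameter; using the parameter keeps the macro self-contained. A one-line comment above the macro would also help, e.g. `{# When a certificate is set, civetweb gets the 's' port suffix and beast switches from endpoint to ssl_endpoint, so the port presumably serves TLS only #}`.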
index 2fd9f9f3c35ab6a228c6e3b940cee0029943208d..4a68cc324d3a8e6c3ca98e9bc4df6833ab6fa4e8 100644 (file)
@@ -396,11 +396,13 @@ radosgw_frontend_type: beast # For additionnal frontends see: http://docs.ceph.c
 radosgw_civetweb_port: 8080
 radosgw_civetweb_num_threads: 512
 radosgw_civetweb_options: "num_threads={{ radosgw_civetweb_num_threads }}"
-# For additional civetweb configuration options available such as SSL, logging,
+# For additional civetweb configuration options available such as logging,
 # keepalive, and timeout settings, please see the civetweb docs at
 # https://github.com/civetweb/civetweb/blob/master/docs/UserManual.md
 
 radosgw_frontend_port: "{{ radosgw_civetweb_port if radosgw_frontend_type == 'civetweb' else '8080' }}"
+# The server private key, public certificate and any other CA or intermediate certificates should be in one file, in PEM format.
+radosgw_frontend_ssl_certificate: ""
 radosgw_frontend_options: "{{ radosgw_civetweb_options if radosgw_frontend_type == 'civetweb' else '' }}"
 radosgw_thread_pool_size: 512
 
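Review bot: The new comment on `radosgw_frontend_ssl_certificate` describes what the PEM file contains but not where it must live or who must be able to read it, and as far as this diff shows nothing places the file on the RGW host. Because the same bundle holds the private key, I would extend the comment to: `# Absolute path, on each RGW host, to a PEM file holding the server private key, the server certificate and any intermediate/CA certificates. The file must already exist there and be readable by the ceph daemon user (and ideally by nobody else).` It is also worth stating in the same comment that once this is set the frontend on `radosgw_frontend_port` is configured for TLS (civetweb gets the `s` port suffix, beast uses `ssl_endpoint`), so plain-HTTP clients of that port will presumably stop working.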
index b6f58b08b24da54efadb1ce4cb575d64fb425b60..e78a5410242356a6da8a26fbfc0616c17bc82655 100644 (file)
@@ -5,6 +5,12 @@ DELAY="{{ handler_health_rgw_check_delay }}"
 HOST_NAME="{{ ansible_hostname }}"
 RGW_NUMS={{ radosgw_num_instances }}
 RGW_BASE_PORT={{ radosgw_frontend_port }}
+RGW_FRONTEND_SSL_CERT={{ radosgw_frontend_ssl_certificate }}
+if [ -n "$RGW_FRONTEND_SSL_CERT" ]; then
+    RGW_PROTOCOL=https
+else
+    RGW_PROTOCOL=http
+fi
 declare -a DOCKER_EXECS
 for ((i=0; i<${RGW_NUMS}; i++)); do
   DOCKER_EXECS[i]=""
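Review bot: `RGW_FRONTEND_SSL_CERT={{ radosgw_frontend_ssl_certificate }}` at the top of the hunk is the only rendered assignment left unquoted — `HOST_NAME="{{ ansible_hostname }}"` two lines above is quoted — so a certificate path containing whitespace or shell metacharacters would break the assignment or be executed as a command. Quote it like its neighbours: `RGW_FRONTEND_SSL_CERT="{{ radosgw_frontend_ssl_certificate }}"`. The `[ -n "$RGW_FRONTEND_SSL_CERT" ]` check that follows is correctly quoted and only selects the URL scheme; a short comment such as `# a configured certificate means the frontend was rendered for TLS, so probe it over https` would explain why the presence of a path drives the protocol.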
@@ -57,13 +63,13 @@ check_rest() {
   check_for_curl_or_wget ${i}
   local succ=0
   while [ $RETRIES -ne 0 ]; do
-    test "$rgw_test_command http://$RGW_IP:$((RGW_BASE_PORT+i))" && succ=$((succ+1)) && break
+    test "$rgw_test_command $RGW_PROTOCOL://$RGW_IP:$((RGW_BASE_PORT+i))" && succ=$((succ+1)) && break
     sleep $DELAY
     let RETRIES=RETRIES-1
   done
   if [ $succ -ne 1 ]; then
     # If we reach this point, it means there is a problem with the connection to rgw
-    echo "Error connecting locally to Rados Gateway service: http://$rgw_listen"
+    echo "Error connecting locally to Rados Gateway service: $RGW_PROTOCOL://$rgw_listen"
     exit 1
   fi
 }
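Review bot: The probe on the `test "$rgw_test_command $RGW_PROTOCOL://…"` line never runs curl or wget: the whole command line is passed to `test` as one quoted string, and `test STRING` is true for any non-empty string, so `succ` is incremented on the first iteration whether or not the gateway answers (the removed line had the same shape, but this hunk rewrites it and is the natural place to fix it). It should execute the command instead: `$rgw_test_command "$RGW_PROTOCOL://$RGW_IP:$((RGW_BASE_PORT+i))" && succ=$((succ+1)) && break`. Once the request actually runs, an `https` probe against `$RGW_IP` will fail certificate name verification for most server certificates; `rgw_test_command` is built in `check_for_curl_or_wget` outside this hunk, and it needs `-k` / `--no-check-certificate` (or a hostname that matches the certificate) for the TLS check to pass. `$rgw_listen` in the error message is not assigned anywhere in this hunk; if it is not set elsewhere in the script, the message prints an empty host:port.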
index 4b882a863c671e1287fe610fcaa7902c866b4529..aa9422aab2d9760002d4322d61f73c1ec081129b 100644 (file)
@@ -32,6 +32,9 @@ ExecStart=/usr/bin/{{ container_binary }} run --rm --net=host \
   {% if ansible_distribution == 'RedHat' -%}
   -v /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:z \
   {% endif -%}
+  {% if radosgw_frontend_ssl_certificate -%}
+  -v {{ radosgw_frontend_ssl_certificate }}:{{ radosgw_frontend_ssl_certificate }}:ro \
+  {% endif -%}
   -e CEPH_DAEMON=RGW \
   -e CLUSTER={{ cluster }} \
   -e RGW_NAME={{ ansible_hostname }}.${INST_NAME} \
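Review bot: The new bind mount `-v {{ radosgw_frontend_ssl_certificate }}:{{ radosgw_frontend_ssl_certificate }}:ro` is added without any check that the file exists on the host; with docker, a `-v` whose host path is missing is created as an empty directory, so a typo in the variable would leave a stray directory at that path and RGW failing with an unrelated certificate-load error, while podman simply refuses to start the container. A pre-flight `stat` task in the ceph-rgw role, failing when the path is not a regular file, would surface this at deploy time. Since the PEM bundle includes the private key, that same task is the place to assert the file is readable by the uid the container runs as and is not world-readable. Note also that this mount lacks the `:z` the `/etc/pki/ca-trust` mount above carries; on an SELinux-enforcing host the daemon may be denied read access unless the file already has a label the container is allowed to read — worth confirming on a RHEL host before relying on it.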