From: Giulio Fidente Date: Wed, 19 Jun 2019 12:59:15 +0000 (+0200) Subject: Add radosgw_frontend_ssl_certificate parameter X-Git-Tag: v4.0.0rc10~26 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=72e0ac1f44cb3586377618ac78a0cd5862e0fdcd;p=ceph-ansible.git Add radosgw_frontend_ssl_certificate parameter This is necessary when configuring RGW with SSL because in addition to passing specific frontend options, civetweb appends the 's' character to the binding port and beast uses ssl_endpoint instead of endpoint. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1722071 Signed-off-by: Giulio Fidente (cherry picked from commit d526803c6cbb6b04f181479d2087ed25bc0b2d31)
---
diff --git a/group_vars/all.yml.sample b/group_vars/all.yml.sample
index 0211eb43b..fd663afac 100644
--- a/group_vars/all.yml.sample
+++ b/group_vars/all.yml.sample
@@ -404,11 +404,13 @@ dummy:
 #radosgw_civetweb_port: 8080
 #radosgw_civetweb_num_threads: 512
 #radosgw_civetweb_options: "num_threads={{ radosgw_civetweb_num_threads }}"
-# For additional civetweb configuration options available such as SSL, logging,
+# For additional civetweb configuration options available such as logging,
 # keepalive, and timeout settings, please see the civetweb docs at
 # https://github.com/civetweb/civetweb/blob/master/docs/UserManual.md
 #radosgw_frontend_port: "{{ radosgw_civetweb_port if radosgw_frontend_type == 'civetweb' else '8080' }}"
+# The server private key, public certificate and any other CA or intermediate certificates should be in one file, in PEM format.
+#radosgw_frontend_ssl_certificate: ""
 #radosgw_frontend_options: "{{ radosgw_civetweb_options if radosgw_frontend_type == 'civetweb' else '' }}"
 #radosgw_thread_pool_size: 512
diff --git a/group_vars/rhcs.yml.sample b/group_vars/rhcs.yml.sample
index 6f8a25ea4..a149ca744 100644
--- a/group_vars/rhcs.yml.sample
+++ b/group_vars/rhcs.yml.sample
@@ -404,11 +404,13 @@ ceph_rhcs_version: 4
 #radosgw_civetweb_port: 8080
 #radosgw_civetweb_num_threads: 512
 #radosgw_civetweb_options: "num_threads={{ radosgw_civetweb_num_threads }}"
-# For additional civetweb configuration options available such as SSL, logging,
+# For additional civetweb configuration options available such as logging,
 # keepalive, and timeout settings, please see the civetweb docs at
 # https://github.com/civetweb/civetweb/blob/master/docs/UserManual.md
 #radosgw_frontend_port: "{{ radosgw_civetweb_port if radosgw_frontend_type == 'civetweb' else '8080' }}"
+# The server private key, public certificate and any other CA or intermediate certificates should be in one file, in PEM format.
+#radosgw_frontend_ssl_certificate: ""
 #radosgw_frontend_options: "{{ radosgw_civetweb_options if radosgw_frontend_type == 'civetweb' else '' }}"
 #radosgw_thread_pool_size: 512
diff --git a/roles/ceph-config/templates/ceph.conf.j2 b/roles/ceph-config/templates/ceph.conf.j2
index 90db6e77d..d90a74ad5 100644
--- a/roles/ceph-config/templates/ceph.conf.j2
+++ b/roles/ceph-config/templates/ceph.conf.j2
@@ -117,7 +117,15 @@ osd memory target = {{ _osd_memory_target | default(osd_memory_target) }}
 host = {{ _rgw_hostname }}
 keyring = /var/lib/ceph/radosgw/{{ cluster }}-rgw.{{ _rgw_hostname + '.' + instance['instance_name'] }}/keyring
 log file = /var/log/ceph/{{ cluster }}-rgw-{{ hostvars[host]['ansible_hostname'] + '.' + instance['instance_name'] }}.log
-rgw frontends = {{ radosgw_frontend_type }} {{ 'port' if radosgw_frontend_type == 'civetweb' else 'endpoint' }}={{ instance['radosgw_address'] }}:{{ instance['radosgw_frontend_port'] }} {{ radosgw_frontend_options }}
+{% set _rgw_binding_socket = instance['radosgw_address']|string + ':' + instance['radosgw_frontend_port']|string %}
+{%- macro frontend_line(frontend_type) -%}
+{%- if frontend_type == 'civetweb' -%}
+{{ radosgw_frontend_type }} port={{ _rgw_binding_socket }}{{ 's ssl_certificate='+radosgw_frontend_ssl_certificate if radosgw_frontend_ssl_certificate else '' }}
+{%- elif frontend_type == 'beast' -%}
+{{ radosgw_frontend_type }} {{ 'ssl_' if radosgw_frontend_ssl_certificate else '' }}endpoint={{ _rgw_binding_socket }}{{ ' ssl_certificate='+radosgw_frontend_ssl_certificate if radosgw_frontend_ssl_certificate else '' }}
+{%- endif -%}
+{%- endmacro -%}
+rgw frontends = {{ frontend_line(radosgw_frontend_type) }} {{ radosgw_frontend_options }}
 {% if 'num_threads' not in radosgw_frontend_options %}
 rgw thread pool size = {{ radosgw_thread_pool_size }}
 {% endif %}
diff --git a/roles/ceph-defaults/defaults/main.yml b/roles/ceph-defaults/defaults/main.yml
index 2fd9f9f3c..4a68cc324 100644
--- a/roles/ceph-defaults/defaults/main.yml
+++ b/roles/ceph-defaults/defaults/main.yml
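Review bot: The new `frontend_line` macro emits nothing for any `radosgw_frontend_type` other than `civetweb` or `beast`, so a typo or an unlisted frontend renders `rgw frontends =  {{ radosgw_frontend_options }}` with no frontend name at all, whereas the removed line still produced `<type> endpoint=...` for every non-civetweb value. An `{%- else -%}` branch that either reproduces the old form, `{{ radosgw_frontend_type }} endpoint={{ _rgw_binding_socket }}`, or fails the render loudly would avoid a silently broken ceph.conf. Both branches also splice `radosgw_frontend_ssl_certificate` unquoted into a space-separated option string, so a path containing whitespace would be split by the frontend parser; a one-line comment above the macro stating that the path must contain no spaces would save the next reader a debugging session. On the civetweb side, appending `s` only enables TLS; the protocol-version and cipher options are left at civetweb's defaults, so operators presumably still need to pin them through `radosgw_frontend_options`, which is worth noting in the same comment. The `[client.rgw.*]` section this line belongs to begins outside the hunk.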
@@ -396,11 +396,13 @@ radosgw_frontend_type: beast # For additionnal frontends see: http://docs.ceph.c
 radosgw_civetweb_port: 8080
 radosgw_civetweb_num_threads: 512
 radosgw_civetweb_options: "num_threads={{ radosgw_civetweb_num_threads }}"
-# For additional civetweb configuration options available such as SSL, logging,
+# For additional civetweb configuration options available such as logging,
 # keepalive, and timeout settings, please see the civetweb docs at
 # https://github.com/civetweb/civetweb/blob/master/docs/UserManual.md
 radosgw_frontend_port: "{{ radosgw_civetweb_port if radosgw_frontend_type == 'civetweb' else '8080' }}"
+# The server private key, public certificate and any other CA or intermediate certificates should be in one file, in PEM format.
+radosgw_frontend_ssl_certificate: ""
 radosgw_frontend_options: "{{ radosgw_civetweb_options if radosgw_frontend_type == 'civetweb' else '' }}"
 radosgw_thread_pool_size: 512
diff --git a/roles/ceph-handler/templates/restart_rgw_daemon.sh.j2 b/roles/ceph-handler/templates/restart_rgw_daemon.sh.j2
index b6f58b08b..e78a54102 100644
--- a/roles/ceph-handler/templates/restart_rgw_daemon.sh.j2
+++ b/roles/ceph-handler/templates/restart_rgw_daemon.sh.j2
@@ -5,6 +5,12 @@ DELAY="{{ handler_health_rgw_check_delay }}"
 HOST_NAME="{{ ansible_hostname }}"
 RGW_NUMS={{ radosgw_num_instances }}
 RGW_BASE_PORT={{ radosgw_frontend_port }}
+RGW_FRONTEND_SSL_CERT={{ radosgw_frontend_ssl_certificate }}
+if [ -n "$RGW_FRONTEND_SSL_CERT" ]; then
+  RGW_PROTOCOL=https
+else
+  RGW_PROTOCOL=http
+fi
 declare -a DOCKER_EXECS
 for ((i=0; i<${RGW_NUMS}; i++)); do
   DOCKER_EXECS[i]=""
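Review bot: The comment on `radosgw_frontend_ssl_certificate` says what the PEM must contain but not where it has to live or who must be able to read it; nothing in this commit deploys the file, so it presumably has to already exist at that absolute path on every RGW host, and because it bundles the private key it should be owned by the ceph user with a restrictive mode rather than be world-readable. It is also worth stating that setting the variable switches the frontend to HTTPS only on `radosgw_frontend_port` (the ceph.conf.j2 change in this commit emits `port=...s` / `ssl_endpoint=` and no plain listener), so clients still using HTTP on that port will stop working. Suggested wording: `# Absolute path, present on every RGW host, to a PEM file holding the server private key, the certificate and any CA/intermediate certificates. Keep it readable only by the ceph user (e.g. 0600). When set, the frontend serves HTTPS only on radosgw_frontend_port.`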
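Review bot: `RGW_FRONTEND_SSL_CERT={{ radosgw_frontend_ssl_certificate }}` is the only templated assignment in this hunk whose value is left unquoted, while the neighbouring `HOST_NAME="{{ ansible_hostname }}"` is quoted; a path containing a space or a shell metacharacter would be word-split or interpreted by the shell at that line. Quote it the same way: `RGW_FRONTEND_SSL_CERT="{{ radosgw_frontend_ssl_certificate }}"`. The `-n` test that follows behaves identically for the empty default, so nothing else changes.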
@@ -57,13 +63,13 @@ check_rest() {
   check_for_curl_or_wget ${i}
   local succ=0
   while [ $RETRIES -ne 0 ]; do
-    test "$rgw_test_command http://$RGW_IP:$((RGW_BASE_PORT+i))" && succ=$((succ+1)) && break
+    test "$rgw_test_command $RGW_PROTOCOL://$RGW_IP:$((RGW_BASE_PORT+i))" && succ=$((succ+1)) && break
     sleep $DELAY
     let RETRIES=RETRIES-1
   done
   if [ $succ -ne 1 ]; then
     # If we reach this point, it means there is a problem with the connection to rgw
-    echo "Error connecting locally to Rados Gateway service: http://$rgw_listen"
+    echo "Error connecting locally to Rados Gateway service: $RGW_PROTOCOL://$rgw_listen"
     exit 1
   fi
 }
diff --git a/roles/ceph-rgw/templates/ceph-radosgw.service.j2 b/roles/ceph-rgw/templates/ceph-radosgw.service.j2
index 4b882a863..aa9422aab 100644
--- a/roles/ceph-rgw/templates/ceph-radosgw.service.j2
+++ b/roles/ceph-rgw/templates/ceph-radosgw.service.j2
@@ -32,6 +32,9 @@ ExecStart=/usr/bin/{{ container_binary }} run --rm --net=host \
   {% if ansible_distribution == 'RedHat' -%}
   -v /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:z \
   {% endif -%}
+  {% if radosgw_frontend_ssl_certificate -%}
+  -v {{ radosgw_frontend_ssl_certificate }}:{{ radosgw_frontend_ssl_certificate }}:ro \
+  {% endif -%}
   -e CEPH_DAEMON=RGW \
   -e CLUSTER={{ cluster }} \
   -e RGW_NAME={{ ansible_hostname }}.${INST_NAME} \
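Review bot: Probing `$RGW_PROTOCOL://$RGW_IP:$((RGW_BASE_PORT+i))` over HTTPS means the client now performs certificate verification against an IP-addressed URL, so unless the certificate's SAN lists `$RGW_IP` and its issuer is in the host trust store, `curl`/`wget` will reject the handshake and `check_rest` will report the gateway as down, aborting the restart handler while RGW is actually healthy. `rgw_test_command` is set by `check_for_curl_or_wget` outside this hunk, so I cannot see whether it already disables verification; if it does not, either give the probe the configured bundle (`--cacert "$RGW_FRONTEND_SSL_CERT"`, which only works when the bundle includes the issuing CA) or, since this is a local liveness check and not a trust decision, skip verification explicitly and say so in a comment above the `test` line. The rewritten `echo` still interpolates `$rgw_listen`, which is not assigned anywhere in the hunk; if it is also unset outside it, the message prints an empty host, and `$RGW_IP:$((RGW_BASE_PORT+i))` would be the accurate value.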
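Review bot: The new bind mount hands the container the PEM holding the server private key with only `:ro`, while the adjacent `/etc/pki/ca-trust/extracted` mount carries `:z`; on SELinux-enforcing hosts the radosgw process inside the container will likely be denied read access unless the file is labelled for containers, so `:ro,z` (shared, because several RGW instance units on one host mount the same file) is probably needed — confirm on a RHEL host. The file must also be readable by the UID radosgw runs as inside the image, which nothing in this role arranges; a `0600 root:root` key file would make the daemon fail at start-up rather than at the handler's health check. Finally the path is interpolated twice, unquoted, into a systemd `ExecStart` continuation, so a path with whitespace breaks the unit; a comment on the `{% if %}` line noting that the file must pre-exist, be readable by the ceph user and contain no spaces would document all three constraints. The `ExecStart=` line this belongs to starts before the hunk.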