Fix ceph 9 RGW deployment

rgw_frontend_ssl_certificate has been deprecated in ceph8 and in ceph9 doesn't
work properly anymore. There's a new way of setting both cert and key when ssl
is used and is fully documented in [1].
This patch still preserves the old way of deploying rgw through a new var used
to execute the old code. When "rgw_ssl_backward_compatibility" is set,
the old facts are set, resulting in populating the old variables, otherwise
the new method based on ssl_cert and ssl_key is applied.

[1] https://docs.ceph.com/en/latest/cephadm/services/rgw/

Signed-off-by: Francesco Pantano <[email protected]>

Author: fmount

roles/cifmw_cephadm/README.md

@@ -103,6 +103,11 @@ that they do not need to be changed for a typical EDPM deployment.
 * `cifmw_cephadm_config_key_set_ssl_option`: Optional colon separated
   list of SSL context options (default: `no_sslv2:sslv3:no_tlsv1:no_tlsv1_1`)
 
+* `cifmw_rgw_ssl_backward_compatibility`: This option is true by default
+  because this role is able to manage older Ceph releases (starting from
+  Squid). Set it to false if the target Ceph release is equal to or greater
+  than Tentacle.
+
 Use the `cifmw_cephadm_pools` list of dictionaries to define pools for
 Nova (vms), Cinder (volumes), Cinder-backups (backups), and Glance (images).
 ```

roles/cifmw_cephadm/defaults/main.yml

@@ -153,3 +153,6 @@ cifmw_cephadm_wait_install_retries: 8
 cifmw_cephadm_wait_install_delay: 15
 cifmw_cephadm_rgw_ingress_service_name: "ingress.rgw.default"
 cifmw_cephadm_rgw_ingress_service_id: "rgw.default"
+# set ssl_backward compatibily to False if ceph version is equal or greater
+# than Tentacle
+cifmw_rgw_ssl_backward_compatibility: true

roles/cifmw_cephadm/tasks/rgw.yml

@@ -56,10 +56,11 @@
       ansible.builtin.slurp:
         src: "{{ cifmw_cephadm_key }}"
 
-    - name: Set rgw_frontend_cert to cert/key concatenation
+    - name: Set SSL cert/key variables based on rgw_compatibility mode
       ansible.builtin.set_fact:
-        rgw_frontend_cert: "{{ slurp_cert['content'] | b64decode ~
-                               slurp_key['content'] | b64decode }}"
+        rgw_frontend_cert: "{{ (slurp_cert['content'] | b64decode ~ slurp_key['content'] | b64decode) if cifmw_rgw_ssl_backward_compatibility else omit }}"
+        rgw_ssl_cert: "{{ slurp_cert['content'] | b64decode if not cifmw_rgw_ssl_backward_compatibility else omit }}"
+        rgw_ssl_key: "{{ slurp_key['content'] | b64decode if not cifmw_rgw_ssl_backward_compatibility else omit }}"
 
 - name: Create a Ceph RGW spec
   ansible.builtin.template:

roles/cifmw_cephadm/templates/ceph_rgw.yml.j2

@@ -11,11 +11,19 @@ networks:
 - {{ cifmw_cephadm_rgw_network }}
 spec:
   rgw_frontend_port: 8082
-{% if rgw_frontend_cert is defined %}
+{% if rgw_frontend_cert is defined and cifmw_rgw_ssl_backward_compatibility %}
   ssl: true
   rgw_frontend_ssl_certificate: |
     {{ rgw_frontend_cert | indent( width=4 ) }}
 {% endif %}
+{% if rgw_ssl_cert is defined %}
+  ssl: true
+  certificate_source: inline
+  ssl_cert: |-
+    {{ rgw_ssl_cert | indent( width=4 ) }}
+  ssl_key: |-
+    {{ rgw_ssl_key | indent( width=4 ) }}
+{% endif %}
 ---
 {% if _hosts|length > 1 %}
   service_type: ingress
@@ -28,8 +36,15 @@ spec:
     virtual_interface_networks:
     - {{ cifmw_cephadm_rgw_network }}
     virtual_ip: {{ cifmw_cephadm_rgw_vip }}/{{ cidr }}
-{% if rgw_frontend_cert is defined %}
+{% if rgw_frontend_cert is defined and cifmw_rgw_ssl_backward_compatibility %}
     ssl_cert: |
       {{ rgw_frontend_cert | indent( width=6 ) }}
 {% endif %}
+{% if rgw_ssl_cert is defined %}
+    ssl: true
+    ssl_cert: |-
+      {{ rgw_ssl_cert | indent( width=6 ) }}
+    ssl_key: |-
+      {{ rgw_ssl_key | indent( width=6 ) }}
+{% endif %}
 {% endif %}