diff --git a/roles/cifmw_cephadm/README.md b/roles/cifmw_cephadm/README.md index bd940e9ecc..368af7ca40 100644 --- a/roles/cifmw_cephadm/README.md +++ b/roles/cifmw_cephadm/README.md @@ -103,6 +103,11 @@ that they do not need to be changed for a typical EDPM deployment. * `cifmw_cephadm_config_key_set_ssl_option`: Optional colon separated list of SSL context options (default: `no_sslv2:sslv3:no_tlsv1:no_tlsv1_1`) +* `cifmw_rgw_ssl_backward_compatibility`: This option is true by default + because this role is able to manage older Ceph releases (starting from + Squid). Set it to false if the target Ceph release is equal to or greater + than Tentacle. + Use the `cifmw_cephadm_pools` list of dictionaries to define pools for Nova (vms), Cinder (volumes), Cinder-backups (backups), and Glance (images). ``` diff --git a/roles/cifmw_cephadm/defaults/main.yml b/roles/cifmw_cephadm/defaults/main.yml index 5e049aeca7..c407da07a3 100644 --- a/roles/cifmw_cephadm/defaults/main.yml +++ b/roles/cifmw_cephadm/defaults/main.yml @@ -153,3 +153,6 @@ cifmw_cephadm_wait_install_retries: 8 cifmw_cephadm_wait_install_delay: 15 cifmw_cephadm_rgw_ingress_service_name: "ingress.rgw.default" cifmw_cephadm_rgw_ingress_service_id: "rgw.default" +# set ssl_backward compatibily to False if ceph version is equal or greater +# than Tentacle +cifmw_rgw_ssl_backward_compatibility: true diff --git a/roles/cifmw_cephadm/tasks/rgw.yml b/roles/cifmw_cephadm/tasks/rgw.yml index 2135d76eed..8fe6d89aa3 100644 --- a/roles/cifmw_cephadm/tasks/rgw.yml +++ b/roles/cifmw_cephadm/tasks/rgw.yml 
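Review bot: The new default `cifmw_rgw_ssl_backward_compatibility` breaks the `cifmw_cephadm_` prefix that every other variable in this defaults block carries (compare the adjacent `cifmw_cephadm_rgw_ingress_service_id`), which makes it harder to find with a grep on the role prefix and easy to mistake for another role's variable; `cifmw_cephadm_rgw_ssl_backward_compatibility` would match the convention. The comment above it has a typo ("compatibily"), refers to `False` although the YAML value is `false`, and does not say what the `true` default actually selects. Suggested comment: `# Set to false when the target Ceph release is Tentacle or newer; true keeps the` / `# legacy rgw_frontend_ssl_certificate format (cert and key concatenated in one blob).`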
@@ -56,10 +56,11 @@ ansible.builtin.slurp: src: "{{ cifmw_cephadm_key }}" - - name: Set rgw_frontend_cert to cert/key concatenation + - name: Set SSL cert/key variables based on rgw_compatibility mode ansible.builtin.set_fact: - rgw_frontend_cert: "{{ slurp_cert['content'] | b64decode ~ - slurp_key['content'] | b64decode }}" + rgw_frontend_cert: "{{ (slurp_cert['content'] | b64decode ~ slurp_key['content'] | b64decode) if cifmw_rgw_ssl_backward_compatibility else omit }}" + rgw_ssl_cert: "{{ slurp_cert['content'] | b64decode if not cifmw_rgw_ssl_backward_compatibility else omit }}" + rgw_ssl_key: "{{ slurp_key['content'] | b64decode if not cifmw_rgw_ssl_backward_compatibility else omit }}" - name: Create a Ceph RGW spec ansible.builtin.template: diff --git a/roles/cifmw_cephadm/templates/ceph_rgw.yml.j2 b/roles/cifmw_cephadm/templates/ceph_rgw.yml.j2 index 76ba5ee265..81a7f51e30 100644 --- a/roles/cifmw_cephadm/templates/ceph_rgw.yml.j2 +++ b/roles/cifmw_cephadm/templates/ceph_rgw.yml.j2 @@ -11,11 +11,19 @@ networks: - {{ cifmw_cephadm_rgw_network }} spec: rgw_frontend_port: 8082 -{% if rgw_frontend_cert is defined %} +{% if rgw_frontend_cert is defined and cifmw_rgw_ssl_backward_compatibility %} ssl: true rgw_frontend_ssl_certificate: | {{ rgw_frontend_cert | indent( width=4 ) }} {% endif %} +{% if rgw_ssl_cert is defined %} + ssl: true + certificate_source: inline + ssl_cert: |- + {{ rgw_ssl_cert | indent( width=4 ) }} + ssl_key: |- + {{ rgw_ssl_key | indent( width=4 ) }} +{% endif %} --- {% if _hosts|length > 1 %} service_type: ingress 
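Review bot: The `set_fact` task now stores the decoded private key in `rgw_ssl_key` (and still in the concatenated `rgw_frontend_cert`) but carries no `no_log: true`, so the key material is part of the task result and shows up in verbose output and in any callback or logging plugin that records results; add `no_log: true` to this task (the slurp of `cifmw_cephadm_key` just above registers the same material base64-encoded and wants the same). The spec rendered by the `Create a Ceph RGW spec` task, whose body lies outside the hunk, will now contain the key inline as well, so that task should write the file with a restrictive `mode: "0600"` if it does not already. The `else omit` branches depend on Ansible dropping the omit placeholder from `set_fact` arguments so the unused fact stays undefined, which current Ansible does, but a fact left over from an earlier run in the other mode would still be defined, which is a reason to make the template guards mutually exclusive rather than rely on `is defined` alone. Finally, the three new expressions run well past 120 columns; the removed lines show the `~` continuation style this file already used for the same expression.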
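Review bot: The two SSL branches in the rgw service spec are not mutually exclusive: the legacy block requires `rgw_frontend_cert is defined and cifmw_rgw_ssl_backward_compatibility`, while the new block only checks `rgw_ssl_cert is defined`, so if both facts are defined (for example, facts cached from a run in the other mode) both render and the `spec` mapping gets `ssl: true` twice, which YAML loaders either reject or resolve silently with last-wins. Tie the second block to the mode and guard the key it dereferences: `{% elif rgw_ssl_cert is defined and rgw_ssl_key is defined and not cifmw_rgw_ssl_backward_compatibility %}`, dropping the `{% endif %}` that currently separates the two blocks. Whether `certificate_source: inline` and the split `ssl_cert`/`ssl_key` fields are accepted by the target cephadm release is not visible here; a one-line comment above the block naming the release that introduced them (Tentacle, per the README hunk) would spare the next maintainer the archaeology.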
@@ -28,8 +36,15 @@ spec:
 virtual_interface_networks:
 - {{ cifmw_cephadm_rgw_network }}
 virtual_ip: {{ cifmw_cephadm_rgw_vip }}/{{ cidr }}
-{% if rgw_frontend_cert is defined %}
+{% if rgw_frontend_cert is defined and cifmw_rgw_ssl_backward_compatibility %}
 ssl_cert: |
 {{ rgw_frontend_cert | indent( width=6 ) }}
 {% endif %}
+{% if rgw_ssl_cert is defined %}
+ ssl: true
+ ssl_cert: |-
+ {{ rgw_ssl_cert | indent( width=6 ) }}
+ ssl_key: |-
+ {{ rgw_ssl_key | indent( width=6 ) }}
+{% endif %}
 {% endif %}
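Review bot: As in the rgw service spec, the new ingress block is guarded only by `rgw_ssl_cert is defined` while the legacy block also requires `cifmw_rgw_ssl_backward_compatibility`, so with both facts defined the two blocks render together and the ingress `spec` ends up with two `ssl_cert` keys; replace the second `{% if %}` with `{% elif rgw_ssl_cert is defined and rgw_ssl_key is defined and not cifmw_rgw_ssl_backward_compatibility %}` and drop the intervening `{% endif %}`. The legacy branch hands the ingress one cert+key bundle and no `ssl: true`, whereas the new branch adds `ssl: true` plus a separate `ssl_key`; a one-line comment stating which ingress spec schema each branch targets would make that asymmetry read as deliberate. The new branch also uses `|-`, stripping the PEM's trailing newline, where the legacy branch keeps it with `|`; if that difference is intentional a short comment saying why would help, otherwise `|` keeps the two branches consistent.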