Sign upLogin

crowbar/crowbar-ceph

View on GitHub
Star
chef/cookbooks/ceph/recipes/radosgw_keystone.rb

Summary

Maintainability
A
1 hr
Test Coverage
# Ceph integration with Keystone

# Keystone itself needs to be configured to point to the Ceph Object Gateway as an object-storage endpoint:
keystone_settings = KeystoneHelper.keystone_settings(node, @cookbook_name)
register_auth_hash = { user: keystone_settings["admin_user"],
                       password: keystone_settings["admin_password"],
                       domain: keystone_settings["admin_domain"],
                       project: keystone_settings["admin_project"] }

crowbar_pacemaker_sync_mark "wait-radosgw_register"

keystone_register "radosgw wakeup keystone" do
  protocol keystone_settings["protocol"]
  insecure keystone_settings["insecure"]
  host keystone_settings["internal_url_host"]
  port keystone_settings["admin_port"]
  auth register_auth_hash
  action :wakeup
end

keystone_register "register ceph user" do
  protocol keystone_settings["protocol"]
  insecure keystone_settings["insecure"]
  host keystone_settings["internal_url_host"]
  port keystone_settings["admin_port"]
  auth register_auth_hash
  user_name keystone_settings["service_user"]
  user_password keystone_settings["service_password"]
  project_name keystone_settings["service_tenant"]
  action :add_user
end

keystone_register "give ceph user access" do
  protocol keystone_settings["protocol"]
  insecure keystone_settings["insecure"]
  host keystone_settings["internal_url_host"]
  port keystone_settings["admin_port"]
  auth register_auth_hash
  user_name keystone_settings["service_user"]
  project_name keystone_settings["service_tenant"]
  role_name "admin"
  action :add_access
end

role = "ResellerAdmin"
keystone_register "add #{role} role" do
  protocol keystone_settings["protocol"]
  insecure keystone_settings["insecure"]
  host keystone_settings["internal_url_host"]
  port keystone_settings["admin_port"]
  auth register_auth_hash
  role_name role
  action :add_role
end

# keystone service-create --name swift --type object-store
keystone_register "register swift service" do
  protocol keystone_settings["protocol"]
  insecure keystone_settings["insecure"]
  host keystone_settings["internal_url_host"]
  port keystone_settings["admin_port"]
  auth register_auth_hash
  service_name "swift"
  service_type "object-store"
  service_description "Openstack Swift Object Store Service API provided by RADOS Gateway"
  action :add_service
end

# keystone endpoint-create --service-id <id> --publicurl http://radosgw.example.com/swift/v1 \
# --internalurl http://radosgw.example.com/swift/v1 --adminurl http://radosgw.example.com/swift/v1

if node[:ceph][:radosgw][:ssl][:enabled]
  protocol      = "https"
  port          = node["ceph"]["radosgw"]["rgw_port_ssl"]
else
  protocol      = "http"
  port          = node["ceph"]["radosgw"]["rgw_port"]
end
ha_enabled      = node[:ceph][:ha][:radosgw][:enabled]

admin_host = CrowbarHelper.get_host_for_admin_url(node, ha_enabled)
public_host = CrowbarHelper.get_host_for_public_url(node, protocol == "https", ha_enabled)

keystone_register "register radosgw endpoint" do
  protocol keystone_settings["protocol"]
  insecure keystone_settings["insecure"]
  host keystone_settings["internal_url_host"]
  port keystone_settings["admin_port"]
  auth register_auth_hash
  endpoint_service "swift"
  endpoint_region keystone_settings["endpoint_region"]
  endpoint_publicURL "#{protocol}://#{public_host}:#{port}/swift/v1"
  endpoint_adminURL "#{protocol}://#{admin_host}:#{port}/swift/v1"
  endpoint_internalURL "#{protocol}://#{admin_host}:#{port}/swift/v1"
  action :add_endpoint
end

crowbar_pacemaker_sync_mark "create-radosgw_register"

# Convert OpenSSL certificates that Keystone uses for creating the requests to the nss db format
# See http://ceph.com/docs/master/radosgw/keystone/
package "mozilla-nss-tools"

nss_dir = node["ceph"]["radosgw"]["nss_directory"]

directory nss_dir do
  owner node[:apache][:user]
  group node[:apache][:group]
  mode "0755"
  action :create
end

keystone_node = search_env_filtered(:node, "roles:keystone-server
  AND keystone_certificates_content:*").first

if !keystone_node.nil?
  file "#{nss_dir}/keystone_ca.pem" do
    content keystone_node[:keystone][:certificates][:content][:ca]
  end

  bash "convert signing ca certificate to nss db format" do
    code <<-EOH
openssl x509 -in #{nss_dir}/keystone_ca.pem -pubkey | certutil -d #{nss_dir} -A -n ca -t 'TCu,Cu,Tuw'
chown #{node[:apache][:user]}:#{node[:apache][:group]} #{nss_dir}/*.db
    EOH
    subscribes :run, "file[#{nss_dir}/keystone_ca.pem]"
  end

  file "#{nss_dir}/keystone_signing_cert.pem" do
    content keystone_node[:keystone][:certificates][:content][:signing_cert]
  end

  bash "convert signing certificate to nss db format" do
    code <<-EOH
openssl x509 -in #{nss_dir}/keystone_signing_cert.pem -pubkey | certutil -A -d #{nss_dir} -n signing_cert -t 'P,P,P'
chown #{node[:apache][:user]}:#{node[:apache][:group]} #{nss_dir}/*.db
    EOH
    subscribes :run, "file[#{nss_dir}/keystone_signing_cert.pem]"
  end
end