authortone-zhang <tone.zhang@linaro.org>2017-07-03 05:38:25 +0000
committerYibo Cai <yibo.cai@linaro.org>2017-07-04 04:37:57 +0000
commit391ccb4103e706e4f00c12427ae6513846444fd8 (patch)
treec0d9a10979258de885ee5ec7ebc2e3f9b596d810
parent91a4337f60a7b7909065951506c574b6bdff5ad0 (diff)
Ansible: Enable Ceph rgw role
To support OpenStack object storage with Ceph, the "Ceph rgw" role in ERP reference architecture has been added. In the patch, the object storage is based on Ceph rgw. Change-Id: If3a42d4407fcd963917f50d5b9f0ea16332fba5e
-rw-r--r--ansible/roles/ceph/tasks/main.yml5
-rw-r--r--ansible/roles/ceph/tasks/rgw.yml40
-rw-r--r--ansible/roles/ceph/templates/ceph.conf20
-rw-r--r--ansible/roles/ceph/templates/rgw_keyring5
4 files changed, 70 insertions, 0 deletions
diff --git a/ansible/roles/ceph/tasks/main.yml b/ansible/roles/ceph/tasks/main.yml
index c045800..f3f2dec 100644
--- a/ansible/roles/ceph/tasks/main.yml
+++ b/ansible/roles/ceph/tasks/main.yml
@@ -1,6 +1,9 @@
- name: Install Ceph
package: name=ceph state=present
+- name: Install Ceph rgw
+ package: name=radosgw state=present
+
- name: Copy ceph.conf
template: src=ceph.conf dest=/etc/ceph/
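Review bot: The new `Install Ceph rgw` task has no condition, so every host that applies this role gets the `radosgw` package, while the gateway tasks themselves are gated by `when: "{{rgw}}"` in the second hunk of this file. Mon and osd nodes then carry a network service package they never use. Moving the task into rgw.yml, or adding `when: rgw` to it, keeps the installed footprint limited to the gateway hosts.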
@@ -34,3 +37,5 @@
when: "{{osd}}"}
- {include: mon.yml,
when: "{{mon}}"}
+- {include: rgw.yml,
+ when: "{{rgw}}"}
diff --git a/ansible/roles/ceph/tasks/rgw.yml b/ansible/roles/ceph/tasks/rgw.yml
new file mode 100644
index 0000000..032e7e8
--- /dev/null
+++ b/ansible/roles/ceph/tasks/rgw.yml
@@ -0,0 +1,40 @@
+- name: Create radosgw key
+ template: src=rgw_keyring dest=/etc/ceph/ceph.client.radosgw.{{rgw_host}}.keyring
+
+- name: Authrize the rgw keyring
+ shell: ceph -k /etc/ceph/ceph.client.admin.keyring auth add client.radosgw.{{rgw_host}} -i /etc/ceph/ceph.client.radosgw.{{rgw_host}}.keyring
+ ignore_errors: False
+
+- name: Generate Keystone SSL key
+ shell: keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
+ ignore_errors: False
+
+- name: Create SSL key path in Ceph
+ file:
+ path: /etc/ceph/nss
+ mode: 0775
+ state: directory
+
+- name: Copy ca.pem
+ shell: cp /etc/keystone/ssl/certs/ca.pem /etc/ceph/nss/ca.pem
+ ignore_errors: False
+
+- name: Copy signing_cert.pem
+ shell: cp /etc/keystone/ssl/certs/signing_cert.pem /etc/ceph/nss/signing_cert.pem
+ ignore_errors: False
+
+- name: Install libnss3-tools
+ apt:
+ name: libnss3-tools
+ state: present
+
+- name: Synchronize Keystone SSL key with Ceph rgw step1
+ shell: openssl x509 -in /etc/ceph/nss/ca.pem -pubkey | certutil -d /etc/ceph/nss -A -n ca -t "TCu,Cu,Tuw"
+ ignore_errors: False
+
+- name: Synchronize Keystone SSL key with Ceph rgw step2
+ shell: openssl x509 -in /etc/ceph/nss/signing_cert.pem -pubkey | certutil -A -d /etc/ceph/nss -n signing_cert -t "P,P,P"
+ ignore_errors: False
+
+- name: Enable Ceph rgw service and running
+ service: name=radosgw.service enabled=yes state=started
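Review bot: The `Create radosgw key` task at the top of rgw.yml writes a Ceph secret key without `owner` or `mode`, so the keyring gets whatever the default umask gives, which is usually world-readable. I would write it as `template: src=rgw_keyring dest=/etc/ceph/ceph.client.radosgw.{{rgw_host}}.keyring mode=0600`, with the owner set to the account radosgw runs as. The `Create SSL key path in Ceph` task has a related problem: `mode: 0775` leaves the directory holding the NSS trust database group-writable, and `0755` appears to be enough for the tasks shown. The two `cp` tasks could use the `copy` module with an explicit `mode` instead of `shell`, and the `ignore_errors: False` lines only restate the default.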
diff --git a/ansible/roles/ceph/templates/ceph.conf b/ansible/roles/ceph/templates/ceph.conf
index 65f0be2..bb0dcaf 100644
--- a/ansible/roles/ceph/templates/ceph.conf
+++ b/ansible/roles/ceph/templates/ceph.conf
@@ -23,3 +23,23 @@ keyring = /etc/ceph/ceph.client.nova.keyring
[client.cinder]
keyring = /etc/ceph/ceph.client.cinder.keyring
+
+[client.radosgw.{{rgw_host}}]
+host={{rgw_host}}
+keyring=/etc/ceph/ceph.client.radosgw.{{rgw_host}}.keyring
+rgw socket path=/tmp/radosgw.sock
+log file=/var/log/ceph/radosgw.{{rgw_host}}.log
+rgw dns name={{rgw_host}}
+rgw keystone url=http://{{keystone_host}}:5000
+rgw keystone api version=3
+rgw keystone admin user={{swift_user}}
+rgw keystone admin password={{swift_pass}}
+rgw keystone admin domain=default
+rgw keystone admin project=service
+rgw keystone accepted roles=SwiftOperator,admin,anotherrole,ResellerAdmin,service,_member_,Member
+rgw keystone token cache size=4096
+rgw keystone revocation interval=2
+rgw keystone implicit tenants=true
+rgw s3 auth use keystone=true
+rgw keystone verify ssl=false
+nss db path=/etc/ceph/nss
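Review bot: The `rgw keystone admin password={{swift_pass}}` line puts the Keystone service password into ceph.conf, which the `Copy ceph.conf` task in main.yml renders on every host of the role and without a `mode`. The credential therefore also lands on mon and osd nodes and is probably readable by any local user; wrapping this section in a Jinja condition on `rgw`, or restricting the file mode, would contain it. The password is then used against `rgw keystone url=http://{{keystone_host}}:5000` with `rgw keystone verify ssl=false`, so it and the resulting tokens travel unencrypted, and a later move to https would still not authenticate Keystone; I would default to an `https://` URL and `rgw keystone verify ssl=true`. `rgw socket path=/tmp/radosgw.sock` puts the gateway socket in a world-writable directory where another local user could pre-create the path, so a location under `/var/run/ceph/` is safer. `anotherrole` in `rgw keystone accepted roles` looks like a placeholder carried over from an example and should be dropped unless that role really exists.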
diff --git a/ansible/roles/ceph/templates/rgw_keyring b/ansible/roles/ceph/templates/rgw_keyring
new file mode 100644
index 0000000..53fb0ca
--- /dev/null
+++ b/ansible/roles/ceph/templates/rgw_keyring
@@ -0,0 +1,5 @@
+[client.radosgw.{{rgw_host}}]
+ key = {{ceph_admin_pass}}
+ caps mds = "allow *"
+ caps mon = "allow *"
+ caps osd = "allow *"
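Review bot: The gateway identity is granted `allow *` on mds, mon and osd, and its `key` is filled from `{{ceph_admin_pass}}`, which by its name appears to be the cluster admin secret. If so, a compromise of the network-facing rgw host is equivalent to a compromise of client.admin. radosgw does not need mds access or unrestricted mon/osd capabilities; the upstream gateway setup uses `caps mon = "allow rwx"` and `caps osd = "allow rwx"` with a key generated for this client alone. I would introduce a separate variable for the rgw key and remove the `caps mds` line.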