
Using radosgw as a drop-in replacement for Swift

OpenStack-Ansible gives you the option of deploying radosgw as a drop-in replacement for native OpenStack Swift.

In particular, the ceph-rgw-install.yml playbook (which includes ceph-rgw-keystone-setup.yml) deploys radosgw to any ceph-rgw hosts and creates the corresponding Keystone object-store service catalog entry. The service endpoints carry the AUTH_%(tenant_id)s prefix just as native Swift's do, so every object URL is scoped to a project account, and public-read ACLs and temp URLs work exactly as they do in Swift.
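As an added example (not code from OpenStack-Ansible or Ceph), the following Python shows what that prefix means for temp URLs: the signature covers the full object path including the AUTH_<project id> segment, so a URL signed for one account path cannot be replayed against another, and the server-side check rejects expired or altered URLs. The endpoint, project id and temp-url key are constructed placeholders.

```python
"""Swift-style temp URLs against a radosgw object-store endpoint.

Added example, not code from OpenStack-Ansible or Ceph. The endpoint,
project id and temp-url key are constructed placeholders.
"""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed: the object-store endpoint as registered in Keystone, with the
# AUTH_%(tenant_id)s template already filled in for one project, plus the
# account's X-Account-Meta-Temp-URL-Key.
ENDPOINT = "https://rgw.example.com:443/swift/v1/AUTH_0123456789abcdef0123456789abcdef"
TEMP_URL_KEY = b"constructed-temp-url-key"


def make_temp_url(endpoint, container, obj, key, method="GET", expires_in=600, now=None):
    """Build a temp URL the way a Swift client does.

    The HMAC covers "METHOD\\nEXPIRES\\nPATH", where PATH is the full object
    path as the server sees it, AUTH_ account segment included. Swift's
    classic form is HMAC-SHA1 in hex, which radosgw's Swift API accepts too.
    """
    now = int(time.time()) if now is None else int(now)
    expires = now + expires_in
    parts = urlsplit(endpoint)
    path = f"{parts.path}/{container}/{obj}"
    body = f"{method}\n{expires}\n{path}".encode()
    sig = hmac.new(key, body, hashlib.sha1).hexdigest()
    query = urlencode({"temp_url_sig": sig, "temp_url_expires": expires})
    return f"{parts.scheme}://{parts.netloc}{path}?{query}"


def verify_temp_url(url, key, method="GET", now=None):
    """Server-side check, mirroring what Swift and radosgw do on request.

    Rejects a missing or malformed signature, an expiry in the past, and any
    change to method or path (container, object or account segment).
    """
    now = int(time.time()) if now is None else int(now)
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    try:
        sig = qs["temp_url_sig"][0]
        expires = int(qs["temp_url_expires"][0])
    except (KeyError, IndexError, ValueError):
        return False
    if expires <= now:
        return False
    body = f"{method}\n{expires}\n{parts.path}".encode()
    expected = hmac.new(key, body, hashlib.sha1).hexdigest()
    return hmac.compare_digest(sig, expected)


if __name__ == "__main__":
    url = make_temp_url(ENDPOINT, "backups", "db.tar.gz", TEMP_URL_KEY)
    print(url)
    print("valid:", verify_temp_url(url, TEMP_URL_KEY))
    # The same signature presented against another project's account path fails.
    other = url.replace("AUTH_0123456789abcdef0123456789abcdef",
                        "AUTH_ffffffffffffffffffffffffffffffff")
    print("replayed against another account:", verify_temp_url(other, TEMP_URL_KEY))
```

Because the account segment is part of the signed path, granting a temp URL never leaks access beyond the one object in the one project it was minted for; the same property holds for radosgw only because OSA registers the endpoint with the AUTH_ prefix.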

By default, OSA enables only the Swift API in radosgw.

Adding S3 API support

You may also want to enable the radosgw S3 API alongside the Swift API. To do so, override the ceph_conf_overrides_rgw variable in user_variables.yml. Below is an example configuration snippet:

Note

The snippet below reproduces the overrides that OSA applies to the ceph-rgw group by default; the S3 API is controlled by the rgw_enable_apis and rgw_s3_auth_use_keystone keys. A definition in user_variables.yml replaces the group default rather than merging into it, so carry the Keystone keys over as well. With rgw_s3_auth_use_keystone set, S3 requests are authenticated against Keystone EC2 credentials (openstack ec2 credentials create) rather than radosgw-local users.

---
ceph_conf_overrides_rgw: |-
  {{
    {
      'client.rgw.' ~ hostvars[inventory_hostname]['ansible_facts']['hostname'] ~ '.rgw0': {
        'rgw_keystone_url': keystone_service_adminuri,
        'rgw_keystone_api_version': 3,
        'rgw_keystone_admin_user': radosgw_admin_user,
        'rgw_keystone_admin_password': radosgw_admin_password,
        'rgw_keystone_admin_project': radosgw_admin_tenant,
        'rgw_keystone_admin_domain': 'default',
        'rgw_keystone_accepted_roles': 'member, admin, swiftoperator',
        'rgw_keystone_implicit_tenants': 'true',
        'rgw_swift_account_in_url': 'true',
        'rgw_swift_versioning_enabled': 'true',
        'rgw_enable_apis': 'swift, s3',
        'rgw_s3_auth_use_keystone': 'true'
      }
    }
  }}

###
### Backend TLS
###

# Ceph configuration options to enable TLS on ceph-rgw
radosgw_frontend_ssl_certificate: "{{ ceph_rgw_backend_ssl is truthy | ternary(ceph_rgw_ssl_cert, '') }}"
# Ceph-ansible expects the private key to be bundled into
# `radosgw_frontend_ssl_certificate`, which ansible-role-pki cannot produce.
# That is why `ssl_private_key` is passed separately via `radosgw_frontend_options`.
radosgw_frontend_options: "{{ ceph_rgw_backend_ssl is truthy | ternary('ssl_private_key=' + ceph_rgw_ssl_key, '') }}"

# Define if communication between haproxy and service backends should be
# encrypted with TLS.
ceph_rgw_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"

# Storage location for SSL certificate authority
ceph_rgw_pki_dir: "{{ openstack_pki_dir | default('/etc/openstack_deploy/pki') }}"

# Delegated host for operating the certificate authority
ceph_rgw_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"

# ceph_rgw server certificate
ceph_rgw_pki_keys_path: "{{ ceph_rgw_pki_dir ~ '/certs/private/' }}"
ceph_rgw_pki_certs_path: "{{ ceph_rgw_pki_dir ~ '/certs/certs/' }}"
ceph_rgw_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('ExampleCorpIntermediate') }}"
ceph_rgw_pki_regen_cert: ''
ceph_rgw_pki_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}"
ceph_rgw_pki_certificates:
  - name: "ceph_rgw_{{ ansible_facts['hostname'] }}"
    provider: ownca
    cn: "{{ ansible_facts['hostname'] }}"
    san: "{{ ceph_rgw_pki_san }}"
    signed_by: "{{ ceph_rgw_pki_intermediate_cert_name }}"

# ceph_rgw destination files for SSL certificates
ceph_rgw_ssl_cert: /etc/ceph/ceph-rgw.pem
ceph_rgw_ssl_key: /etc/ceph/ceph-rgw.key

# Installation details for SSL certificates
ceph_rgw_pki_install_certificates:
  - src: "{{ ceph_rgw_user_ssl_cert | default(ceph_rgw_pki_certs_path ~ 'ceph_rgw_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
    dest: "{{ ceph_rgw_ssl_cert }}"
    owner: "ceph"
    group: "ceph"
    mode: "0644"
  - src: "{{ ceph_rgw_user_ssl_key | default(ceph_rgw_pki_keys_path ~ 'ceph_rgw_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
    dest: "{{ ceph_rgw_ssl_key }}"
    owner: "ceph"
    group: "ceph"
    mode: "0600"

# Define user-provided SSL certificates
#ceph_rgw_user_ssl_cert: <path to cert on ansible deployment host>
#ceph_rgw_user_ssl_key: <path to key on ansible deployment host>

To use virtual-hosted-style bucket names with the S3 API (bucket.<rgw_dns_name>), also add the rgw_dns_name option to the same override.
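To see what rgw_s3_auth_use_keystone means for clients, here is an added example (not OSA, Ceph or Keystone code) that signs an S3 ListBuckets request with AWS Signature Version 4 using a Keystone EC2 credential pair of the kind created with openstack ec2 credentials create. radosgw hands the credential scope, string to sign and signature to Keystone's /v3/s3tokens API, which recomputes the signature with the stored secret, so the access key in the Credential field must be the EC2 credential's access value. The endpoint, keys and region string are constructed placeholders.

```python
"""AWS SigV4 signing for an S3 request to radosgw with Keystone-backed auth.

Added example, not code from OpenStack-Ansible, Ceph or Keystone. Endpoint,
credentials and region are constructed placeholders.
"""
import datetime
import hashlib
import hmac
import urllib.request
from urllib.parse import urlsplit

# Constructed: the S3 endpoint published by haproxy in front of radosgw, and
# an EC2 credential pair from `openstack ec2 credentials create`. With
# rgw_s3_auth_use_keystone the access key is the EC2 credential "access"
# value, not a radosgw-local user.
S3_ENDPOINT = "https://rgw.example.com:443"
ACCESS_KEY = "0123456789abcdef0123456789abcdef"
SECRET_KEY = "constructed-ec2-secret-do-not-use"
# Region string placed in the credential scope (constructed). The signing key
# is derived from whatever scope the request declares, so it only has to be
# consistent between client and verifier.
REGION = "default"


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_v4(method, endpoint, path, headers, access_key, secret_key, region, amz_date, payload=b""):
    """Return (signed_headers_dict, canonical_request).

    amz_date is "YYYYMMDDTHHMMSSZ". Host, x-amz-date and x-amz-content-sha256
    are always signed; any extra headers passed in are signed as well. If the
    verifier's recomputed signature differs (other path, date, payload or
    secret) the request is rejected, which is the tamper and replay
    protection the scheme provides.
    """
    host = urlsplit(endpoint).netloc
    date_stamp = amz_date[:8]
    payload_hash = hashlib.sha256(payload).hexdigest()
    hdrs = {k.lower(): v.strip() for k, v in headers.items()}
    hdrs.update({"host": host, "x-amz-date": amz_date, "x-amz-content-sha256": payload_hash})
    signed_headers = ";".join(sorted(hdrs))
    canonical_headers = "".join(f"{k}:{hdrs[k]}\n" for k in sorted(hdrs))
    # Canonical query string is empty for GET / (ListBuckets).
    canonical_request = "\n".join([method, path, "", canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    # Signing key derivation: HMAC chain over date, region, service, terminator.
    k_date = _hmac_sha256(("AWS4" + secret_key).encode(), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, "s3")
    k_signing = _hmac_sha256(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    hdrs["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return hdrs, canonical_request


def list_buckets(endpoint=S3_ENDPOINT, access_key=ACCESS_KEY, secret_key=SECRET_KEY, region=REGION):
    """Send a signed ListBuckets (GET /) to the live endpoint; needs network."""
    amz_date = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    hdrs, _ = sign_v4("GET", endpoint, "/", {}, access_key, secret_key, region, amz_date)
    req = urllib.request.Request(endpoint + "/", headers=hdrs, method="GET")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    status, body = list_buckets()
    print(status)
    print(body)
```

A 403 with SignatureDoesNotMatch from this request usually means the EC2 credential belongs to a project whose user lacks one of the rgw_keystone_accepted_roles, or that rgw_s3_auth_use_keystone is not set and radosgw looked for a local user instead.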