Using radosgw as a drop-in replacement for Swift
OpenStack-Ansible gives you the option of deploying radosgw as a drop-in replacement for native OpenStack Swift.
In particular, the ceph-rgw-install.yml playbook (which includes ceph-rgw-keystone-setup.yml) will deploy radosgw to any ceph-rgw hosts, and create a corresponding Keystone object-store service catalog entry. The service endpoints do contain the AUTH_%(tenant_id)s prefix just like in native Swift, so public read ACLs and temp URLs will work just like they do in Swift.
By default, OSA enables only the Swift API in radosgw.
Adding S3 API support
You may want to enable the default radosgw S3 API in addition to the Swift API. To do so, you need to override the ceph_conf_overrides_rgw variable in user_variables.yml. Below is an example configuration snippet:
Note
The overrides shown below are the defaults and are applied to the ceph-rgw group.
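---
# Example user_variables.yml overrides for the ceph-rgw group.
#
# The block scalar below is a Jinja expression that renders a dict of rgw
# options under the per-host 'client.rgw.<hostname>.rgw0' section. It wires
# radosgw authentication to Keystone, enables the S3 API next to Swift
# ('rgw_enable_apis') and lets S3 requests authenticate through Keystone
# ('rgw_s3_auth_use_keystone'). Credentials are referenced as variables
# (radosgw_admin_user / radosgw_admin_password) rather than written here.
# Note: '#' lines inside the block scalar would become part of the value,
# so all commentary stays above the key.
ceph_conf_overrides_rgw: |-
  {{
    {
      'client.rgw.' ~ hostvars[inventory_hostname]['ansible_facts']['hostname'] ~ '.rgw0': {
        'rgw_keystone_url': keystone_service_adminuri,
        'rgw_keystone_api_version': 3,
        'rgw_keystone_admin_user': radosgw_admin_user,
        'rgw_keystone_admin_password': radosgw_admin_password,
        'rgw_keystone_admin_project': radosgw_admin_tenant,
        'rgw_keystone_admin_domain': 'default',
        'rgw_keystone_accepted_roles': 'member, admin, swiftoperator',
        'rgw_keystone_implicit_tenants': 'true',
        'rgw_swift_account_in_url': 'true',
        'rgw_swift_versioning_enabled': 'true',
        'rgw_enable_apis': 'swift, s3',
        'rgw_s3_auth_use_keystone': 'true'
      }
    }
  }}

###
### Backend TLS
###
# Ceph configuration options to enable TLS on ceph-rgw. Both values render
# to an empty string (TLS off) unless ceph_rgw_backend_ssl is truthy.
radosgw_frontend_ssl_certificate: "{{ ceph_rgw_backend_ssl is truthy | ternary(ceph_rgw_ssl_cert, '') }}"
# Ceph-ansible expects the private key to be bundled into
# `radosgw_frontend_ssl_certificate`, which is not possible with
# ansible-role-pki. That is why `ssl_private_key` is passed via
# `radosgw_frontend_options` instead.
radosgw_frontend_options: "{{ ceph_rgw_backend_ssl is truthy | ternary('ssl_private_key=' + ceph_rgw_ssl_key, '') }}"
# Define whether communication between haproxy and the service backends is
# encrypted with TLS. Follows the global openstack_service_backend_ssl and
# falls back to False, i.e. haproxy -> radosgw traffic stays plaintext
# unless one of the two variables is set.
ceph_rgw_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"
# Storage location for the SSL certificate authority
ceph_rgw_pki_dir: "{{ openstack_pki_dir | default('/etc/openstack_deploy/pki') }}"
# Delegated host for operating the certificate authority
ceph_rgw_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
# ceph_rgw server certificate: where the generated key and cert are kept
ceph_rgw_pki_keys_path: "{{ ceph_rgw_pki_dir ~ '/certs/private/' }}"
ceph_rgw_pki_certs_path: "{{ ceph_rgw_pki_dir ~ '/certs/certs/' }}"
# Intermediate CA that signs the server certificate. The
# 'ExampleCorpIntermediate' fallback is a placeholder name.
ceph_rgw_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('ExampleCorpIntermediate') }}"
# Left empty here; presumably a non-empty value forces the certificate to
# be regenerated — confirm against the pki role before relying on it.
ceph_rgw_pki_regen_cert: ''
# Subject alternative names: the host's name and management address unless
# openstack_pki_san overrides them.
ceph_rgw_pki_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}"
ceph_rgw_pki_certificates:
  - name: "ceph_rgw_{{ ansible_facts['hostname'] }}"
    provider: ownca
    cn: "{{ ansible_facts['hostname'] }}"
    san: "{{ ceph_rgw_pki_san }}"
    signed_by: "{{ ceph_rgw_pki_intermediate_cert_name }}"
# ceph_rgw destination files for SSL certificates
ceph_rgw_ssl_cert: /etc/ceph/ceph-rgw.pem
ceph_rgw_ssl_key: /etc/ceph/ceph-rgw.key
# Installation details for SSL certificates. The certificate chain is
# world-readable (0644); the private key is readable by the ceph user
# only (0600). Modes are quoted so YAML does not read them as octal ints.
ceph_rgw_pki_install_certificates:
  - src: "{{ ceph_rgw_user_ssl_cert | default(ceph_rgw_pki_certs_path ~ 'ceph_rgw_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
    dest: "{{ ceph_rgw_ssl_cert }}"
    owner: "ceph"
    group: "ceph"
    mode: "0644"
  - src: "{{ ceph_rgw_user_ssl_key | default(ceph_rgw_pki_keys_path ~ 'ceph_rgw_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
    dest: "{{ ceph_rgw_ssl_key }}"
    owner: "ceph"
    group: "ceph"
    mode: "0600"
# Define user-provided SSL certificates (paths on the Ansible deployment
# host). When set, they replace the ownca-generated chain and key as the
# `src` of the two entries above.
# ceph_rgw_user_ssl_cert: <path to cert on ansible deployment host>
# ceph_rgw_user_ssl_key: <path to key on ansible deployment host>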
You may also want to add the rgw_dns_name option if you want to enable bucket hostnames with the S3 API.