Add radosgw_frontend_ssl_certificate parameter

This is necessary when configuring RGW with SSL because
in addition to passing specific frontend options, civetweb
appends the 's' character to the binding port and beast uses
ssl_endpoint instead of endpoint.

Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1722071
Signed-off-by: Giulio Fidente <gfidente@redhat.com>

group_vars/all.yml.sample

@@ -404,11 +404,13 @@ dummy:
 #radosgw_civetweb_port: 8080
 #radosgw_civetweb_num_threads: 512
 #radosgw_civetweb_options: "num_threads={{ radosgw_civetweb_num_threads }}"
-# For additional civetweb configuration options available such as SSL, logging,
+# For additional civetweb configuration options available such as logging,
 # keepalive, and timeout settings, please see the civetweb docs at
 # https://github.com/civetweb/civetweb/blob/master/docs/UserManual.md
 
 #radosgw_frontend_port: "{{ radosgw_civetweb_port if radosgw_frontend_type == 'civetweb' else '8080' }}"
+# The server private key, public certificate and any other CA or intermediate certificates should be in one file, in PEM format.
+#radosgw_frontend_ssl_certificate: ""
 #radosgw_frontend_options: "{{ radosgw_civetweb_options if radosgw_frontend_type == 'civetweb' else '' }}"
 #radosgw_thread_pool_size: 512
 

group_vars/rhcs.yml.sample

@@ -404,11 +404,13 @@ ceph_rhcs_version: 4
 #radosgw_civetweb_port: 8080
 #radosgw_civetweb_num_threads: 512
 #radosgw_civetweb_options: "num_threads={{ radosgw_civetweb_num_threads }}"
-# For additional civetweb configuration options available such as SSL, logging,
+# For additional civetweb configuration options available such as logging,
 # keepalive, and timeout settings, please see the civetweb docs at
 # https://github.com/civetweb/civetweb/blob/master/docs/UserManual.md
 
 #radosgw_frontend_port: "{{ radosgw_civetweb_port if radosgw_frontend_type == 'civetweb' else '8080' }}"
+# The server private key, public certificate and any other CA or intermediate certificates should be in one file, in PEM format.
+#radosgw_frontend_ssl_certificate: ""
 #radosgw_frontend_options: "{{ radosgw_civetweb_options if radosgw_frontend_type == 'civetweb' else '' }}"
 #radosgw_thread_pool_size: 512
 

roles/ceph-config/templates/ceph.conf.j2

@@ -117,7 +117,15 @@ osd memory target = {{ _osd_memory_target | default(osd_memory_target) }}
 host = {{ _rgw_hostname }}
 keyring = /var/lib/ceph/radosgw/{{ cluster }}-rgw.{{ _rgw_hostname + '.' + instance['instance_name'] }}/keyring
 log file = /var/log/ceph/{{ cluster }}-rgw-{{ hostvars[host]['ansible_hostname'] + '.' + instance['instance_name'] }}.log
-rgw frontends = {{ radosgw_frontend_type }} {{ 'port' if radosgw_frontend_type == 'civetweb' else 'endpoint' }}={{ instance['radosgw_address'] }}:{{ instance['radosgw_frontend_port'] }} {{ radosgw_frontend_options }}
+{% set _rgw_binding_socket = instance['radosgw_address']|string + ':' + instance['radosgw_frontend_port']|string %}
+{%- macro frontend_line(frontend_type) -%}
+{%- if frontend_type == 'civetweb' -%}
+{{ radosgw_frontend_type }} port={{ _rgw_binding_socket }}{{ 's ssl_certificate='+radosgw_frontend_ssl_certificate if radosgw_frontend_ssl_certificate else '' }}
+{%- elif frontend_type == 'beast' -%}
+{{ radosgw_frontend_type }} {{ 'ssl_' if radosgw_frontend_ssl_certificate else '' }}endpoint={{ _rgw_binding_socket }}{{ ' ssl_certificate='+radosgw_frontend_ssl_certificate if radosgw_frontend_ssl_certificate else '' }}
+{%- endif -%}
+{%- endmacro -%}
+rgw frontends = {{ frontend_line(radosgw_frontend_type) }} {{ radosgw_frontend_options }}
 {% if 'num_threads' not in radosgw_frontend_options %}
 rgw thread pool size = {{ radosgw_thread_pool_size }}
 {% endif %}

roles/ceph-defaults/defaults/main.yml

@@ -396,11 +396,13 @@ radosgw_frontend_type: beast # For additionnal frontends see: http://docs.ceph.c
 radosgw_civetweb_port: 8080
 radosgw_civetweb_num_threads: 512
 radosgw_civetweb_options: "num_threads={{ radosgw_civetweb_num_threads }}"
-# For additional civetweb configuration options available such as SSL, logging,
+# For additional civetweb configuration options available such as logging,
 # keepalive, and timeout settings, please see the civetweb docs at
 # https://github.com/civetweb/civetweb/blob/master/docs/UserManual.md
 
 radosgw_frontend_port: "{{ radosgw_civetweb_port if radosgw_frontend_type == 'civetweb' else '8080' }}"
+# The server private key, public certificate and any other CA or intermediate certificates should be in one file, in PEM format.
+radosgw_frontend_ssl_certificate: ""
 radosgw_frontend_options: "{{ radosgw_civetweb_options if radosgw_frontend_type == 'civetweb' else '' }}"
 radosgw_thread_pool_size: 512
 

roles/ceph-handler/templates/restart_rgw_daemon.sh.j2

@@ -5,6 +5,12 @@ DELAY="{{ handler_health_rgw_check_delay }}"
 HOST_NAME="{{ ansible_hostname }}"
 RGW_NUMS={{ radosgw_num_instances }}
 RGW_BASE_PORT={{ radosgw_frontend_port }}
+RGW_FRONTEND_SSL_CERT={{ radosgw_frontend_ssl_certificate }}
+if [ -n "$RGW_FRONTEND_SSL_CERT" ]; then
+    RGW_PROTOCOL=https
+else
+    RGW_PROTOCOL=http
+fi
 declare -a DOCKER_EXECS
 for ((i=0; i<${RGW_NUMS}; i++)); do
   DOCKER_EXECS[i]=""
@@ -57,13 +63,13 @@ check_rest() {
   check_for_curl_or_wget ${i}
   local succ=0
   while [ $RETRIES -ne 0 ]; do
-    test "$rgw_test_command http://$RGW_IP:$((RGW_BASE_PORT+i))" && succ=$((succ+1)) && break
+    test "$rgw_test_command $RGW_PROTOCOL://$RGW_IP:$((RGW_BASE_PORT+i))" && succ=$((succ+1)) && break
     sleep $DELAY
     let RETRIES=RETRIES-1
   done
   if [ $succ -ne 1 ]; then
     # If we reach this point, it means there is a problem with the connection to rgw
-    echo "Error connecting locally to Rados Gateway service: http://$rgw_listen"
+    echo "Error connecting locally to Rados Gateway service: $RGW_PROTOCOL://$rgw_listen"
     exit 1
   fi
 }

roles/ceph-rgw/templates/ceph-radosgw.service.j2

@@ -32,6 +32,9 @@ ExecStart=/usr/bin/{{ container_binary }} run --rm --net=host \
   {% if ansible_distribution == 'RedHat' -%}
   -v /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:z \
   {% endif -%}
+  {% if radosgw_frontend_ssl_certificate -%}
+  -v {{ radosgw_frontend_ssl_certificate }}:{{ radosgw_frontend_ssl_certificate }}:ro \
+  {% endif -%}
   -e CEPH_DAEMON=RGW \
   -e CLUSTER={{ cluster }} \
   -e RGW_NAME={{ ansible_hostname }}.${INST_NAME} \