stackhpc · markgoddard · Nov 9, 2023 · Sep 1, 2023 · Sep 1, 2023 · Sep 19, 2023
@@ -11,10 +11,6 @@ on:
         description: Build Ubuntu 22.04 Jammy
         type: boolean
         default: true
-      SMS:
-        description: Push images to SMS
-        type: boolean
-        default: true
     secrets:
       KAYOBE_VAULT_PASSWORD:
         required: true
@@ -166,7 +162,7 @@ jobs:
         env:
           OS_APPLICATION_CREDENTIAL_ID: ${{ secrets.OS_APPLICATION_CREDENTIAL_ID }}
           OS_APPLICATION_CREDENTIAL_SECRET: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET }}
-        if: inputs.rocky9 && steps.build_rocky_9.outcome == 'success' && inputs.sms
+        if: inputs.rocky9 && steps.build_rocky_9.outcome == 'success'
 
       - name: Build an Ubuntu Jammy 22.04 overcloud host image
         id: build_ubuntu_jammy
@@ -210,7 +206,7 @@ jobs:
         env:
           OS_APPLICATION_CREDENTIAL_ID: ${{ secrets.OS_APPLICATION_CREDENTIAL_ID }}
           OS_APPLICATION_CREDENTIAL_SECRET: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET }}
-        if: inputs.ubuntu-jammy && steps.build_ubuntu_jammy.outcome == 'success' && inputs.sms
+        if: inputs.ubuntu-jammy && steps.build_ubuntu_jammy.outcome == 'success'
 
       - name: Upload updated images artifact
         uses: actions/upload-artifact@v3

@@ -308,6 +308,136 @@ should be used in the Kolla Manila configuration e.g.:
 
   manila_cephfs_filesystem_name: manila-cephfs
 
+RADOS Gateways
+--------------
+
+RADOS Gateways (RGWs) are defined with the following:
+
+.. code:: yaml
+
+  cephadm_radosgw_services:
+    - id: myrgw
+      count_per_host: 1
+      spec:
+        rgw_frontend_port: 8100
+
+The port chosen must not conflict with any other processes running on the Ceph
+hosts. Port 8100 does not conflict with our default suite of services.
+
+Ceph RGWs require additional configuration to:
+
+  * Support both S3 and Swift APIs.
+
+  * Authenticate user access via Keystone.
+
+  * Allow cross-project and public object access.
+
+The set of commands below configure all of these.
+
+.. code:: yaml
+
+  # Append the following to cephadm_commands_post:
+  - "config set client.rgw rgw_content_length_compat true"
+  - "config set client.rgw rgw_enable_apis 's3, swift, swift_auth, admin'"
+  - "config set client.rgw rgw_enforce_swift_acls true"
+  - "config set client.rgw rgw_keystone_accepted_admin_roles 'admin'"
+  - "config set client.rgw rgw_keystone_accepted_roles 'member, Member, _member_, admin'"
+  - "config set client.rgw rgw_keystone_admin_domain Default"
+  - "config set client.rgw rgw_keystone_admin_password {{ secrets_ceph_rgw_keystone_password }}"
+  - "config set client.rgw rgw_keystone_admin_project service"
+  - "config set client.rgw rgw_keystone_admin_user 'ceph_rgw'"
+  - "config set client.rgw rgw_keystone_api_version '3'"
+  - "config set client.rgw rgw_keystone_token_cache_size '10000'"
+  - "config set client.rgw rgw_keystone_url https://{{ kolla_internal_fqdn }}:5000"
+  - "config set client.rgw rgw_keystone_verify_ssl false"
+  - "config set client.rgw rgw_max_attr_name_len '1000'"
+  - "config set client.rgw rgw_max_attr_size '1000'"
+  - "config set client.rgw rgw_max_attrs_num_in_req '1000'"
+  - "config set client.rgw rgw_s3_auth_use_keystone true"
+  - "config set client.rgw rgw_swift_account_in_url true"
+  - "config set client.rgw rgw_swift_versioning_enabled true"
+
+As we have configured Ceph to respond to Swift APIs, you will need to tell
+Kolla to account for this when registering Swift endpoints with Keystone. Also,
+when ``rgw_swift_account_in_url`` is set, the equivalent Kolla variable should
+be set in Kolla ``globals.yml`` too:
+
+.. code:: yaml
+
+  ceph_rgw_swift_compatibility: false
+  ceph_rgw_swift_account_in_url: true
+
+``secrets_ceph_rgw_keystone_password`` should be stored in the Kayobe
+``secrets.yml``, and set to the same value as ``ceph_rgw_keystone_password`` in
+the Kolla ``passwords.yml``. As such, you will need to configure Keystone
+before deploying the RADOS gateways. If you are using the Kolla load balancer
+(see :ref:`RGWs-with-hyper-converged-Ceph` for more info), you can specify the
+``haproxy`` and ``loadbalancer`` tags here too.
+
+.. code:: yaml
+
+  kayobe overcloud service deploy -kt ceph-rgw,keystone,haproxy,loadbalancer
+
+
+.. _RGWs-with-hyper-converged-Ceph:
+
+RGWs with hyper-converged Ceph
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If you are using a hyper-converged Ceph setup (i.e. your OpenStack controllers
+and Ceph storage nodes share the same hosts), you should double-check that
+``rgw_frontend_port`` does not conflict with any processes on the controllers.
+For example, port 80 (and 443) will be bound to the Kolla-deployed haproxy. You
+should choose a custom port that does not conflict with any OpenStack endpoints
+too (``openstack endpoint list``).
+
+You may also want to use the Kolla-deployed haproxy to load balance your RGWs.
+This means you will not need to define any Ceph ingress services. Instead, you
+add definitions of your Ceph hosts to Kolla ``globals.yml``:
+
+.. code:: yaml
+
+  ceph_rgw_hosts:
+    - host: controller1
+      ip: <host IP on storage net>
+      port: 8100
+    - host: controller2
+      ip: <host IP on storage net>
+      port: 8100
+    - host: controller3
+      ip: <host IP on storage net>
+      port: 8100
+
+HA with Ingress services
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+Ingress services are defined with the following. ``id`` should match the name
+(not id) of the RGW service to which ingress will point to. ``spec`` is a
+service specification required by Cephadm to deploy the ingress (haproxy +
+keepalived pair).
+
+Note that the ``virtual_ip`` here must be different than the Kolla VIP. The
+choice of subnet will be dependent on your deployment, and can be outside
+of any Ceph networks.
+
+.. code:: yaml
+
+  cephadm_ingress_services:
+    - id: rgw.myrgw
+      spec:
+        frontend_port: 443
+        monitor_port: 1967
+        virtual_ip: 10.66.0.1/24
+        ssl_cert: {example_certificate_chain}
+
+When using ingress services, you will need to stop Kolla from configuring your
+RGWs to use the Kolla-deployed haproxy. Set the following in Kolla
+``globals.yml``:
+
+.. code:: yaml
+
+  enable_ceph_rgw_loadbalancer: false
+
 Deployment
 ==========
 
@@ -345,8 +475,14 @@ cephadm.yml playbook to perform post-deployment configuration:
 
    kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cephadm.yml
 
-The ``cephadm.yml`` playbook imports various other playbooks, which may
-also be run individually to perform specific tasks.
+The ``cephadm.yml`` playbook imports various other playbooks, which may also be
+run individually to perform specific tasks. Note that if you want to deploy
+additional services (such as RGWs or ingress) after an initial deployment, you
+will need to set ``cephadm_bootstrap`` to true. For example:
+
+.. code:: bash
+
+   kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/cephadm.yml -e cephadm_bootstrap=true
 
 Configuration generation
 ------------------------

@@ -2,6 +2,10 @@
 collections:
   - name: stackhpc.cephadm
     version: 1.14.0
+  # NOTE: Pinning pulp.squeezer to 0.0.13 because 0.0.14+ depends on the
+  # pulp_glue Python library being installed.
+  - name: pulp.squeezer
+    version: 0.0.13
   - name: stackhpc.pulp
     version: 0.5.2
   - name: stackhpc.hashicorp

@@ -5,3 +5,35 @@
   tasks:
     - import_role:
         name: "wazuh-ansible/wazuh-ansible/roles/wazuh/ansible-wazuh-agent"
+  post_tasks:
+    - name: Check if custom SCA policies directory exists
+      stat:
+        path: "{{ local_custom_sca_policies_path }}"
+      register: custom_sca_policies_folder
+      delegate_to: localhost
+
+    - name: Gather list of custom SCA policies
+      find:
+        paths: "{{ local_custom_sca_policies_path }}"
+        patterns: '*.yml'
+      delegate_to: localhost
+      register: custom_sca_policies
+      when: custom_sca_policies_folder.stat.exists
+
+    - name: Allow Wazuh agents to execute commands in SCA policies sent from the Wazuh manager
+      become: yes
+      blockinfile:
+        path: "/var/ossec/etc/local_internal_options.conf"
+        state: present
+        owner: wazuh
+        group: wazuh
+        block: sca.remote_commands=1
+      when: custom_sca_policies.files | length > 0
+      notify:
+        - Restart wazuh-agent
+
+  handlers:
+    - name: Restart wazuh-agent
+      service:
+        name: wazuh-agent
+        state: restarted
@@ -32,16 +32,7 @@
           delegate_to: localhost
           register: custom_sca_policies
           when: custom_sca_policies_folder.stat.exists
-
-        - name: Allow Wazuh agents to execute commands in SCA policies sent from the Wazuh manager
-          blockinfile:
-            path: "/var/ossec/etc/local_internal_options.conf"
-            state: present
-            owner: wazuh
-            group: wazuh
-            block: |
-              sca.remote_commands=1
-          when: custom_sca_policies.files | length > 0
+          become: no
 
         - name: Copy custom SCA policy files to Wazuh manager
           copy:
@@ -112,7 +103,6 @@
     - name: Perform health check against filebeat
       command: filebeat test output
       changed_when: false
-      become: true
       retries: 2
 
   handlers:

@@ -5,11 +5,11 @@
 # Bifrost installation.
 
 # URL of Bifrost source code repository.
-kolla_bifrost_source_url: "{{ stackhpc_bifrost_source_url }}"
+#kolla_bifrost_source_url:
 
 # Version (branch, tag, etc.) of Bifrost source code repository. Default is
 # {{ openstack_branch }}.
-kolla_bifrost_source_version: "{{ stackhpc_bifrost_source_version }}"
+#kolla_bifrost_source_version:
 
 # Whether Bifrost uses firewalld. Default value is false to avoid conflicting
 # with iptables rules configured on the seed host by Kayobe.

@@ -86,8 +86,14 @@ cephadm_cluster_network: "{{ storage_mgmt_net_name | net_cidr }}"
 # stackhpc.cephadm.commands for format. Pre commands run before the rest of the
 # post-deployment configuration, post commands run after the rest of the
 # post-deployment configuration.
-#cephadm_commands_pre:
-#cephadm_commands_post:
+cephadm_commands_pre: "{{ cephadm_commands_pre_default + cephadm_commands_pre_extra }}"
+cephadm_commands_post: "{{ cephadm_commands_post_default + cephadm_commands_post_extra }}"
+
+cephadm_commands_pre_default: []
+cephadm_commands_pre_extra: []
+
+cephadm_commands_post_default: "{{ ['mgr module enable prometheus'] if kolla_enable_prometheus_ceph_mgr_exporter | bool else [] }}"
+cephadm_commands_post_extra: []
 
 ###############################################################################
 # Kolla Ceph auto-configuration.

@@ -0,0 +1,3 @@
+---
+# Ansible custom SCA policies directory
+local_custom_sca_policies_path: "{{ kayobe_env_config_path }}/wazuh/custom_sca_policies"
@@ -24,9 +24,6 @@ local_certs_path: "{{ playbook_dir }}/wazuh/certificates"
 # Ansible control host custom certificates directory
 local_custom_certs_path: "{{ playbook_dir }}/wazuh/custom_certificates"
 
-# Ansible custom SCA policies directory
-local_custom_sca_policies_path: "{{ kayobe_env_config_path }}/wazuh/custom_sca_policies"
-
 # Indexer variables
 indexer_node_name: "{{ inventory_hostname }}"
 

@@ -0,0 +1,8 @@
+---
+features:
+  - |
+    The Cephadm pre and post commands now support default commands with the
+    variables ``cephadm_commands_pre_default`` and
+    ``cephadm_commands_post_default``. As such, any extra commands should be
+    added to the variables ``cephadm_commands_pre_extra`` and
+    ``cephadm_commands_post_extra``.
@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    When using custom SCA policies for Wazuh, the agents are now correctly
+    configured to allow commands to be executed from the manager.
@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Fixes an issue with Ansible Pulp modules depending on the ``pulp_glue``
+    Python library since the ``pulp.squeezer`` 0.0.14 release.