openstack/openstack-ansible-os_swift
Code Issues Proposed changes
openstack-ansible-os_swift/defaults/main.yml
Dmitriy Rabotyagov 0ba35bf841 Add quorum queues support for service 
This change implements and enables by default quorum support
for rabbitmq as well as providing default variables to globally tune
it's behaviour.

In order to ensure upgrade path and ability to switch back to HA queues
we change vhost names with removing leading `/`, as enabling quorum
requires to remove exchange which is tricky thing to do with running
services.

Change-Id: Id5f6cabed7ec035845865d6d5facc63590c56d43
2023-11-13 12:11:44 +00:00

610 lines
25 KiB
YAML
Raw Blame History

---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Enable/Disable Telemetry projects
swift_ceilometer_enabled: "{{ (groups['ceilometer_all'] is defined) and (groups['ceilometer_all'] | length > 0) }}"
## Verbosity Options
debug: False
# Set the host which will execute the shade modules
# for the service setup. The host must already have
# clouds.yaml properly configured.
swift_service_setup_host: "{{ openstack_service_setup_host | default('localhost') }}"
swift_service_setup_host_python_interpreter: >-
{{
openstack_service_setup_host_python_interpreter | default(
(swift_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']))
}}
# Set the package install state for distribution packages
# Options are 'present' and 'latest'
swift_package_state: "{{ package_state | default('latest') }}"
# Set installation method.
swift_install_method: "{{ service_install_method | default('source') }}"
swift_venv_python_executable: "{{ openstack_venv_python_executable | default('python3') }}"
# Git repo details for swift
swift_git_repo: https://opendev.org/openstack/swift
swift_git_install_branch: master
swift_upper_constraints_url: >-
{{ requirements_git_url | default('https://releases.openstack.org/constraints/upper/' ~ requirements_git_install_branch | default('master')) }}
swift_git_constraints:
- "--constraint {{ swift_upper_constraints_url }}"
swift_pip_install_args: "{{ pip_install_options | default('') }}"
# Name of the virtual env to deploy into
swift_venv_tag: "{{ venv_tag | default('untagged') }}"
swift_bin: "{{ _swift_bin }}"
# Set the full path to the swift recon cron
recon_cron_path: "{{ swift_bin }}/swift-recon-cron"
## Swift User / Group
swift_system_user_name: swift
swift_system_group_name: swift
swift_system_shell: /bin/bash
swift_system_comment: swift system user
swift_system_home_folder: "/var/lib/{{ swift_system_user_name }}"
swift_system_slice_name: swift
swift_lock_dir: "{{ openstack_lock_dir | default('/run/lock') }}"
swift_cache_path: /var/cache/swift
## Auth token
swift_delay_auth_decision: true
## Swift middleware
# NB: The order is important!
swift_middleware_list:
- catch_errors
- gatekeeper
- healthcheck
- proxy-logging
- "{% if swift_ceilometer_enabled | bool %}ceilometer{% endif %}"
- cache
- container_sync
- bulk
- tempurl
- ratelimit
- authtoken
- keystoneauth
- staticweb
- copy
- container-quotas
- account-quotas
- slo
- dlo
- versioned_writes
- proxy-logging
- proxy-server
# Setup tempauth users list (user_<account>_<username> = <password> <roles>)
swift_tempauth_users:
- "user_admin_admin = admin .admin .reseller_admin"
## Swift default ports
swift_proxy_bind_address: "{{ openstack_service_bind_address | default('0.0.0.0') }}"
swift_proxy_port: "8080"
# You can change the object, container, account ports.
# This will update the ring, on the next playbook run,
# without requiring a rebalance.
# NB: There is service downtime, during the run, between
# the service restart and the ring updating.
swift_object_port: "6000"
swift_container_port: "6001"
swift_account_port: "6002"
# Default swift ring settings:
swift_default_replication_number: 3
swift_default_min_part_hours: 1
swift_default_host_zone: 0
swift_default_host_region: 1
swift_default_drive_weight: 100
## Swift service defaults
swift_service_name: swift
swift_service_user_name: swift
swift_service_project_name: service
swift_service_project_domain_id: "default"
swift_service_project_domain_name: "Default"
swift_service_user_domain_id: "default"
swift_service_role_names:
- admin
- service
swift_service_token_roles:
- service
swift_service_token_roles_required: "{{ openstack_service_token_roles_required | default(True) }}"
swift_service_type: object-store
swift_service_proto: http
swift_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(swift_service_proto) }}"
swift_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(swift_service_proto) }}"
swift_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(swift_service_proto) }}"
swift_service_description: "Object Storage Service"
swift_service_publicuri: "{{ swift_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ swift_proxy_port }}"
swift_service_publicurl: "{{ swift_service_publicuri }}/v1/AUTH_%(tenant_id)s"
swift_service_adminuri: "{{ swift_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ swift_proxy_port }}"
swift_service_adminurl: "{{ swift_service_adminuri }}/v1/AUTH_%(tenant_id)s"
swift_service_internaluri: "{{ swift_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ swift_proxy_port }}"
swift_service_internalurl: "{{ swift_service_internaluri }}/v1/AUTH_%(tenant_id)s"
swift_service_region: "{{ service_region | default('RegionOne') }}"
statsd_host:
statsd_port: 8125
statsd_default_sample_rate: 1.0
statsd_sample_rate_factor: 1.0
statsd_metric_prefix:
# Set the file limits
swift_hard_open_file_limits: 10240
swift_soft_open_file_limits: 4096
swift_max_file_limits: "{{ swift_hard_open_file_limits * 24 }}"
## Keystone authentication middleware
swift_keystone_auth_plugin: "{{ swift_keystone_auth_type }}"
swift_keystone_auth_type: "password"
swift_dispersion_user: dispersion
swift_dispersion_user_domain_name: "Default"
swift_operator_role: swiftoperator
swift_allow_versions: True
# This will allow all users to create containers and upload to swift if set to True
swift_allow_all_users: False
# If you want to regenerate the swift keys, on a run, for rsync purposes set this var to True
# otherwise keys will be generated on the first run and not regenerated each run.
swift_recreate_keys: False
swift_sorting_method: shuffle
# Set the fallocate_reserve value which will reserve space and fail on PUTs above this value in bytes (Default 10GB)
swift_fallocate_reserve: "1%"
swift_account_fallocate_reserve: "{{ swift_fallocate_reserve }}"
swift_container_fallocate_reserve: "{{ swift_fallocate_reserve }}"
swift_object_fallocate_reserve: "{{ swift_fallocate_reserve }}"
# Set this to true to disable fallocate
swift_disable_fallocate: false
swift_account_disable_fallocate: "{{ swift_disable_fallocate }}"
swift_container_disable_fallocate: "{{ swift_disable_fallocate }}"
swift_object_disable_fallocate: "{{ swift_disable_fallocate }}"
# This variable will protect against changing swift_hash_path_* variables unintentionally.
# If you wish to change them intentionally set the swift_force_change_hashes variable to True.
swift_force_change_hashes: False
## Swift ceilometer variables
swift_reselleradmin_role: ResellerAdmin
## Oslo Messaging
# Notify
swift_oslomsg_notify_host_group: "{{ oslomsg_notify_host_group | default('rabbitmq_all') }}"
swift_oslomsg_notify_setup_host: "{{ (swift_oslomsg_notify_host_group in groups) | ternary(groups[swift_oslomsg_notify_host_group][0], 'localhost') }}"
swift_oslomsg_notify_transport: "{{ oslomsg_notify_transport | default('rabbit') }}"
swift_oslomsg_notify_servers: "{{ oslomsg_notify_servers | default('127.0.0.1') }}"
swift_oslomsg_notify_port: "{{ oslomsg_notify_port | default('5672') }}"
swift_oslomsg_notify_use_ssl: "{{ oslomsg_notify_use_ssl | default(False) }}"
swift_oslomsg_notify_userid: swift
swift_oslomsg_notify_vhost:
- name: /swift
state: "{{ swift_oslomsg_rabbit_quorum_queues | ternary('absent', 'present') }}"
- name: swift
state: "{{ swift_oslomsg_rabbit_quorum_queues | ternary('present', 'absent') }}"
swift_oslomsg_notify_ssl_version: "{{ oslomsg_notify_ssl_version | default('TLSv1_2') }}"
swift_oslomsg_notify_ssl_ca_file: "{{ oslomsg_notify_ssl_ca_file | default('') }}"
swift_oslomsg_rabbit_quorum_queues: "{{ oslomsg_rabbit_quorum_queues | default(True) }}"
swift_oslomsg_rabbit_quorum_delivery_limit: "{{ oslomsg_rabbit_quorum_delivery_limit | default(0) }}"
swift_oslomsg_rabbit_quorum_max_memory_bytes: "{{ oslomsg_rabbit_quorum_max_memory_bytes | default(0) }}"
## General Swift configuration
# We are not capping the default value for these swift variables which define
# the number of worker threads for each of the swift services (except the swift
# proxy workers when proxy is in a container) because of the performace impact
# that may be seen due to capping worker threads for swift services.
# We would like to calculate the default value using vCPUs for good performance
# of swift services.
# If ``swift_account_server_replicator_workers`` is unset the system will use half the number
# of available VCPUS to compute the number of api workers to use.
# swift_account_server_replicator_workers: 16
# If ``swift_server_replicator_workers`` is unset the system will use half the number
# of available VCPUS to compute the number of api workers to use.
# swift_server_replicator_workers: 16
# If ``swift_object_replicator_workers`` is unset the system will use half the number
# of available VCPUS to compute the number of api workers to use.
# swift_object_replicator_workers: 16
# If ``swift_account_server_workers`` is unset the system will use half the number
# of available VCPUS to compute the number of api workers to use.
# swift_account_server_workers: 16
# If ``swift_container_server_workers`` is unset the system will use half the number
# of available VCPUS to compute the number of api workers to use.
# swift_container_server_workers: 16
# If ``swift_object_server_workers`` is unset the system will use half the number
# of available VCPUS to compute the number of api workers to use.
# swift_object_server_workers: 16
# If ``swift_proxy_server_workers`` is unset the system will use half the number
# of available VCPUS to compute the number of api workers to use. Capping this
# value at 16 if the swift proxy is in a container and user did not define
# this variable.
swift_proxy_server_workers_max: 16
swift_proxy_server_workers_not_capped: "{{ [(ansible_facts['processor_vcpus'] // ansible_facts['processor_threads_per_core']) | default(1), 1] | max * 2 }}"
swift_proxy_server_workers_capped: "{{ [swift_proxy_server_workers_max, swift_proxy_server_workers_not_capped | int] | min }}"
swift_proxy_server_workers: "{{ (inventory_hostname == physical_host) | ternary(swift_proxy_server_workers_not_capped, swift_proxy_server_workers_capped) }}"
# These are the storage addresses used to define the networks for swift storage and replication
# These are calculated by the tasks based on the "storage_network" and "replication_network" values
# set in the swift variables, if you set these per host the value won't be calculated.
# Setting swift_vars.storage_ip or swift_vars.repl_ip will take precedence.
# If none are set it will default to the "ansible_host" value.
# swift_storage_address: 127.0.0.1
# swift_replication_address: 127.0.0.1
# This var is calculated by the play itself, and should not need to be set
# It is defaulted for the benefit of the swift_proxy host which needs it
# for the swift-init-systemd.j2 template file.
swift_dedicated_replication: False
swift_service_in_ldap: "{{ service_ldap_backend_enabled | default(False) }}"
# Basic swift configuration for the cluster
swift: {}
swift_vars: {}
swift_proxy_vars: {}
# Example basic swift configuration for the cluster
# swift:
# part_power: 8
# storage_network: 'br-storage'
# replication_network: 'br-storage'
# drives:
# - name: swift1.img
# - name: swift2.img
# - name: swift3.img
# mount_point: /srv
# storage_policies:
# - policy:
# name: default
# index: 0
# default: True
# Set rsync max_connections vars
swift_max_rsync_connections: 4
swift_account_max_rsync_connections: "{{ swift_max_rsync_connections }}"
swift_container_max_rsync_connections: "{{ swift_max_rsync_connections }}"
swift_object_max_rsync_connections: "{{ swift_max_rsync_connections }}"
# Set Swift to use rsync module per object server drive
swift_rsync_module_per_drive: False
# Set Swift to use reverse lookup - requires name resolution or hosts entries
swift_rsync_reverse_lookup: False
# Set the managed regions as a list of swift regions to manage
# Use for global clusters, default when not set is all regions.
# swift_managed_regions:
# - 1
# - 2
# swift_do_setup and swift_do_sync control which parts of the swift
# role get run. You should never need to adjust these, they are set
# within the swift-setup and swift-sync roles to ensure only the
# appropriate tasks within the os-swift role are run.
swift_do_setup: True
swift_do_sync: True
# Example swift_container_sync_realms to specify container_sync realms
# This can exist for multiple realms (in a list)
# swift_container_sync_realms:
# - name: realm1
# # You may want to put swift_realm_keyx in user_secrets.yml or ansible-vault
# # Otherwise specify it manually below.
# key1: {{ swift_realm_key1 }}
# # key2 is optional and used for rotating/deprecated keys
# key2: {{ swift_realm_key2 }}
# clustername1: https://<cluster1-ip>/v1
# clustername2: https://<cluster2-ip>/v1
swift_pip_packages:
- ceilometermiddleware
- cryptography
- dnspython
- ecdsa
- keystonemiddleware
- osprofiler
- pyeclib
- python-keystoneclient
- pymemcache
- python-memcached
- python-swiftclient
- "git+{{ swift_git_repo }}@{{ swift_git_install_branch }}#egg=swift"
- systemd-python
# Memcached override
swift_memcached_servers: "{{ memcached_servers }}"
swift_account_replicator_init_overrides: {}
swift_account_replicator_server_init_overrides: {}
swift_account_server_init_overrides: {}
swift_account_auditor_init_overrides: {}
swift_account_reaper_init_overrides: {}
swift_container_replicator_init_overrides: {}
swift_container_replicator_server_init_overrides: {}
swift_container_server_init_overrides: {}
swift_container_auditor_init_overrides: {}
swift_container_sync_init_overrides: {}
swift_container_updater_init_overrides: {}
swift_container_reconciler_init_overrides: {}
swift_object_replicator_init_overrides: {}
swift_object_replicator_server_init_overrides: {}
swift_object_server_init_overrides: {}
swift_object_auditor_init_overrides: {}
swift_object_updater_init_overrides: {}
swift_object_expirer_init_overrides: {}
swift_object_reconstructor_init_overrides: {}
swift_proxy_server_init_overrides: {}
# Default options applied to all swift service units
swift_service_defaults:
Service:
LimitNOFILE: "{{ swift_soft_open_file_limits }}:{{ swift_hard_open_file_limits }}"
Environment:
? "PYPY_GC_MIN={{ swift_pypy_gc_min }}"
? "PYPY_GC_MAX={{ swift_pypy_gc_max }}"
swift_services:
swift-proxy-server:
group: swift_proxy
service_name: "swift-proxy-server"
execstarts: "{{ swift_bin }}/swift-proxy-server /etc/swift/proxy-server/proxy-server.conf"
init_config_overrides: "{{ swift_proxy_server_init_overrides }}"
start_order: 1
swift-account-server:
group: swift_acc
service_name: "swift-account-server"
execstarts: "{{ swift_bin }}/swift-account-server /etc/swift/account-server/account-server.conf"
init_config_overrides: "{{ swift_account_server_init_overrides }}"
start_order: 2
swift-account-replicator-server:
group: swift_acc
service_name: "swift-account-replicator-server"
execstarts: "{{ swift_bin }}/swift-account-server /etc/swift/account-server/account-server-replicator.conf"
service_en: "{{ swift_dedicated_replication | bool }}"
init_config_overrides: "{{ swift_account_replicator_server_init_overrides }}"
start_order: 3
swift-container-server:
group: swift_cont
service_name: swift-container-server
execstarts: "{{ swift_bin }}/swift-container-server /etc/swift/container-server/container-server.conf"
init_config_overrides: "{{ swift_container_server_init_overrides }}"
start_order: 4
swift-container-replicator-server:
group: swift_cont
service_name: "swift-container-replicator-server"
execstarts: "{{ swift_bin }}/swift-container-server /etc/swift/container-server/container-server-replicator.conf"
service_en: "{{ swift_dedicated_replication | bool }}"
init_config_overrides: "{{ swift_container_replicator_server_init_overrides }}"
start_order: 5
swift-object-server:
group: swift_obj
service_name: swift-object-server
execstarts: "{{ swift_bin }}/swift-object-server /etc/swift/object-server/object-server.conf"
init_config_overrides: "{{ swift_object_server_init_overrides }}"
start_order: 6
swift-object-replicator-server:
group: swift_obj
service_name: "swift-object-replicator-server"
execstarts: "{{ swift_bin }}/swift-object-server /etc/swift/object-server/object-server-replicator.conf"
service_en: "{{ swift_dedicated_replication | bool }}"
init_config_overrides: "{{ swift_object_replicator_server_init_overrides }}"
start_order: 7
swift-account-auditor:
group: swift_acc
service_name: swift-account-auditor
execstarts: >-
{{ swift_bin }}/swift-account-auditor {{ swift_dedicated_replication | ternary(
'/etc/swift/account-server/account-server-replicator.conf', '/etc/swift/account-server/account-server.conf'
) }}
init_config_overrides: "{{ swift_account_auditor_init_overrides }}"
start_order: 8
swift-account-reaper:
group: swift_acc
service_name: swift-account-reaper
execstarts: "{{ swift_bin }}/swift-account-reaper /etc/swift/account-server/account-server.conf"
init_config_overrides: "{{ swift_account_reaper_init_overrides }}"
start_order: 9
swift-account-replicator:
group: swift_acc
service_name: swift-account-replicator
execstarts: >-
{{ swift_bin }}/swift-account-replicator {{ swift_dedicated_replication | ternary(
'/etc/swift/account-server/account-server-replicator.conf', '/etc/swift/account-server/account-server.conf'
) }}
init_config_overrides: "{{ swift_account_replicator_init_overrides }}"
start_order: 10
swift-container-auditor:
group: swift_cont
service_name: "swift-container-auditor"
execstarts: >-
{{ swift_bin }}/swift-container-auditor {{ swift_dedicated_replication | ternary(
'/etc/swift/container-server/container-server-replicator.conf', '/etc/swift/container-server/container-server.conf'
) }}
init_config_overrides: "{{ swift_container_auditor_init_overrides }}"
start_order: 11
swift-container-reconciler:
group: swift_cont
service_name: "swift-container-reconciler"
execstarts: "{{ swift_bin }}/swift-container-reconciler /etc/swift/container-server/container-reconciler.conf"
init_config_overrides: "{{ swift_container_reconciler_init_overrides }}"
start_order: 12
swift-container-replicator:
group: swift_cont
service_name: "swift-container-replicator"
execstarts: >-
{{ swift_bin }}/swift-container-replicator {{ swift_dedicated_replication | ternary(
'/etc/swift/container-server/container-server-replicator.conf', '/etc/swift/container-server/container-server.conf'
) }}
init_config_overrides: "{{ swift_container_replicator_init_overrides }}"
start_order: 13
swift-container-sync:
group: swift_cont
service_name: "swift-container-sync"
execstarts: "{{ swift_bin }}/swift-container-sync /etc/swift/container-server/container-server.conf"
init_config_overrides: "{{ swift_container_sync_init_overrides }}"
start_order: 14
swift-container-updater:
group: swift_cont
service_name: "swift-container-updater"
execstarts: "{{ swift_bin }}/swift-container-updater /etc/swift/container-server/container-server.conf"
init_config_overrides: "{{ swift_container_updater_init_overrides }}"
start_order: 15
swift-object-auditor:
group: swift_obj
service_name: "swift-object-auditor"
execstarts: >-
{{ swift_bin }}/swift-object-auditor {{ swift_dedicated_replication | ternary(
'/etc/swift/object-server/object-server-replicator.conf', '/etc/swift/object-server/object-server.conf'
) }}
init_config_overrides: "{{ swift_object_auditor_init_overrides }}"
start_order: 16
swift-object-expirer:
group: swift_obj
service_name: "swift-object-expirer"
execstarts: "{{ swift_bin }}/swift-object-expirer /etc/swift/object-server/object-expirer.conf"
init_config_overrides: "{{ swift_object_expirer_init_overrides }}"
start_order: 17
swift-object-reconstructor:
group: swift_obj
service_name: "swift-object-reconstructor"
execstarts: >-
{{ swift_bin }}/swift-object-reconstructor {{ swift_dedicated_replication | ternary(
'/etc/swift/object-server/object-server-replicator.conf', '/etc/swift/object-server/object-server.conf'
) }}
init_config_overrides: "{{ swift_object_reconstructor_init_overrides }}"
start_order: 18
swift-object-replicator:
group: swift_obj
service_name: "swift-object-replicator"
execstarts: >-
{{ swift_bin }}/swift-object-replicator {{ swift_dedicated_replication | ternary(
'/etc/swift/object-server/object-server-replicator.conf', '/etc/swift/object-server/object-server.conf'
) }}
init_config_overrides: "{{ swift_object_replicator_init_overrides }}"
start_order: 19
swift-object-updater:
group: swift_obj
service_name: "swift-object-updater"
execstarts: "{{ swift_bin }}/swift-object-updater /etc/swift/object-server/object-server.conf"
init_config_overrides: "{{ swift_object_updater_init_overrides }}"
start_order: 20
# Set to True to reset the clock on the last time a rebalance happened,
# circumventing the min_part_hours check.
# USE WITH EXTREME CAUTION
# If you run the swift playbook with this option enabled, before a swift
# replication pass completes, you may introduce unavailability in your
# cluster. This has an end-user impact.
swift_pretend_min_part_hours_passed: False
# Set this option to enable or disable the pypy interpreter for swift
swift_pypy_enabled: false
swift_pypy_archive:
url: "https://bitbucket.org/pypy/pypy/downloads/pypy2-v5.9.0-linux64.tar.bz2"
checksum: "sha256:790febd4f09e22d6e2f81154efc7dc4b2feec72712aaf4f82aa91b550abb4b48"
swift_pypy_version: "{{ swift_pypy_archive['url'] | basename | replace('.tar.bz2', '') }}"
swift_pypy_env: "/opt/pypy-runtime/{{ swift_pypy_version }}/bin/pypy"
# Set the Garbage Collection (GC) options for pypy if you would like to tune these
# More info on pypy garbage collection can be found here:
# http://doc.pypy.org/en/latest/gc_info.html
swift_pypy_gc_min: "15M"
swift_pypy_gc_max: "1GB"
## Tunable overrides
swift_swift_conf_overrides: {}
swift_swift_dispersion_conf_overrides: {}
swift_proxy_server_conf_overrides: {}
swift_account_server_conf_overrides: {}
swift_account_server_replicator_conf_overrides: {}
swift_container_server_conf_overrides: {}
swift_container_reconciler_conf_overrides: {}
swift_container_server_replicator_conf_overrides: {}
swift_container_sync_realms_conf_overrides: {}
swift_drive_audit_conf_overrides: {}
swift_internal_client_conf_overrides: {}
swift_object_server_conf_overrides: {}
swift_object_expirer_conf_overrides: {}
swift_object_server_replicator_conf_overrides: {}
swift_memcache_conf_overrides: {}
###
### Backend TLS
###
# Define if communication between haproxy and service backends should be
# encrypted with TLS.
# `openstack_service_backend_ssl` is not taken into account
# because TLS in swift-proxy is only for testing purposes:
# https://opendev.org/openstack/swift/src/commit/c78a5962b5f6c9e75f154cac924a226815236e98/etc/proxy-server.conf-sample
swift_backend_ssl: False
# Storage location for SSL certificate authority
swift_pki_dir: "{{ openstack_pki_dir | default('/etc/openstack_deploy/pki') }}"
# Delegated host for operating the certificate authority
swift_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
# swift server certificate
swift_pki_keys_path: "{{ swift_pki_dir ~ '/certs/private/' }}"
swift_pki_certs_path: "{{ swift_pki_dir ~ '/certs/certs/' }}"
swift_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('ExampleCorpIntermediate') }}"
swift_pki_regen_cert: ''
swift_pki_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}"
swift_pki_certificates:
- name: "swift_{{ ansible_facts['hostname'] }}"
provider: ownca
cn: "{{ ansible_facts['hostname'] }}"
san: "{{ swift_pki_san }}"
signed_by: "{{ swift_pki_intermediate_cert_name }}"
# swift destination files for SSL certificates
swift_ssl_cert: /etc/swift/swift.pem
swift_ssl_key: /etc/swift/swift.key
# Installation details for SSL certificates
swift_pki_install_certificates:
- src: "{{ swift_user_ssl_cert | default(swift_pki_certs_path ~ 'swift_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
dest: "{{ swift_ssl_cert }}"
owner: "{{ swift_system_user_name }}"
group: "{{ swift_system_user_name }}"
mode: "0644"
- src: "{{ swift_user_ssl_key | default(swift_pki_keys_path ~ 'swift_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
dest: "{{ swift_ssl_key }}"
owner: "{{ swift_system_user_name }}"
group: "{{ swift_system_user_name }}"
mode: "0600"
# Define user-provided SSL certificates
# swift_user_ssl_cert: <path to cert on ansible deployment host>
# swift_user_ssl_key: <path to cert on ansible deployment host>
View Git Blame Copy Permalink