openstack/openstack-ansible-os_swift
Code Issues Proposed changes
openstack-ansible-os_swift/defaults/main.yml
Dmitriy Rabotyagov 8a252a7d2d Auto-fix yaml rules 
In order to reduce divergance with ansible-lint rules, we apply
auto-fixing of violations.

In current patch we replace all kind of truthy variables with
`true` or `false` values to align with recommendations along with
alignment of used quotes.

Change-Id: I173a7f009412285c1d15f05b76b4ff24fb2b67ad
2025-02-12 14:48:48 +01:00

612 lines
26 KiB
YAML
Raw Blame History

---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Enable/Disable Telemetry projects
swift_ceilometer_enabled: "{{ (groups['ceilometer_all'] is defined) and (groups['ceilometer_all'] | length > 0) }}"
## Verbosity Options
debug: false
# Set the host which will execute the shade modules
# for the service setup. The host must already have
# clouds.yaml properly configured.
swift_service_setup_host: "{{ openstack_service_setup_host | default('localhost') }}"
swift_service_setup_host_python_interpreter: >-
{{
openstack_service_setup_host_python_interpreter | default(
(swift_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']))
}}
# Set the package install state for distribution packages
# Options are 'present' and 'latest'
swift_package_state: "{{ package_state | default('latest') }}"
# Set installation method.
swift_install_method: "{{ service_install_method | default('source') }}"
swift_venv_python_executable: "{{ openstack_venv_python_executable | default('python3') }}"
# Git repo details for swift
swift_git_repo: https://opendev.org/openstack/swift
swift_git_install_branch: master
swift_upper_constraints_url: >-
{{ requirements_git_url | default('https://releases.openstack.org/constraints/upper/' ~ requirements_git_install_branch | default('master')) }}
swift_git_constraints:
- "--constraint {{ swift_upper_constraints_url }}"
swift_pip_install_args: "{{ pip_install_options | default('') }}"
# Name of the virtual env to deploy into
swift_venv_tag: "{{ venv_tag | default('untagged') }}"
swift_bin: "{{ _swift_bin }}"
# Set the full path to the swift recon cron
recon_cron_path: "{{ swift_bin }}/swift-recon-cron"
## Swift User / Group
swift_system_user_name: swift
swift_system_group_name: swift
swift_system_shell: /bin/bash
swift_system_comment: swift system user
swift_system_home_folder: "/var/lib/{{ swift_system_user_name }}"
swift_system_slice_name: swift
swift_lock_dir: "{{ openstack_lock_dir | default('/run/lock') }}"
swift_cache_path: /var/cache/swift
## Auth token
swift_delay_auth_decision: true
## Swift middleware
# NB: The order is important!
swift_middleware_list:
- catch_errors
- gatekeeper
- healthcheck
- proxy-logging
- "{% if swift_ceilometer_enabled | bool %}ceilometer{% endif %}"
- cache
- container_sync
- bulk
- tempurl
- ratelimit
- authtoken
- keystoneauth
- staticweb
- copy
- container-quotas
- account-quotas
- slo
- dlo
- versioned_writes
- proxy-logging
- proxy-server
# Setup tempauth users list (user_<account>_<username> = <password> <roles>)
swift_tempauth_users:
- "user_admin_admin = admin .admin .reseller_admin"
## Swift default ports
swift_proxy_bind_address: "{{ openstack_service_bind_address | default('0.0.0.0') }}"
swift_proxy_port: "8080"
# You can change the object, container, account ports.
# This will update the ring, on the next playbook run,
# without requiring a rebalance.
# NB: There is service downtime, during the run, between
# the service restart and the ring updating.
swift_object_port: "6000"
swift_container_port: "6001"
swift_account_port: "6002"
# Default swift ring settings:
swift_default_replication_number: 3
swift_default_min_part_hours: 1
swift_default_host_zone: 0
swift_default_host_region: 1
swift_default_drive_weight: 100
## Swift service defaults
swift_service_name: swift
swift_service_user_name: swift
swift_service_project_name: service
swift_service_project_domain_id: "default"
swift_service_project_domain_name: "Default"
swift_service_user_domain_id: "default"
swift_service_role_names:
- admin
- service
swift_service_token_roles:
- service
swift_service_token_roles_required: "{{ openstack_service_token_roles_required | default(True) }}"
swift_service_type: object-store
swift_service_proto: http
swift_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(swift_service_proto) }}"
swift_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(swift_service_proto) }}"
swift_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(swift_service_proto) }}"
swift_service_description: "Object Storage Service"
swift_service_publicuri: "{{ swift_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ swift_proxy_port }}"
swift_service_publicurl: "{{ swift_service_publicuri }}/v1/AUTH_%(tenant_id)s"
swift_service_adminuri: "{{ swift_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ swift_proxy_port }}"
swift_service_adminurl: "{{ swift_service_adminuri }}/v1/AUTH_%(tenant_id)s"
swift_service_internaluri: "{{ swift_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ swift_proxy_port }}"
swift_service_internalurl: "{{ swift_service_internaluri }}/v1/AUTH_%(tenant_id)s"
swift_service_region: "{{ service_region | default('RegionOne') }}"
statsd_host:
statsd_port: 8125
statsd_default_sample_rate: 1.0
statsd_sample_rate_factor: 1.0
statsd_metric_prefix:
# Set the file limits
swift_hard_open_file_limits: 10240
swift_soft_open_file_limits: 4096
swift_max_file_limits: "{{ swift_hard_open_file_limits * 24 }}"
## Keystone authentication middleware
swift_keystone_auth_plugin: "{{ swift_keystone_auth_type }}"
swift_keystone_auth_type: "password"
swift_dispersion_user: dispersion
swift_dispersion_user_domain_name: "Default"
swift_operator_role: swiftoperator
swift_allow_versions: true
# This will allow all users to create containers and upload to swift if set to True
swift_allow_all_users: false
# If you want to regenerate the swift keys, on a run, for rsync purposes set this var to True
# otherwise keys will be generated on the first run and not regenerated each run.
swift_recreate_keys: false
swift_sorting_method: shuffle
# Set the fallocate_reserve value which will reserve space and fail on PUTs above this value in bytes (Default 10GB)
swift_fallocate_reserve: "1%"
swift_account_fallocate_reserve: "{{ swift_fallocate_reserve }}"
swift_container_fallocate_reserve: "{{ swift_fallocate_reserve }}"
swift_object_fallocate_reserve: "{{ swift_fallocate_reserve }}"
# Set this to true to disable fallocate
swift_disable_fallocate: false
swift_account_disable_fallocate: "{{ swift_disable_fallocate }}"
swift_container_disable_fallocate: "{{ swift_disable_fallocate }}"
swift_object_disable_fallocate: "{{ swift_disable_fallocate }}"
# This variable will protect against changing swift_hash_path_* variables unintentionally.
# If you wish to change them intentionally set the swift_force_change_hashes variable to True.
swift_force_change_hashes: false
## Swift ceilometer variables
swift_reselleradmin_role: ResellerAdmin
## Oslo Messaging
# Notify
swift_oslomsg_notify_policies: []
swift_oslomsg_notify_host_group: "{{ oslomsg_notify_host_group | default('rabbitmq_all') }}"
swift_oslomsg_notify_setup_host: "{{ (swift_oslomsg_notify_host_group in groups) | ternary(groups[swift_oslomsg_notify_host_group][0], 'localhost') }}"
swift_oslomsg_notify_transport: "{{ oslomsg_notify_transport | default('rabbit') }}"
swift_oslomsg_notify_servers: "{{ oslomsg_notify_servers | default('127.0.0.1') }}"
swift_oslomsg_notify_port: "{{ oslomsg_notify_port | default('5672') }}"
swift_oslomsg_notify_use_ssl: "{{ oslomsg_notify_use_ssl | default(False) }}"
swift_oslomsg_notify_userid: swift
swift_oslomsg_notify_vhost:
- name: /swift
state: "{{ swift_oslomsg_rabbit_quorum_queues | ternary('absent', 'present') }}"
- name: swift
state: "{{ swift_oslomsg_rabbit_quorum_queues | ternary('present', 'absent') }}"
swift_oslomsg_notify_ssl_version: "{{ oslomsg_notify_ssl_version | default('TLSv1_2') }}"
swift_oslomsg_notify_ssl_ca_file: "{{ oslomsg_notify_ssl_ca_file | default('') }}"
swift_oslomsg_rabbit_quorum_queues: "{{ oslomsg_rabbit_quorum_queues | default(True) }}"
swift_oslomsg_rabbit_quorum_delivery_limit: "{{ oslomsg_rabbit_quorum_delivery_limit | default(0) }}"
swift_oslomsg_rabbit_quorum_max_memory_bytes: "{{ oslomsg_rabbit_quorum_max_memory_bytes | default(0) }}"
## General Swift configuration
# We are not capping the default value for these swift variables which define
# the number of worker threads for each of the swift services (except the swift
# proxy workers when proxy is in a container) because of the performace impact
# that may be seen due to capping worker threads for swift services.
# We would like to calculate the default value using vCPUs for good performance
# of swift services.
# If ``swift_account_server_replicator_workers`` is unset the system will use half the number
# of available VCPUS to compute the number of api workers to use.
# swift_account_server_replicator_workers: 16
# If ``swift_server_replicator_workers`` is unset the system will use half the number
# of available VCPUS to compute the number of api workers to use.
# swift_server_replicator_workers: 16
# If ``swift_object_replicator_workers`` is unset the system will use half the number
# of available VCPUS to compute the number of api workers to use.
# swift_object_replicator_workers: 16
# If ``swift_account_server_workers`` is unset the system will use half the number
# of available VCPUS to compute the number of api workers to use.
# swift_account_server_workers: 16
# If ``swift_container_server_workers`` is unset the system will use half the number
# of available VCPUS to compute the number of api workers to use.
# swift_container_server_workers: 16
# If ``swift_object_server_workers`` is unset the system will use half the number
# of available VCPUS to compute the number of api workers to use.
# swift_object_server_workers: 16
# If ``swift_proxy_server_workers`` is unset the system will use half the number
# of available VCPUS to compute the number of api workers to use. Capping this
# value at 16 if the swift proxy is in a container and user did not define
# this variable.
swift_proxy_server_workers_max: 16
swift_proxy_server_workers_not_capped: "{{ [(ansible_facts['processor_vcpus'] // ansible_facts['processor_threads_per_core']) | default(1), 1] | max * 2 }}"
swift_proxy_server_workers_capped: "{{ [swift_proxy_server_workers_max, swift_proxy_server_workers_not_capped | int] | min }}"
swift_proxy_server_workers: "{{ (inventory_hostname == physical_host) | ternary(swift_proxy_server_workers_not_capped, swift_proxy_server_workers_capped) }}"
# These are the storage addresses used to define the networks for swift storage and replication
# These are calculated by the tasks based on the "storage_network" and "replication_network" values
# set in the swift variables, if you set these per host the value won't be calculated.
# Setting swift_vars.storage_ip or swift_vars.repl_ip will take precedence.
# If none are set it will default to the "ansible_host" value.
# swift_storage_address: 127.0.0.1
# swift_replication_address: 127.0.0.1
# This var is calculated by the play itself, and should not need to be set
# It is defaulted for the benefit of the swift_proxy host which needs it
# for the swift-init-systemd.j2 template file.
swift_dedicated_replication: false
swift_service_in_ldap: "{{ service_ldap_backend_enabled | default(False) }}"
# Basic swift configuration for the cluster
swift: {}
swift_vars: {}
swift_proxy_vars: {}
# Example basic swift configuration for the cluster
# swift:
# part_power: 8
# storage_network: 'br-storage'
# replication_network: 'br-storage'
# drives:
# - name: swift1.img
# - name: swift2.img
# - name: swift3.img
# mount_point: /srv
# storage_policies:
# - policy:
# name: default
# index: 0
# default: True
# Set rsync max_connections vars
swift_max_rsync_connections: 4
swift_account_max_rsync_connections: "{{ swift_max_rsync_connections }}"
swift_container_max_rsync_connections: "{{ swift_max_rsync_connections }}"
swift_object_max_rsync_connections: "{{ swift_max_rsync_connections }}"
# Set Swift to use rsync module per object server drive
swift_rsync_module_per_drive: false
# Set Swift to use reverse lookup - requires name resolution or hosts entries
swift_rsync_reverse_lookup: false
# Set the managed regions as a list of swift regions to manage
# Use for global clusters, default when not set is all regions.
# swift_managed_regions:
# - 1
# - 2
# swift_do_setup and swift_do_sync control which parts of the swift
# role get run. You should never need to adjust these, they are set
# within the swift-setup and swift-sync roles to ensure only the
# appropriate tasks within the os-swift role are run.
swift_do_setup: true
swift_do_sync: true
# Example swift_container_sync_realms to specify container_sync realms
# This can exist for multiple realms (in a list)
# swift_container_sync_realms:
# - name: realm1
# # You may want to put swift_realm_keyx in user_secrets.yml or ansible-vault
# # Otherwise specify it manually below.
# key1: {{ swift_realm_key1 }}
# # key2 is optional and used for rotating/deprecated keys
# key2: {{ swift_realm_key2 }}
# clustername1: https://<cluster1-ip>/v1
# clustername2: https://<cluster2-ip>/v1
swift_pip_packages:
- ceilometermiddleware
- cryptography
- dnspython
- ecdsa
- keystonemiddleware
- osprofiler
- pyeclib
- python-keystoneclient
- pymemcache
- python-memcached
- python-swiftclient
- "git+{{ swift_git_repo }}@{{ swift_git_install_branch }}#egg=swift"
- systemd-python
# Memcached override
swift_memcached_servers: "{{ memcached_servers }}"
swift_account_replicator_init_overrides: {}
swift_account_replicator_server_init_overrides: {}
swift_account_server_init_overrides: {}
swift_account_auditor_init_overrides: {}
swift_account_reaper_init_overrides: {}
swift_container_replicator_init_overrides: {}
swift_container_replicator_server_init_overrides: {}
swift_container_server_init_overrides: {}
swift_container_auditor_init_overrides: {}
swift_container_sync_init_overrides: {}
swift_container_updater_init_overrides: {}
swift_container_reconciler_init_overrides: {}
swift_object_replicator_init_overrides: {}
swift_object_replicator_server_init_overrides: {}
swift_object_server_init_overrides: {}
swift_object_auditor_init_overrides: {}
swift_object_updater_init_overrides: {}
swift_object_expirer_init_overrides: {}
swift_object_reconstructor_init_overrides: {}
swift_proxy_server_init_overrides: {}
# Default options applied to all swift service units
swift_service_defaults:
Service:
LimitNOFILE: "{{ swift_soft_open_file_limits }}:{{ swift_hard_open_file_limits }}"
Environment:
? "PYPY_GC_MIN={{ swift_pypy_gc_min }}"
? "PYPY_GC_MAX={{ swift_pypy_gc_max }}"
swift_services:
swift-proxy-server:
group: swift_proxy
service_name: "swift-proxy-server"
execstarts: "{{ swift_bin }}/swift-proxy-server /etc/swift/proxy-server/proxy-server.conf"
init_config_overrides: "{{ swift_proxy_server_init_overrides }}"
start_order: 1
swift-account-server:
group: swift_acc
service_name: "swift-account-server"
execstarts: "{{ swift_bin }}/swift-account-server /etc/swift/account-server/account-server.conf"
init_config_overrides: "{{ swift_account_server_init_overrides }}"
start_order: 2
swift-account-replicator-server:
group: swift_acc
service_name: "swift-account-replicator-server"
execstarts: "{{ swift_bin }}/swift-account-server /etc/swift/account-server/account-server-replicator.conf"
service_en: "{{ swift_dedicated_replication | bool }}"
init_config_overrides: "{{ swift_account_replicator_server_init_overrides }}"
start_order: 3
swift-container-server:
group: swift_cont
service_name: swift-container-server
execstarts: "{{ swift_bin }}/swift-container-server /etc/swift/container-server/container-server.conf"
init_config_overrides: "{{ swift_container_server_init_overrides }}"
start_order: 4
swift-container-replicator-server:
group: swift_cont
service_name: "swift-container-replicator-server"
execstarts: "{{ swift_bin }}/swift-container-server /etc/swift/container-server/container-server-replicator.conf"
service_en: "{{ swift_dedicated_replication | bool }}"
init_config_overrides: "{{ swift_container_replicator_server_init_overrides }}"
start_order: 5
swift-object-server:
group: swift_obj
service_name: swift-object-server
execstarts: "{{ swift_bin }}/swift-object-server /etc/swift/object-server/object-server.conf"
init_config_overrides: "{{ swift_object_server_init_overrides }}"
start_order: 6
swift-object-replicator-server:
group: swift_obj
service_name: "swift-object-replicator-server"
execstarts: "{{ swift_bin }}/swift-object-server /etc/swift/object-server/object-server-replicator.conf"
service_en: "{{ swift_dedicated_replication | bool }}"
init_config_overrides: "{{ swift_object_replicator_server_init_overrides }}"
start_order: 7
swift-account-auditor:
group: swift_acc
service_name: swift-account-auditor
execstarts: >-
{{ swift_bin }}/swift-account-auditor {{ swift_dedicated_replication | ternary(
'/etc/swift/account-server/account-server-replicator.conf', '/etc/swift/account-server/account-server.conf'
) }}
init_config_overrides: "{{ swift_account_auditor_init_overrides }}"
start_order: 8
swift-account-reaper:
group: swift_acc
service_name: swift-account-reaper
execstarts: "{{ swift_bin }}/swift-account-reaper /etc/swift/account-server/account-server.conf"
init_config_overrides: "{{ swift_account_reaper_init_overrides }}"
start_order: 9
swift-account-replicator:
group: swift_acc
service_name: swift-account-replicator
execstarts: >-
{{ swift_bin }}/swift-account-replicator {{ swift_dedicated_replication | ternary(
'/etc/swift/account-server/account-server-replicator.conf', '/etc/swift/account-server/account-server.conf'
) }}
init_config_overrides: "{{ swift_account_replicator_init_overrides }}"
start_order: 10
swift-container-auditor:
group: swift_cont
service_name: "swift-container-auditor"
execstarts: >-
{{ swift_bin }}/swift-container-auditor {{ swift_dedicated_replication | ternary(
'/etc/swift/container-server/container-server-replicator.conf', '/etc/swift/container-server/container-server.conf'
) }}
init_config_overrides: "{{ swift_container_auditor_init_overrides }}"
start_order: 11
swift-container-reconciler:
group: swift_cont
service_name: "swift-container-reconciler"
execstarts: "{{ swift_bin }}/swift-container-reconciler /etc/swift/container-server/container-reconciler.conf"
init_config_overrides: "{{ swift_container_reconciler_init_overrides }}"
start_order: 12
swift-container-replicator:
group: swift_cont
service_name: "swift-container-replicator"
execstarts: >-
{{ swift_bin }}/swift-container-replicator {{ swift_dedicated_replication | ternary(
'/etc/swift/container-server/container-server-replicator.conf', '/etc/swift/container-server/container-server.conf'
) }}
init_config_overrides: "{{ swift_container_replicator_init_overrides }}"
start_order: 13
swift-container-sync:
group: swift_cont
service_name: "swift-container-sync"
execstarts: "{{ swift_bin }}/swift-container-sync /etc/swift/container-server/container-server.conf"
init_config_overrides: "{{ swift_container_sync_init_overrides }}"
start_order: 14
swift-container-updater:
group: swift_cont
service_name: "swift-container-updater"
execstarts: "{{ swift_bin }}/swift-container-updater /etc/swift/container-server/container-server.conf"
init_config_overrides: "{{ swift_container_updater_init_overrides }}"
start_order: 15
swift-object-auditor:
group: swift_obj
service_name: "swift-object-auditor"
execstarts: >-
{{ swift_bin }}/swift-object-auditor {{ swift_dedicated_replication | ternary(
'/etc/swift/object-server/object-server-replicator.conf', '/etc/swift/object-server/object-server.conf'
) }}
init_config_overrides: "{{ swift_object_auditor_init_overrides }}"
start_order: 16
swift-object-expirer:
group: swift_obj
service_name: "swift-object-expirer"
execstarts: "{{ swift_bin }}/swift-object-expirer /etc/swift/object-server/object-expirer.conf"
init_config_overrides: "{{ swift_object_expirer_init_overrides }}"
start_order: 17
swift-object-reconstructor:
group: swift_obj
service_name: "swift-object-reconstructor"
execstarts: >-
{{ swift_bin }}/swift-object-reconstructor {{ swift_dedicated_replication | ternary(
'/etc/swift/object-server/object-server-replicator.conf', '/etc/swift/object-server/object-server.conf'
) }}
init_config_overrides: "{{ swift_object_reconstructor_init_overrides }}"
start_order: 18
swift-object-replicator:
group: swift_obj
service_name: "swift-object-replicator"
execstarts: >-
{{ swift_bin }}/swift-object-replicator {{ swift_dedicated_replication | ternary(
'/etc/swift/object-server/object-server-replicator.conf', '/etc/swift/object-server/object-server.conf'
) }}
init_config_overrides: "{{ swift_object_replicator_init_overrides }}"
start_order: 19
swift-object-updater:
group: swift_obj
service_name: "swift-object-updater"
execstarts: "{{ swift_bin }}/swift-object-updater /etc/swift/object-server/object-server.conf"
init_config_overrides: "{{ swift_object_updater_init_overrides }}"
start_order: 20
# Set to True to reset the clock on the last time a rebalance happened,
# circumventing the min_part_hours check.
# USE WITH EXTREME CAUTION
# If you run the swift playbook with this option enabled, before a swift
# replication pass completes, you may introduce unavailability in your
# cluster. This has an end-user impact.
swift_pretend_min_part_hours_passed: false
# Set this option to enable or disable the pypy interpreter for swift
swift_pypy_enabled: false
swift_pypy_archive:
url: "https://bitbucket.org/pypy/pypy/downloads/pypy2-v5.9.0-linux64.tar.bz2"
checksum: "sha256:790febd4f09e22d6e2f81154efc7dc4b2feec72712aaf4f82aa91b550abb4b48"
swift_pypy_version: "{{ swift_pypy_archive['url'] | basename | replace('.tar.bz2', '') }}"
swift_pypy_env: "/opt/pypy-runtime/{{ swift_pypy_version }}/bin/pypy"
# Set the Garbage Collection (GC) options for pypy if you would like to tune these
# More info on pypy garbage collection can be found here:
# http://doc.pypy.org/en/latest/gc_info.html
swift_pypy_gc_min: "15M"
swift_pypy_gc_max: "1GB"
## Tunable overrides
swift_swift_conf_overrides: {}
swift_swift_dispersion_conf_overrides: {}
swift_proxy_server_conf_overrides: {}
swift_account_server_conf_overrides: {}
swift_account_server_replicator_conf_overrides: {}
swift_container_server_conf_overrides: {}
swift_container_reconciler_conf_overrides: {}
swift_container_server_replicator_conf_overrides: {}
swift_container_sync_realms_conf_overrides: {}
swift_drive_audit_conf_overrides: {}
swift_internal_client_conf_overrides: {}
swift_object_server_conf_overrides: {}
swift_object_expirer_conf_overrides: {}
swift_object_server_replicator_conf_overrides: {}
swift_memcache_conf_overrides: {}
###
### Backend TLS
###
# Define if communication between haproxy and service backends should be
# encrypted with TLS.
# `openstack_service_backend_ssl` is not taken into account
# because TLS in swift-proxy is only for testing purposes:
# https://opendev.org/openstack/swift/src/commit/c78a5962b5f6c9e75f154cac924a226815236e98/etc/proxy-server.conf-sample
swift_backend_ssl: false
# Storage location for SSL certificate authority
swift_pki_dir: "{{ openstack_pki_dir | default('/etc/openstack_deploy/pki') }}"
# Delegated host for operating the certificate authority
swift_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
# swift server certificate
swift_pki_keys_path: "{{ swift_pki_dir ~ '/certs/private/' }}"
swift_pki_certs_path: "{{ swift_pki_dir ~ '/certs/certs/' }}"
swift_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name | default('ExampleCorpIntermediate') }}"
swift_pki_regen_cert: ""
swift_pki_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}"
swift_pki_certificates:
- name: "swift_{{ ansible_facts['hostname'] }}"
provider: ownca
cn: "{{ ansible_facts['hostname'] }}"
san: "{{ swift_pki_san }}"
signed_by: "{{ swift_pki_intermediate_cert_name }}"
# swift destination files for SSL certificates
swift_ssl_cert: /etc/swift/swift.pem
swift_ssl_key: /etc/swift/swift.key
# Installation details for SSL certificates
swift_pki_install_certificates:
- src: "{{ swift_user_ssl_cert | default(swift_pki_certs_path ~ 'swift_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
dest: "{{ swift_ssl_cert }}"
owner: "{{ swift_system_user_name }}"
group: "{{ swift_system_user_name }}"
mode: "0644"
- src: "{{ swift_user_ssl_key | default(swift_pki_keys_path ~ 'swift_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
dest: "{{ swift_ssl_key }}"
owner: "{{ swift_system_user_name }}"
group: "{{ swift_system_user_name }}"
mode: "0600"
# Define user-provided SSL certificates
# swift_user_ssl_cert: <path to cert on ansible deployment host>
# swift_user_ssl_key: <path to cert on ansible deployment host>
swift_sysctl_file: "{{ openstack_sysctl_file | default('/etc/sysctl.conf') }}"
View Git Blame Copy Permalink