Define libvirt secrets from keyring files in ceph_extra_confs
Previously this always required access to the mon_host of the Ceph
cluster to fetch the key for volume access. Now this key can be defined
through Ceph keyring files.
Change-Id: Ib2c755d38038b14ca3803de1bb9cbcec122eaa83
(cherry picked from commit e7ebbeb5da)
|
@ -31,7 +31,7 @@
|
||||||
- item.mon_host is defined
|
- item.mon_host is defined
|
||||||
- item.client_name is defined
|
- item.client_name is defined
|
||||||
|
|
||||||
- name: Distribute extra key files
|
- name: Distribute extra key files from monitor host
|
||||||
copy:
|
copy:
|
||||||
src: "/tmp/{{ item.mon_host }}{{ item.client_name }}.key.tmp"
|
src: "/tmp/{{ item.mon_host }}{{ item.client_name }}.key.tmp"
|
||||||
dest: "/tmp/{{ item.mon_host }}{{ item.client_name }}.key.tmp"
|
dest: "/tmp/{{ item.mon_host }}{{ item.client_name }}.key.tmp"
|
||||||
|
@ -40,6 +40,16 @@
|
||||||
- item.mon_host is defined
|
- item.mon_host is defined
|
||||||
- item.client_name is defined
|
- item.client_name is defined
|
||||||
|
|
||||||
|
- name: Create extra key files from keyring files
|
||||||
|
copy:
|
||||||
|
src: "{{ item.keyring_src }}"
|
||||||
|
dest: "/tmp/{{ item.secret_uuid }}{{ item.client_name }}.key.tmp"
|
||||||
|
with_items: "{{ ceph_extra_confs }}"
|
||||||
|
when:
|
||||||
|
- item.keyring_src is defined
|
||||||
|
- item.client_name is defined
|
||||||
|
- item.secret_uuid is defined
|
||||||
|
|
||||||
- name: Remove temp extra key files
|
- name: Remove temp extra key files
|
||||||
file:
|
file:
|
||||||
path: "/etc/ceph/{{ ceph_cluster_name }}.client.{{ item.client_name }}.key.tmp"
|
path: "/etc/ceph/{{ ceph_cluster_name }}.client.{{ item.client_name }}.key.tmp"
|
||||||
|
@ -54,12 +64,11 @@
|
||||||
- name: Provide extra xml files to create the secrets
|
- name: Provide extra xml files to create the secrets
|
||||||
template:
|
template:
|
||||||
src: secret.xml.j2
|
src: secret.xml.j2
|
||||||
dest: /tmp/{{ item.mon_host }}{{ item.client_name }}-secret.xml
|
dest: /tmp/{{ item.secret_uuid }}{{ item.client_name }}-secret.xml
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
with_items: "{{ ceph_extra_confs }}"
|
with_items: "{{ ceph_extra_confs }}"
|
||||||
when:
|
when:
|
||||||
- item.client_name is defined
|
- item.client_name is defined
|
||||||
- item.mon_host is defined
|
|
||||||
- item.secret_uuid is defined
|
- item.secret_uuid is defined
|
||||||
|
|
||||||
- name: Check if extra secret(s) are defined in libvirt pt1
|
- name: Check if extra secret(s) are defined in libvirt pt1
|
||||||
|
@ -84,14 +93,13 @@
|
||||||
- always
|
- always
|
||||||
|
|
||||||
- name: Define libvirt nova extra secret(s)
|
- name: Define libvirt nova extra secret(s)
|
||||||
command: "virsh secret-define --file /tmp/{{ item.mon_host }}{{ item.client_name }}-secret.xml"
|
command: "virsh secret-define --file /tmp/{{ item.secret_uuid }}{{ item.client_name }}-secret.xml"
|
||||||
changed_when: false
|
changed_when: false
|
||||||
loop: "{{ ceph_extra_confs }}"
|
loop: "{{ ceph_extra_confs }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
index_var: index
|
index_var: index
|
||||||
when:
|
when:
|
||||||
- "'client_name' in item"
|
- "'client_name' in item"
|
||||||
- "'mon_host' in item"
|
|
||||||
- "'secret_uuid' in item"
|
- "'secret_uuid' in item"
|
||||||
- item.secret_uuid not in libvirt_secret_exists.results[index].stdout_lines
|
- item.secret_uuid not in libvirt_secret_exists.results[index].stdout_lines
|
||||||
notify:
|
notify:
|
||||||
|
@ -117,7 +125,7 @@
|
||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
- name: Set extra secret value(s) in libvirt
|
- name: Set extra secret value(s) in libvirt from monitor host
|
||||||
shell: "virsh secret-set-value --secret {{ item.secret_uuid }} --base64 $(cat /tmp/{{ item.mon_host }}{{ item.client_name }}.key.tmp)"
|
shell: "virsh secret-set-value --secret {{ item.secret_uuid }} --base64 $(cat /tmp/{{ item.mon_host }}{{ item.client_name }}.key.tmp)"
|
||||||
loop: "{{ ceph_extra_confs }}"
|
loop: "{{ ceph_extra_confs }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
|
@ -130,6 +138,19 @@
|
||||||
notify:
|
notify:
|
||||||
- Restart os services
|
- Restart os services
|
||||||
|
|
||||||
|
- name: Set extra secret value(s) in libvirt from keyring
|
||||||
|
shell: "virsh secret-set-value --secret {{ item.secret_uuid }} --base64 $(awk '/key = /{print $3}' /tmp/{{ item.secret_uuid }}{{ item.client_name }}.key.tmp)"
|
||||||
|
loop: "{{ ceph_extra_confs }}"
|
||||||
|
loop_control:
|
||||||
|
index_var: index
|
||||||
|
when:
|
||||||
|
- "'client_name' in item"
|
||||||
|
- "'keyring_src' in item"
|
||||||
|
- "'secret_uuid' in item"
|
||||||
|
- item.secret_uuid not in libvirt_secret_value_exists.results[index].stdout_lines
|
||||||
|
notify:
|
||||||
|
- Restart os services
|
||||||
|
|
||||||
# Cleanup temp files
|
# Cleanup temp files
|
||||||
- name: Remove libvirt nova secret detection file
|
- name: Remove libvirt nova secret detection file
|
||||||
file:
|
file:
|
||||||
|
@ -153,7 +174,18 @@
|
||||||
|
|
||||||
- name: Remove libvirt nova secret file
|
- name: Remove libvirt nova secret file
|
||||||
file:
|
file:
|
||||||
path: "/tmp/{{ item.mon_host }}{{ item.client_name }}-secret.xml"
|
path: "/tmp/{{ item.secret_uuid }}{{ item.client_name }}-secret.xml"
|
||||||
|
state: "absent"
|
||||||
|
with_items: "{{ ceph_extra_confs }}"
|
||||||
|
when:
|
||||||
|
- item.secret_uuid is defined
|
||||||
|
- item.client_name is defined
|
||||||
|
tags:
|
||||||
|
- always
|
||||||
|
|
||||||
|
- name: Remove libvirt key file from monitor host
|
||||||
|
file:
|
||||||
|
path: "/tmp/{{ item.mon_host }}{{ item.client_name }}.key.tmp"
|
||||||
state: "absent"
|
state: "absent"
|
||||||
with_items: "{{ ceph_extra_confs }}"
|
with_items: "{{ ceph_extra_confs }}"
|
||||||
when:
|
when:
|
||||||
|
@ -162,13 +194,13 @@
|
||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
- name: Remove libvirt key file
|
- name: Remove libvirt key file from keyring
|
||||||
file:
|
file:
|
||||||
path: "/tmp/{{ item.mon_host }}{{ item.client_name }}.key.tmp"
|
path: "/tmp/{{ item.secret_uuid }}{{ item.client_name }}.key.tmp"
|
||||||
state: "absent"
|
state: "absent"
|
||||||
with_items: "{{ ceph_extra_confs }}"
|
with_items: "{{ ceph_extra_confs }}"
|
||||||
when:
|
when:
|
||||||
- item.mon_host is defined
|
- item.secret_uuid is defined
|
||||||
- item.client_name is defined
|
- item.client_name is defined
|
||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
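Review bot: The new `Create extra key files from keyring files` task in hunk `@ -40,6 +40,16 @@` copies the keyring to `/tmp/{{ item.secret_uuid }}{{ item.client_name }}.key.tmp` without a `mode:`, so the Ceph key sits in /tmp with the copy module's default permissions (derived from the remote umask, commonly world-readable) until the cleanup task runs, whereas the sibling secret.xml template task in this file sets `mode: "0600"`; add `mode: "0600"` under that `copy:`. In hunk `@ -130,6 +138,19 @@`, `awk '/key = /{print $3}'` prints one value per matching line, so a keyring file containing more than one entity would hand several space-separated keys to `virsh secret-set-value`; `awk '/key = /{print $3; exit}'` pins it to the first entry. Both shell variants also place the key on the virsh command line through `$(...)`, where it is briefly visible in the process table; that is inherited from the existing mon_host task rather than introduced here, but worth a comment above the task. The `when:` block of the new `Remove libvirt key file from monitor host` task continues outside hunk `@ -153,7 +174,18 @@`.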