Implement key rotation for ceph-fs (Quincy)
This patchset implements key rotation for the ceph-fs charm by receiving the new pending key from the ceph-mon charm and manually rotating it via Ceph's authtool. It makes use of the 'ceph-mds-relation-changed' hook for this. Change-Id: Ie0a431235fa6d2c74709f9b6c52ce16557990067
parent
968255572d
commit
c2bdac4cbb
|
@ -2,10 +2,12 @@ type: charm
|
||||||
|
|
||||||
parts:
|
parts:
|
||||||
charm:
|
charm:
|
||||||
|
charm-entrypoint: "hooks/install"
|
||||||
build-packages:
|
build-packages:
|
||||||
- tox
|
- tox
|
||||||
- git
|
- git
|
||||||
- python3-dev
|
- python3-dev
|
||||||
|
- libffi-dev
|
||||||
override-build: |
|
override-build: |
|
||||||
apt-get install ca-certificates -y
|
apt-get install ca-certificates -y
|
||||||
tox -e build-reactive
|
tox -e build-reactive
|
||||||
|
@ -31,9 +33,9 @@ bases:
|
||||||
- name: ubuntu
|
- name: ubuntu
|
||||||
channel: "22.04"
|
channel: "22.04"
|
||||||
architectures: [amd64, s390x, ppc64el, arm64]
|
architectures: [amd64, s390x, ppc64el, arm64]
|
||||||
- name: ubuntu
|
|
||||||
channel: "22.10"
|
|
||||||
architectures: [amd64, s390x, ppc64el, arm64]
|
|
||||||
- name: ubuntu
|
- name: ubuntu
|
||||||
channel: "23.04"
|
channel: "23.04"
|
||||||
architectures: [amd64, s390x, ppc64el, arm64]
|
architectures: [amd64, s390x, ppc64el, arm64]
|
||||||
|
- name: ubuntu
|
||||||
|
channel: "23.10"
|
||||||
|
architectures: [amd64, s390x, ppc64el, arm64]
|
||||||
|
|
|
@ -8,16 +8,13 @@
|
||||||
# requirements.txt
|
# requirements.txt
|
||||||
setuptools<50.0.0 # https://github.com/pypa/setuptools/commit/04e3df22df840c6bb244e9b27bc56750c44b7c85
|
setuptools<50.0.0 # https://github.com/pypa/setuptools/commit/04e3df22df840c6bb244e9b27bc56750c44b7c85
|
||||||
|
|
||||||
# Build requirements
|
# NOTE: newer versions of cryptography require a Rust compiler to build,
|
||||||
cffi==1.14.6; python_version < '3.6' # cffi 1.15.0 drops support for py35.
|
# see
|
||||||
charm-tools==2.8.4
|
# * https://github.com/openstack-charmers/zaza/issues/421
|
||||||
|
# * https://mail.python.org/pipermail/cryptography-dev/2021-January/001003.html
|
||||||
|
#
|
||||||
|
cryptography<3.4
|
||||||
|
|
||||||
|
git+https://github.com/juju/charm-tools.git
|
||||||
|
|
||||||
simplejson
|
simplejson
|
||||||
|
|
||||||
# Newer versions use keywords that didn't exist in python 3.5 yet (e.g.
|
|
||||||
# "ModuleNotFoundError")
|
|
||||||
# NOTE(lourot): This might look like a duplication of test-requirements.txt but
|
|
||||||
# some tox targets use only test-requirements.txt whereas charm-build uses only
|
|
||||||
# requirements.txt
|
|
||||||
importlib-metadata<3.0.0; python_version < '3.6'
|
|
||||||
importlib-resources<3.0.0; python_version < '3.6'
|
|
||||||
|
|
|
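Review bot: The replacement of `charm-tools==2.8.4` with `git+https://github.com/juju/charm-tools.git` carries no tag or commit ref, so each build resolves whatever the repository's default branch points at: builds stop being reproducible and any upstream push changes the charm build toolchain without review. Pin the ref, e.g. `git+https://github.com/juju/charm-tools.git@<commit-sha>` (placeholder), and record why the pinned PyPI release was dropped. The `cryptography<3.4` cap is justified by the comment block above it, but it holds the build tooling on a release line that no longer receives upstream fixes; if it must stay, a note that it applies only to the build environment and not to the packaged charm would make that trade-off explicit.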
@ -1,4 +1,4 @@
|
||||||
# Copyright 2016 Canonical Ltd
|
# Copyright 2024 Canonical Ltd
|
||||||
#
|
#
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
# you may not use this file except in compliance with the License.
|
# you may not use this file except in compliance with the License.
|
||||||
|
@ -23,6 +23,9 @@ from charmhelpers.core.hookenv import (
|
||||||
import charms_openstack.bus
|
import charms_openstack.bus
|
||||||
import charms_openstack.charm as charm
|
import charms_openstack.charm as charm
|
||||||
|
|
||||||
|
import os
|
||||||
|
import subprocess
|
||||||
|
|
||||||
|
|
||||||
charms_openstack.bus.discover()
|
charms_openstack.bus.discover()
|
||||||
|
|
||||||
|
@ -41,6 +44,9 @@ charm.use_defaults(
|
||||||
def config_changed():
|
def config_changed():
|
||||||
ceph_mds = reactive.endpoint_from_flag('ceph-mds.pools.available')
|
ceph_mds = reactive.endpoint_from_flag('ceph-mds.pools.available')
|
||||||
with charm.provide_charm_instance() as cephfs_charm:
|
with charm.provide_charm_instance() as cephfs_charm:
|
||||||
|
host = cephfs_charm.hostname
|
||||||
|
exists = os.path.exists('/var/lib/ceph/mds/ceph-%s/keyring' % host)
|
||||||
|
|
||||||
cephfs_charm.configure_ceph_keyring(ceph_mds.mds_key())
|
cephfs_charm.configure_ceph_keyring(ceph_mds.mds_key())
|
||||||
cephfs_charm.render_with_interfaces([ceph_mds])
|
cephfs_charm.render_with_interfaces([ceph_mds])
|
||||||
if reactive.is_flag_set('config.changed.source'):
|
if reactive.is_flag_set('config.changed.source'):
|
||||||
|
@ -52,6 +58,22 @@ def config_changed():
|
||||||
reactive.set_flag('config.rendered')
|
reactive.set_flag('config.rendered')
|
||||||
cephfs_charm.assess_status()
|
cephfs_charm.assess_status()
|
||||||
|
|
||||||
|
# If the keyring file existed before this call, then the new
|
||||||
|
# provided key implies a rotation.
|
||||||
|
if exists:
|
||||||
|
svc = 'ceph-mds@%s.service' % host
|
||||||
|
try:
|
||||||
|
# Reset the failure count first, as the service may fail
|
||||||
|
# to come up due to the way the restart-map is handled.
|
||||||
|
subprocess.check_call(['sudo', 'systemctl',
|
||||||
|
'reset-failed', svc])
|
||||||
|
subprocess.check_call(['sudo', 'systemctl', 'restart', svc])
|
||||||
|
except subprocess.CalledProcessError as exc:
|
||||||
|
# The service can be temporarily masked when booting, so
|
||||||
|
# skip that class of errors.
|
||||||
|
ch_core.hookenv.log('Failed to restart MDS service: %s' %
|
||||||
|
str(exc))
|
||||||
|
|
||||||
|
|
||||||
@reactive.when('ceph-mds.connected')
|
@reactive.when('ceph-mds.connected')
|
||||||
def storage_ceph_connected(ceph):
|
def storage_ceph_connected(ceph):
|
||||||
|
|
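Review bot: The restart branch fires whenever the keyring file existed before `configure_ceph_keyring` ran, not only when the key changed, so every run of `config_changed` on a unit that already has a keyring restarts the MDS; the comment "the new provided key implies a rotation" assumes a new key that the code never checks for. Comparing the keyring before and after the write would limit the restart to real rotations, e.g. `before = ch_core.host.file_hash(keyring)` ahead of the call and `if before is not None and before != ch_core.host.file_hash(keyring):` in place of `if exists:`, assuming `ch_core` is bound to `charmhelpers.core` in this module (only `ch_core.hookenv.log` is visible here, while the hunk context imports names from `charmhelpers.core.hookenv` directly). The `except subprocess.CalledProcessError` path logs at the default level, so an MDS that stays down after a rotation leaves only an ordinary log line; `ch_core.hookenv.log('Failed to restart MDS service: %s' % str(exc), level=ch_core.hookenv.WARNING)` makes the failure visible, and the comment's "temporarily masked" explanation covers only one of the possible causes. The `sudo` prefix on the two systemctl calls is presumably redundant, since charm hooks already run as root, and can be dropped.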