Migrate ceph keyring creation to kolla_ceph_keyring module
In this way, keyring caps are updatable. Change-Id: Idf7f222645b5073e2c72d59eecf3d47b3f1dc6ba
This commit is contained in:
parent
716a428c62
commit
3397668d10
@ -46,6 +46,16 @@ ceph_client_admin_keyring_caps:
|
||||
osd: "allow *"
|
||||
mgr: "allow *"
|
||||
|
||||
ceph_client_mgr_keyring_caps:
|
||||
mon: 'allow profile mgr'
|
||||
osd: 'allow *'
|
||||
mds: 'allow *'
|
||||
|
||||
ceph_client_mds_keyring_caps:
|
||||
mds: 'allow '
|
||||
osd: 'allow *'
|
||||
mon: 'allow rwx'
|
||||
|
||||
partition_name_osd_bootstrap: "{{ 'KOLLA_CEPH_OSD_BOOTSTRAP_BS' if ceph_osd_store_type == 'bluestore' else 'KOLLA_CEPH_OSD_BOOTSTRAP' }}"
|
||||
partition_name_cache_bootstrap: "{{ 'KOLLA_CEPH_OSD_CACHE_BOOTSTRAP_BS' if ceph_osd_store_type == 'bluestore' else 'KOLLA_CEPH_OSD_CACHE_BOOTSTRAP' }}"
|
||||
partition_name_osd_data: "{{ 'KOLLA_CEPH_BSDATA' if ceph_osd_store_type == 'bluestore' else 'KOLLA_CEPH_DATA' }}"
|
||||
|
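Review bot: `mds: 'allow '` in the new ceph_client_mds_keyring_caps mapping carries a trailing space inside the quotes, and the block mixes `"allow *"` (admin caps on the context lines above) with `'allow *'` in the new mgr/mds mappings. The trailing space is carried over verbatim from the old `mds 'allow '` command argument, so it may well be accepted by Ceph's cap parser, but now that the value is data rather than a shell word it reads like a typo; if it is intentional a short comment saying so would help, otherwise `mds: 'allow'`. Using one quote style for all three cap mappings would also make the file easier to scan.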
@ -20,17 +20,20 @@
|
||||
pool_pgp_num: "{{ cephfs_metadata_pool_pgp_num }}"
|
||||
|
||||
- name: Geting ceph mds keyring
|
||||
command: docker exec ceph_mon ceph auth get-or-create mds.{{ hostvars[item]['inventory_hostname'] }} mds 'allow ' osd 'allow *' mon 'allow rwx'
|
||||
kolla_ceph_keyring:
|
||||
name: "mds.{{ hostvars[item]['inventory_hostname'] }}"
|
||||
caps: "{{ ceph_client_mds_keyring_caps }}"
|
||||
register: ceph_mds_auth
|
||||
run_once: true
|
||||
delegate_to: "{{ groups['ceph-mon'][0] }}"
|
||||
changed_when: false
|
||||
with_items: "{{ groups['ceph-mds'] }}"
|
||||
|
||||
- name: Pushing ceph mds keyring to ceph-mds
|
||||
become: true
|
||||
copy:
|
||||
content: "{{ item.stdout }}\n"
|
||||
content: |
|
||||
[mds.{{ item.item }}]
|
||||
key = {{ item.keyring.key }}
|
||||
dest: "{{ node_config_directory }}/ceph-mds/ceph.mds.{{ inventory_hostname }}.keyring"
|
||||
mode: 0600
|
||||
when:
|
||||
|
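Review bot: `changed_when: false` on the new kolla_ceph_keyring task means the play can never report that it changed a keyring, yet the commit's stated purpose is that caps become updatable through this module. If the module returns a meaningful `changed` (I cannot confirm that from the hunk), the line should be dropped so a cap update shows up in the play recap; if it does not, that is where the fix belongs rather than masking it here. The same `changed_when: false`/`False` line follows the module call in the mgr, cinder (both tasks), glance, gnocchi, manila and nova hunks. The task name `Geting ceph mds keyring` on the context line above also has a typo.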
@ -1,16 +1,19 @@
|
||||
---
|
||||
- name: Getting ceph mgr keyring
|
||||
command: docker exec ceph_mon ceph auth get-or-create mgr.{{ item }} mon 'allow profile mgr' osd 'allow *' mds 'allow *'
|
||||
kolla_ceph_keyring:
|
||||
name: "mgr.{{ item }}"
|
||||
caps: "{{ ceph_client_mgr_keyring_caps }}"
|
||||
register: ceph_mgr_keyring
|
||||
run_once: true
|
||||
delegate_to: "{{ groups['ceph-mon'][0] }}"
|
||||
changed_when: false
|
||||
with_items: "{{ groups['ceph-mgr'] }}"
|
||||
|
||||
- name: Pushing ceph mgr keyring to ceph-mgr
|
||||
become: true
|
||||
copy:
|
||||
content: "{{ item.stdout }}\n"
|
||||
content: |
|
||||
[mgr.{{ item.item }}]
|
||||
key = {{ item.keyring.key }}
|
||||
dest: "{{ node_config_directory }}/ceph-mgr/ceph.mgr.{{ inventory_hostname }}.keyring"
|
||||
mode: 0600
|
||||
when:
|
||||
|
@ -77,6 +77,24 @@ cinder_backup_cache_mode: "{{ ceph_cinder_backup_cache_mode }}"
|
||||
cinder_backup_pool_pg_num: "{{ ceph_pool_pg_num }}"
|
||||
cinder_backup_pool_pgp_num: "{{ ceph_pool_pgp_num }}"
|
||||
|
||||
ceph_client_cinder_keyring_caps:
|
||||
mon: 'allow r'
|
||||
osd: >-
|
||||
allow class-read object_prefix rbd_children,
|
||||
allow rwx pool={{ ceph_cinder_pool_name }},
|
||||
allow rwx pool={{ ceph_cinder_pool_name }}-cache,
|
||||
allow rwx pool={{ ceph_nova_pool_name }},
|
||||
allow rwx pool={{ ceph_nova_pool_name }}-cache,
|
||||
allow rx pool={{ ceph_glance_pool_name }},
|
||||
allow rx pool={{ ceph_glance_pool_name }}-cache
|
||||
|
||||
ceph_client_cinder_backup_keyring_caps:
|
||||
mon: 'allow r'
|
||||
osd: >-
|
||||
allow class-read object_prefix rbd_children,
|
||||
allow rwx pool={{ ceph_cinder_backup_pool_name }},
|
||||
allow rwx pool={{ ceph_cinder_backup_pool_name }}-cache
|
||||
|
||||
|
||||
####################
|
||||
# Database
|
||||
|
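Review bot: The new ceph_client_cinder_keyring_caps and ceph_client_cinder_backup_keyring_caps mappings would benefit from a comment explaining that they are no longer just initial values: per the commit message the kolla_ceph_keyring module applies them to an existing key as well, so editing them here changes the permissions of a key that is already in use. A line such as `# Applied by kolla_ceph_keyring on every run; editing these updates the live key's caps.` above the first mapping would make that clear. The same applies to the glance, gnocchi, manila and nova defaults hunks.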
@ -54,32 +54,34 @@
|
||||
pool_pgp_num: "{{ cinder_backup_pool_pgp_num }}"
|
||||
pool_application: "rbd"
|
||||
|
||||
# TODO(SamYaple): Improve changed_when tests
|
||||
- name: Pulling cephx keyring for cinder
|
||||
command: docker exec ceph_mon ceph auth get-or-create client.cinder mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ ceph_cinder_pool_name }}, allow rwx pool={{ ceph_cinder_pool_name }}-cache, allow rwx pool={{ ceph_nova_pool_name }}, allow rwx pool={{ ceph_nova_pool_name }}-cache, allow rx pool={{ ceph_glance_pool_name }}, allow rx pool={{ ceph_glance_pool_name }}-cache'
|
||||
kolla_ceph_keyring:
|
||||
name: client.cinder
|
||||
caps: "{{ ceph_client_cinder_keyring_caps }}"
|
||||
register: cephx_key_cinder
|
||||
delegate_to: "{{ groups['ceph-mon'][0] }}"
|
||||
changed_when: False
|
||||
run_once: True
|
||||
|
||||
# TODO(SamYaple): Improve changed_when tests
|
||||
- name: Pulling cephx keyring for cinder-backup
|
||||
command: docker exec ceph_mon ceph auth get-or-create client.cinder-backup mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ ceph_cinder_backup_pool_name }}, allow rwx pool={{ ceph_cinder_backup_pool_name }}-cache'
|
||||
kolla_ceph_keyring:
|
||||
name: client.cinder-backup
|
||||
caps: "{{ ceph_client_cinder_backup_keyring_caps }}"
|
||||
register: cephx_key_cinder_backup
|
||||
delegate_to: "{{ groups['ceph-mon'][0] }}"
|
||||
changed_when: False
|
||||
run_once: True
|
||||
|
||||
- name: Pushing cephx keyring
|
||||
copy:
|
||||
content: "{{ item.content }}\n\r"
|
||||
content: |
|
||||
[client.{{ item.key_name }}]
|
||||
key = {{ item.key }}
|
||||
dest: "{{ node_config_directory }}/{{ item.service_name }}/ceph.client.{{ item.key_name }}.keyring"
|
||||
mode: "0600"
|
||||
become: true
|
||||
with_items:
|
||||
- { service_name: "cinder-volume", key_name: "cinder", content: "{{ cephx_key_cinder.stdout }}" }
|
||||
- { service_name: "cinder-backup", key_name: "cinder", content: "{{ cephx_key_cinder.stdout }}" }
|
||||
- { service_name: "cinder-backup", key_name: "cinder-backup", content: "{{ cephx_key_cinder_backup.stdout }}" }
|
||||
- { service_name: "cinder-volume", key_name: "cinder", key: "{{ cephx_key_cinder.keyring.key }}" }
|
||||
- { service_name: "cinder-backup", key_name: "cinder", key: "{{ cephx_key_cinder.keyring.key }}" }
|
||||
- { service_name: "cinder-backup", key_name: "cinder-backup", key: "{{ cephx_key_cinder_backup.keyring.key }}" }
|
||||
when:
|
||||
- inventory_hostname in groups[item.service_name]
|
||||
- cinder_services[item.service_name].enabled | bool
|
||||
|
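Review bot: The rewritten `with_items` entries for `Pushing cephx keyring` now carry the raw cephx key in `key:`, and Ansible prints each loop `item` in the task result, so the secret ends up in console output and any log or callback plugin unless the task sets `no_log: true`. The previous entries had the same exposure through `content:`, so this is not a regression, but the migration is the natural moment to add `no_log: true` to this task and to the two kolla_ceph_keyring tasks whose registered results (`cephx_key_cinder`, `cephx_key_cinder_backup`) also hold the key. The mds, mgr, glance, gnocchi, manila and nova keyring tasks and the libvirt secret loop in the nova role have the same shape.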
@ -47,6 +47,13 @@ glance_cache_mode: "{{ ceph_glance_cache_mode }}"
|
||||
glance_pool_pg_num: "{{ ceph_pool_pg_num }}"
|
||||
glance_pool_pgp_num: "{{ ceph_pool_pgp_num }}"
|
||||
|
||||
ceph_client_glance_keyring_caps:
|
||||
mon: 'allow r'
|
||||
osd: >-
|
||||
allow class-read object_prefix rbd_children,
|
||||
allow rwx pool={{ ceph_glance_pool_name }},
|
||||
allow rwx pool={{ ceph_glance_pool_name }}-cache
|
||||
|
||||
|
||||
####################
|
||||
# Database
|
||||
|
@ -25,17 +25,19 @@
|
||||
pool_pgp_num: "{{ glance_pool_pgp_num }}"
|
||||
pool_application: "rbd"
|
||||
|
||||
# TODO(SamYaple): Improve changed_when tests
|
||||
- name: Pulling cephx keyring
|
||||
command: docker exec ceph_mon ceph auth get-or-create client.glance mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ ceph_glance_pool_name }}, allow rwx pool={{ ceph_glance_pool_name }}-cache'
|
||||
kolla_ceph_keyring:
|
||||
name: client.glance
|
||||
caps: "{{ ceph_client_glance_keyring_caps }}"
|
||||
register: cephx_key
|
||||
delegate_to: "{{ groups['ceph-mon'][0] }}"
|
||||
changed_when: False
|
||||
run_once: True
|
||||
|
||||
- name: Pushing cephx keyring
|
||||
copy:
|
||||
content: "{{ cephx_key.stdout }}\n\r"
|
||||
content: |
|
||||
[client.glance]
|
||||
key = {{ cephx_key.keyring.key }}
|
||||
dest: "{{ node_config_directory }}/glance-api/ceph.client.glance.keyring"
|
||||
mode: "0600"
|
||||
when: inventory_hostname in groups['glance-api']
|
||||
|
@ -48,6 +48,13 @@ gnocchi_cache_mode: "{{ ceph_gnocchi_cache_mode }}"
|
||||
gnocchi_pool_pg_num: "{{ ceph_pool_pg_num }}"
|
||||
gnocchi_pool_pgp_num: "{{ ceph_pool_pgp_num }}"
|
||||
|
||||
ceph_client_gnocchi_keyring_caps:
|
||||
mon: 'allow r'
|
||||
osd: >-
|
||||
allow class-read object_prefix rbd_children,
|
||||
allow rwx pool={{ ceph_gnocchi_pool_name }},
|
||||
allow rwx pool={{ ceph_gnocchi_pool_name }}-cache
|
||||
|
||||
|
||||
####################
|
||||
# Database
|
||||
|
@ -31,17 +31,19 @@
|
||||
pool_pgp_num: "{{ gnocchi_pool_pgp_num }}"
|
||||
pool_application: "rgw"
|
||||
|
||||
# TODO(SamYaple): Improve changed_when tests
|
||||
- name: Pulling cephx keyring
|
||||
command: docker exec ceph_mon ceph auth get-or-create client.gnocchi mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ ceph_gnocchi_pool_name }}, allow rwx pool={{ ceph_gnocchi_pool_name }}-cache'
|
||||
kolla_ceph_keyring:
|
||||
name: client.gnocchi
|
||||
caps: "{{ ceph_client_gnocchi_keyring_caps }}"
|
||||
register: cephx_key
|
||||
delegate_to: "{{ groups['ceph-mon'][0] }}"
|
||||
changed_when: False
|
||||
run_once: True
|
||||
|
||||
- name: Pushing cephx keyring
|
||||
copy:
|
||||
content: "{{ cephx_key.stdout }}\n\r"
|
||||
content: |
|
||||
[client.gnocchi]
|
||||
key = {{ cephx_key.keyring.key }}
|
||||
dest: "{{ node_config_directory }}/{{ item }}/ceph.client.gnocchi.keyring"
|
||||
mode: "0600"
|
||||
when: inventory_hostname in groups[item]
|
||||
|
@ -44,6 +44,21 @@ manila_services:
|
||||
- "kolla_logs:/var/log/kolla/"
|
||||
|
||||
|
||||
#####################
|
||||
## Ceph
|
||||
#####################
|
||||
|
||||
ceph_client_manila_keyring_caps:
|
||||
mon: >-
|
||||
allow r,
|
||||
allow command "auth del",
|
||||
allow command "auth caps",
|
||||
allow command "auth get",
|
||||
allow command "auth get-or-create"
|
||||
osd: 'allow rw'
|
||||
mds: 'allow *'
|
||||
|
||||
|
||||
#####################
|
||||
## Database
|
||||
#####################
|
||||
|
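Review bot: The new ceph_client_manila_keyring_caps grants `allow command "auth del"`, `"auth caps"`, `"auth get"` and `"auth get-or-create"` on the mon, which lets the manila key create, modify and delete other cephx entities — far more than the read-only `allow r` mon cap the other client keys get. That is carried over from the old command line, but now that it lives in a defaults file a comment above `mon:` explaining why manila needs auth-management rights (presumably so its share driver can manage per-share keys — worth confirming) would help reviewers judge the scope. It is also worth noting in that comment that an unrestricted `auth get` appears to let this key read other entities' secrets, so the manila keyring file deserves the same protection as the admin one.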
@ -15,15 +15,18 @@
|
||||
become: true
|
||||
|
||||
- name: Pulling cephx keyring for manila
|
||||
command: docker exec ceph_mon ceph auth get-or-create client.manila mon 'allow r, allow command "auth del", allow command "auth caps", allow command "auth get", allow command "auth get-or-create"' osd 'allow rw' mds 'allow *'
|
||||
kolla_ceph_keyring:
|
||||
name: client.manila
|
||||
caps: "{{ ceph_client_manila_keyring_caps }}"
|
||||
register: cephx_key_manila
|
||||
delegate_to: "{{ groups['ceph-mon'][0] }}"
|
||||
changed_when: False
|
||||
run_once: True
|
||||
|
||||
- name: Pushing cephx keyring
|
||||
copy:
|
||||
content: "{{ cephx_key_manila.stdout }}\n\r"
|
||||
content: |
|
||||
[client.manila]
|
||||
key = {{ cephx_key_manila.keyring.key }}
|
||||
dest: "{{ node_config_directory }}/manila-share/ceph.client.manila.keyring"
|
||||
mode: "0600"
|
||||
become: true
|
||||
|
@ -154,6 +154,17 @@ nova_pool_pgp_num: "{{ ceph_pool_pgp_num }}"
|
||||
# qemu (1, 6, 0) or later. Set to "" to disable.
|
||||
nova_hw_disk_discard: "unmap"
|
||||
|
||||
ceph_client_nova_keyring_caps:
|
||||
mon: 'allow r'
|
||||
osd: >-
|
||||
allow class-read object_prefix rbd_children,
|
||||
allow rwx pool={{ ceph_cinder_pool_name }},
|
||||
allow rwx pool={{ ceph_cinder_pool_name }}-cache,
|
||||
allow rwx pool={{ ceph_nova_pool_name }},
|
||||
allow rwx pool={{ ceph_nova_pool_name }}-cache,
|
||||
allow rwx pool={{ ceph_glance_pool_name }},
|
||||
allow rwx pool={{ ceph_glance_pool_name }}-cache
|
||||
|
||||
|
||||
####################
|
||||
# Database
|
||||
|
@ -33,20 +33,12 @@
|
||||
pool_pgp_num: "{{ nova_pool_pgp_num }}"
|
||||
pool_application: "rbd"
|
||||
|
||||
# TODO(SamYaple): Improve changed_when tests
|
||||
- name: Pulling cephx keyring for nova
|
||||
command: docker exec ceph_mon ceph auth get-or-create client.nova mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ ceph_cinder_pool_name }}, allow rwx pool={{ ceph_cinder_pool_name }}-cache, allow rwx pool={{ ceph_nova_pool_name }}, allow rwx pool={{ ceph_nova_pool_name }}-cache, allow rwx pool={{ ceph_glance_pool_name }}, allow rwx pool={{ ceph_glance_pool_name }}-cache'
|
||||
register: cephx_key
|
||||
kolla_ceph_keyring:
|
||||
name: client.nova
|
||||
caps: "{{ ceph_client_nova_keyring_caps }}"
|
||||
register: nova_cephx_key
|
||||
delegate_to: "{{ groups['ceph-mon'][0] }}"
|
||||
changed_when: False
|
||||
run_once: True
|
||||
|
||||
# TODO(SamYaple): Improve failed_when and changed_when tests
|
||||
- name: Pulling nova cephx keyring for libvirt
|
||||
command: docker exec ceph_mon ceph auth get-key client.nova
|
||||
register: nova_cephx_raw_key
|
||||
delegate_to: "{{ groups['ceph-mon'][0] }}"
|
||||
changed_when: False
|
||||
run_once: True
|
||||
|
||||
- name: Pulling cinder cephx keyring for libvirt
|
||||
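Review bot: With the `Pulling nova cephx keyring for libvirt` task removed, the nova libvirt secret is now fed from `nova_cephx_key.keyring.key`, but the `Pulling cinder cephx keyring for libvirt` task that starts on the last context line is kept, and the later hunk still reads `cinder_cephx_raw_key.stdout|default('')` for the cinder secret. The two libvirt secrets are therefore sourced in two different ways, one via the module and one via `docker exec ... ceph auth get-key`. If the cinder task cannot be migrated in this change (presumably because its key is registered in the cinder role, not here), a comment on that task saying so would stop the next reader from treating it as an oversight. The cinder task's body lies outside this hunk, so I cannot tell whether it was adjusted.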
@ -61,7 +53,9 @@
|
||||
|
||||
- name: Pushing cephx keyring for nova
|
||||
copy:
|
||||
content: "{{ cephx_key.stdout }}\n\r"
|
||||
content: |
|
||||
[client.nova]
|
||||
key = {{ nova_cephx_key.keyring.key }}
|
||||
dest: "{{ node_config_directory }}/nova-compute/ceph.client.nova.keyring"
|
||||
mode: "0600"
|
||||
when: inventory_hostname in groups['compute']
|
||||
@ -92,7 +86,7 @@
|
||||
- item.enabled | bool
|
||||
with_items:
|
||||
- uuid: "{{ rbd_secret_uuid }}"
|
||||
content: "{{ nova_cephx_raw_key.stdout }}"
|
||||
content: "{{ nova_cephx_key.keyring.key }}"
|
||||
enabled: true
|
||||
- uuid: "{{ cinder_rbd_secret_uuid }}"
|
||||
content: "{{ cinder_cephx_raw_key.stdout|default('') }}"
|
||||
|