Extract cephx keys from vault encrypted files

Cephx keys are not picked up by "local_action: shell cat [...]" when using ansible-vault encrypted keyrings. This commit changes the logic to use the file lookup plugin and extracts the key using jinja2 regex filters. The raw keys are then set as ansible facts. Closes-Bug: 1849127 Change-Id: Iacb1e42307c4de6a7a379e8cf279e073995fd5d3
2019-10-21 15:40:31 +02:00 · 2019-10-21 15:40:31 +02:00 · 44709f4132
parent 160af32c2c
commit 44709f4132
1 changed files with 5 additions and 5 deletions
--- a/ansible/roles/nova-cell/tasks/external_ceph.yml
+++ b/ansible/roles/nova-cell/tasks/external_ceph.yml
@ -79,26 +79,26 @@
    - Restart nova-libvirt container

 - name: Extract nova key from file
-  local_action: shell cat "{{ nova_cephx_keyring_file.stat.path }}" | grep -E 'key\s*=' | awk '{ print $3 }'
+  set_fact:
+    nova_cephx_raw_key: "{{ lookup('file', nova_cephx_keyring_file.stat.path) | regex_search('key\\s*=.*$', multiline=True) | regex_replace('key\\s*=\\s*(.*)\\s*', '\\1') }}"
  changed_when: false
  run_once: True
-  register: nova_cephx_raw_key
  when:
    - nova_backend == "rbd"
    - external_ceph_cephx_enabled | bool

 - name: Extract cinder key from file
-  local_action: shell cat "{{ cinder_cephx_keyring_file.stat.path }}" | grep -E 'key\s*=' | awk '{ print $3 }'
+  set_fact:
+    cinder_cephx_raw_key: "{{ lookup('file', cinder_cephx_keyring_file.stat.path) | regex_search('key\\s*=.*$', multiline=True) | regex_replace('key\\s*=\\s*(.*)\\s*', '\\1') }}"
  changed_when: false
  run_once: True
-  register: cinder_cephx_raw_key
  when:
    - cinder_backend_ceph | bool
    - external_ceph_cephx_enabled | bool

 - name: Pushing secrets key for libvirt
  copy:
-    content: "{{ item.result.stdout }}"
+    content: "{{ item.result }}"
    dest: "{{ node_config_directory }}/nova-libvirt/secrets/{{ item.uuid }}.base64"
    mode: "0600"
  become: true