From 44709f413246a05b891f250e88c43226e1f1b0c9 Mon Sep 17 00:00:00 2001
From: Jan Horstmann
Date: Mon, 21 Oct 2019 15:40:31 +0200
Subject: [PATCH] Extract cephx keys from vault encrypted files
Cephx keys are not picked up by "local_action: shell cat [...]" when using ansible-vault encrypted keyrings. This commit changes the logic to use the file lookup plugin and extracts the key using jinja2 regex filters. The raw keys are then set as ansible facts.
Closes-Bug: 1849127
Change-Id: Iacb1e42307c4de6a7a379e8cf279e073995fd5d3
---
 ansible/roles/nova-cell/tasks/external_ceph.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/ansible/roles/nova-cell/tasks/external_ceph.yml b/ansible/roles/nova-cell/tasks/external_ceph.yml
index e999d115b5..628910ea26 100644
--- a/ansible/roles/nova-cell/tasks/external_ceph.yml
+++ b/ansible/roles/nova-cell/tasks/external_ceph.yml
@@ -79,26 +79,26 @@
 - Restart nova-libvirt container
 - name: Extract nova key from file
- local_action: shell cat "{{ nova_cephx_keyring_file.stat.path }}" | grep -E 'key\s*=' | awk '{ print $3 }'
+ set_fact:
+ nova_cephx_raw_key: "{{ lookup('file', nova_cephx_keyring_file.stat.path) | regex_search('key\\s*=.*$', multiline=True) | regex_replace('key\\s*=\\s*(.*)\\s*', '\\1') }}"
 changed_when: false
 run_once: True
- register: nova_cephx_raw_key
 when:
 - nova_backend == "rbd"
 - external_ceph_cephx_enabled | bool
 - name: Extract cinder key from file
- local_action: shell cat "{{ cinder_cephx_keyring_file.stat.path }}" | grep -E 'key\s*=' | awk '{ print $3 }'
+ set_fact:
+ cinder_cephx_raw_key: "{{ lookup('file', cinder_cephx_keyring_file.stat.path) | regex_search('key\\s*=.*$', multiline=True) | regex_replace('key\\s*=\\s*(.*)\\s*', '\\1') }}"
 changed_when: false
 run_once: True
- register: cinder_cephx_raw_key
 when:
 - cinder_backend_ceph | bool
 - external_ceph_cephx_enabled | bool
 - name: Pushing secrets key for libvirt
 copy:
- content: "{{ item.result.stdout }}"
+ content: "{{ item.result }}"
 dest: "{{ node_config_directory }}/nova-libvirt/secrets/{{ item.uuid }}.base64"
 mode: "0600"
 become: true
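Review bot: Both new `set_fact` tasks (nova and cinder) store the decrypted cephx key as a fact without `no_log: true`, so a verbose run would likely print the key in the task result even though the keyring is now vault-encrypted at rest; add `no_log: true` to each task. The capture `(.*)` in `regex_replace` is greedy, so the trailing `\\s*` strips nothing and any trailing whitespace or carriage return on the key line would end up in the `.base64` secret, where the old `awk '{ print $3 }'` dropped it; `(\\S+)` would restore that behaviour. If a keyring has no `key =` line, `regex_search` matches nothing and the copy task would presumably still write a secret file with an empty or placeholder value, so a non-empty check before "Pushing secrets key for libvirt" is worth adding. That task continues past the end of the hunk, so its loop items are not visible here.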