kolla-ansible/ansible/roles/nova-cell/tasks/external_ceph.yml

---
- name: Check nova keyring file
  vars:
    keyring: "{{ nova_ceph_cluster }}.{{ ceph_nova_keyring }}"
    paths:
      - "{{ node_custom_config }}/nova/{{ inventory_hostname }}/{{ keyring }}"
      - "{{ node_custom_config }}/nova/{{ keyring }}"
  stat:
    path: "{{ lookup('first_found', paths) }}"
  delegate_to: localhost
  register: nova_cephx_keyring_file
  failed_when: not nova_cephx_keyring_file.stat.exists
  when:
    - nova_backend == "rbd"
    - external_ceph_cephx_enabled | bool

- name: Check cinder keyring file
  vars:
    keyring: "{{ nova_ceph_cluster }}.{{ ceph_cinder_keyring }}"
    paths:
      - "{{ node_custom_config }}/nova/{{ inventory_hostname }}/{{ keyring }}"
      - "{{ node_custom_config }}/nova/{{ keyring }}"
  stat:
    path: "{{ lookup('first_found', paths) }}"
  delegate_to: localhost
  register: cinder_cephx_keyring_file
  failed_when: not cinder_cephx_keyring_file.stat.exists
  when:
    - cinder_backend_ceph | bool
    - external_ceph_cephx_enabled | bool

- name: Extract nova key from file
  set_fact:
    nova_cephx_raw_key:
      "{{ lookup('template', nova_cephx_keyring_file.stat.path) | regex_search('key\\s*=.*$', multiline=True) | regex_replace('key\\s*=\\s*(.*)\\s*', '\\1') }}"
  changed_when: false
  when:
    - nova_backend == "rbd"
    - external_ceph_cephx_enabled | bool

- name: Extract cinder key from file
  set_fact:
    cinder_cephx_raw_key:
      "{{ lookup('file', cinder_cephx_keyring_file.stat.path) | regex_search('key\\s*=.*$', multiline=True) | regex_replace('key\\s*=\\s*(.*)\\s*', '\\1') }}"
  changed_when: false
  when:
    - cinder_backend_ceph | bool
    - external_ceph_cephx_enabled | bool

- name: Copy over ceph nova keyring file
  template:
    src: "{{ nova_cephx_keyring_file.stat.path }}"
    dest: "{{ node_config_directory }}/{{ item }}/"
    owner: "{{ config_owner_user }}"
    group: "{{ config_owner_group }}"
    mode: "0660"
  become: true
  with_items:
    - nova-compute
  when:
    - inventory_hostname in groups[nova_cell_compute_group]
    - nova_backend == "rbd"
    - external_ceph_cephx_enabled | bool
  notify:
    - Restart {{ item }} container

- name: Copy over ceph cinder keyring file
  template:
    src: "{{ cinder_cephx_keyring_file.stat.path }}"
    dest: "{{ node_config_directory }}/{{ item }}/"
    owner: "{{ config_owner_user }}"
    group: "{{ config_owner_group }}"
    mode: "0660"
  become: true
  with_items:  # NOTE: nova-libvirt does not need it
    - nova-compute
  when:
    - inventory_hostname in groups[nova_cell_compute_group]
    - nova_backend == "rbd"
    - external_ceph_cephx_enabled | bool
  notify:
    - Restart {{ item }} container

- name: Copy over ceph.conf
  vars:
    service: "{{ nova_cell_services[item] }}"
    paths:
      - "{{ node_custom_config }}/nova/{{ inventory_hostname }}/{{ nova_ceph_cluster }}.conf"
      - "{{ node_custom_config }}/nova/{{ nova_ceph_cluster }}.conf"
  template:
    src: "{{ lookup('first_found', paths) }}"
    dest: "{{ node_config_directory }}/{{ item }}/"
    owner: "{{ config_owner_user }}"
    group: "{{ config_owner_group }}"
    mode: "0660"
  become: true
  with_items:
    - nova-compute
    - nova-libvirt
  when:
    - inventory_hostname in groups[service.group]
    - service.enabled | bool
    - nova_backend == "rbd"
  notify:
    - Restart {{ item }} container

- block:
    - name: Ensure /etc/ceph directory exists (host libvirt)
      vars:
        paths:
          - "{{ node_custom_config }}/nova/{{ inventory_hostname }}/{{ nova_ceph_cluster }}.conf"
          - "{{ node_custom_config }}/nova/{{ nova_ceph_cluster }}.conf"
      file:
        path: "/etc/ceph/"
        state: "directory"
        owner: "root"
        group: "root"
        mode: "0755"
      become: true

    - name: Copy over ceph.conf (host libvirt)
      vars:
        paths:
          - "{{ node_custom_config }}/nova/{{ inventory_hostname }}/{{ nova_ceph_cluster }}.conf"
          - "{{ node_custom_config }}/nova/{{ nova_ceph_cluster }}.conf"
      template:
        src: "{{ lookup('first_found', paths) }}"
        dest: "/etc/ceph/{{ nova_ceph_cluster }}.conf"
        owner: "root"
        group: "root"
        mode: "0644"
      become: true
  when:
    - not enable_nova_libvirt_container | bool
    - inventory_hostname in groups[nova_cell_compute_group]
    - nova_backend == "rbd"

- block:
    - name: Ensuring libvirt secrets directory exists
      vars:
        service: "{{ nova_cell_services['nova-libvirt'] }}"
      file:
        path: "{{ libvirt_secrets_dir }}"
        state: "directory"
        owner: "{{ config_owner_user }}"
        group: "{{ config_owner_group }}"
        mode: "0770"
      become: true
      when:
        - inventory_hostname in groups[service.group]

    - name: Pushing nova secret xml for libvirt
      vars:
        service: "{{ nova_cell_services['nova-libvirt'] }}"
      template:
        src: "secret.xml.j2"
        dest: "{{ libvirt_secrets_dir }}/{{ item.uuid }}.xml"
        owner: "{{ config_owner_user }}"
        group: "{{ config_owner_group }}"
        mode: "0600"
      become: true
      when:
        - inventory_hostname in groups[service.group]
        - item.enabled | bool
      with_items:
        - uuid: "{{ rbd_secret_uuid }}"
          name: "client.nova secret"
          enabled: "{{ nova_backend == 'rbd' }}"
        - uuid: "{{ cinder_rbd_secret_uuid }}"
          name: "client.cinder secret"
          enabled: "{{ cinder_backend_ceph }}"
      notify: "{{ libvirt_restart_handlers }}"

    - name: Pushing secrets key for libvirt
      vars:
        service: "{{ nova_cell_services['nova-libvirt'] }}"
      template:
        src: "libvirt-secret.j2"
        dest: "{{ libvirt_secrets_dir }}/{{ item.uuid }}.base64"
        owner: "{{ config_owner_user }}"
        group: "{{ config_owner_group }}"
        mode: "0600"
      become: true
      when:
        - inventory_hostname in groups[service.group]
        - item.enabled | bool
        - external_ceph_cephx_enabled | bool
      with_items:
        # NOTE(yoctozepto): 'default' filter required due to eager evaluation of item content
        # which will be undefined if the applicable condition is False
        - uuid: "{{ rbd_secret_uuid }}"
          result: "{{ nova_cephx_raw_key | default }}"
          enabled: "{{ nova_backend == 'rbd' }}"
        - uuid: "{{ cinder_rbd_secret_uuid }}"
          result: "{{ cinder_cephx_raw_key | default }}"
          enabled: "{{ cinder_backend_ceph }}"
      notify: "{{ libvirt_restart_handlers }}"
      no_log: True
  vars:
    libvirt_secrets_dir: >-
      {{ (node_config_directory ~ '/nova-libvirt/secrets')
         if enable_nova_libvirt_container | bool
         else '/etc/libvirt/secrets' }}      
    # NOTE(mgoddard): When running libvirt as a host daemon, on CentOS it
    # appears to pick up secrets automatically, while on Ubuntu it requires a
    # reload. This may be due to differences in tested versions of libvirt
    # (8.0.0 vs 6.0.0). Reload should be low overhead, so do it always.
    libvirt_restart_handlers: >-
      {{ ['Restart nova-libvirt container']
         if enable_nova_libvirt_container | bool else
         ['Reload libvirtd'] }}