openstack-ansible-ceph_client/tasks/ceph_get_keyrings_from_files.yml
Dmitriy Rabotyagov eb27ca0874 Allow distributing a custom key with the role
Right now we have quite a strong assumption that `nova_ceph_client` should be
present among the clients to fetch. At the same time, in case the role is
included outside of the OSA context, ceph_client_filtered_clients might
not contain all the users we expect to see.

With that we alter the logic to fetch the nova key not only when the role is launched
against a compute host, but also when the client is present in the list.

Change-Id: I7810881a01b9d2f3d98a6c3ad590b9ea63358011
2023-10-02 15:10:43 +02:00

---
# Copyright 2015, Serge van Ginderachter <serge@vanginderachter.be>
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

## Ceph client keyrings
# Build a dict {client name: keyring file content} from the local keyrings
# directory, one entry per client in ceph_client_filtered_clients.
- name: From files | Retrieve keyrings for openstack clients
  set_fact:
    ceph_client_keys: |-
      {% set _keys = {} %}
      {% for client in ceph_client_filtered_clients %}
      {%   set _ = _keys.update({
             client['name']: lookup('file', ceph_keyrings_dir ~ '/' ~ client['name'] ~ '.keyring')
           })
      %}
      {% endfor %}
      {{ _keys }}
  changed_when: false
  delegate_facts: False
  delegate_to: localhost
  tags:
    - ceph-config
    - always

# Write each keyring to /etc/ceph on the target host. The loop variable of
# with_items is `item`; the per-client owner/group/mode overrides must be read
# from it (a stray `client[...]` here would be undefined and silently fall
# back to the defaults).
- name: From files | Provision ceph client keyrings
  copy:
    dest: "/etc/ceph/{{ ceph_cluster_name }}.client.{{ item['name'] }}.keyring"
    content: |
      {{ ceph_client_keys[item['name']] }}
    owner: "{{ item['owner'] | default('root') }}"
    group: "{{ item['group'] | default(cephkeys_access_group) }}"
    # Ideally the permission will be 0600 and the owner/group will be either
    # glance, nova or cinder. For keys that require access by different users
    # (the cinder one) we should probably create a group 'cephkeys' and add
    # nova/cinder to it.
    # If I'm correct, the use case for multiple users is on the compute nodes,
    # where access is needed by the users libvirt-qemu and nova.
    mode: "{{ item['mode'] | default('0640') }}"
  with_items: "{{ ceph_client_filtered_clients }}"
  notify:
    - Restart os services

# Extract the bare `key = ...` value from the nova client's keyring so it can
# be loaded into libvirt. Both conditions below must hold: the second one
# prevents a lookup of a client that is not in the filtered list (e.g. when
# the role is included outside of OSA and the nova client was not requested).
- name: From file | Retrieve nova secret
  set_fact:
    ceph_nova_secret:
      stdout: "{{ (ceph_client_keys[nova_ceph_client] | regex_search('.*^\\s*key\\s*=\\s*(.*)$.*', '\\1', multiline=True))[0] }}"
  when:
    - inventory_hostname in groups.nova_compute
    - nova_ceph_client in ceph_client_filtered_clients | map(attribute='name') | list
  delegate_to: localhost
  tags:
    - always
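The two set_fact tasks above reproduced in plain Python, as an added example that is not part of the role: it reads the keyrings the same way the `lookup('file', ...)` loop does, applies the same `regex_search` expression to pull out the `key =` value, and shows why the second `when` condition added by this commit matters when the nova client is missing from the filtered list. The keyring contents and key values are constructed placeholders, and the `load_client_keys` / `nova_secret` / `demo` names are this example's own.

```python
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# The expression the role hands to regex_search(..., multiline=True).
KEY_RE = re.compile(r'.*^\s*key\s*=\s*(.*)$.*', re.MULTILINE)

# Constructed sample keyrings in the layout ceph-authtool writes; the key
# values are placeholders, not real Ceph secrets.
SAMPLE_KEYRINGS = {
    "nova": "[client.nova]\n\tkey = AQDconstructedNotARealKeyAAAAAAAAAAAAAAA==\n"
            "\tcaps mon = \"profile rbd\"\n\tcaps osd = \"profile rbd pool=vms\"\n",
    "glance": "[client.glance]\n\tkey = AQDconstructedGlancePlaceholderAAAAAAAA==\n"
              "\tcaps mon = \"profile rbd\"\n",
}

def load_client_keys(keyrings_dir, filtered_clients):
    """Mirror of the first set_fact: {client name: keyring file content}."""
    keys = {}
    for client in filtered_clients:
        path = Path(keyrings_dir) / f"{client['name']}.keyring"
        keys[client["name"]] = path.read_text()  # like lookup('file', ...)
    return keys

def nova_secret(client_keys, filtered_clients, nova_ceph_client, on_compute_host):
    """Mirror of the 'Retrieve nova secret' task, including the commit's guard.

    Both `when` conditions must hold; without the membership check a client
    list that lacks the nova user would hit a KeyError on client_keys below.
    """
    if not on_compute_host:
        return None
    if nova_ceph_client not in [c["name"] for c in filtered_clients]:
        return None
    match = KEY_RE.search(client_keys[nova_ceph_client])
    return match.group(1) if match else None

def demo():
    """Run both cases against a temporary keyrings dir; returns (with, without)."""
    with TemporaryDirectory() as keyrings_dir:
        for name, content in SAMPLE_KEYRINGS.items():
            (Path(keyrings_dir) / f"{name}.keyring").write_text(content)
        all_clients = [{"name": "nova"}, {"name": "glance"}]
        no_nova = [{"name": "glance"}]  # role used outside OSA, nova not requested
        with_nova = nova_secret(load_client_keys(keyrings_dir, all_clients),
                                all_clients, "nova", True)
        without_nova = nova_secret(load_client_keys(keyrings_dir, no_nova),
                                   no_nova, "nova", True)
    return with_nova, without_nova
```

`demo()` returns the extracted placeholder key for the first case and `None` for the second, where the pre-commit task would have failed on the missing dictionary entry.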