Refresh keys if caps are changed

Updates the local keyring if any of its params (including caps) are
changed.

Change-Id: I24abbf23cae4f3449c3f1d46df3b3b0a7422c839
Closes-Bug: 1606918
Co-Authored-By: Jiri Stransky <jistr@redhat.com>
Giulio Fidente 2016-07-27 16:09:49 +02:00
parent 4969e3cac4
commit d823bf6ac9
2 changed files with 14 additions and 6 deletions


@ -113,13 +113,17 @@ define ceph::key (
} }
} }
# ceph-authtool --add-key is idempotent, will just update pre-existing keys
exec { "ceph-key-${name}": exec { "ceph-key-${name}":
command => "/bin/true # comment to satisfy puppet syntax requirements command => "/bin/true # comment to satisfy puppet syntax requirements
set -ex set -ex
ceph-authtool ${keyring_path} --name '${name}' --add-key '${secret}' ${caps}", ceph-authtool ${keyring_path} --name '${name}' --add-key '${secret}' ${caps}",
unless => "/bin/true # comment to satisfy puppet syntax requirements onlyif => "/bin/true # comment to satisfy puppet syntax requirements
set -ex set -ex
sed -n 'N;\\%.*${name}.*\\n\\s*key = ${secret}%p' ${keyring_path} | grep ${name}", NEW_KEYRING=\$(mktemp)
ceph-authtool \$NEW_KEYRING --name '${name}' --add-key '${secret}' ${caps}
diff -N \$NEW_KEYRING ${keyring_path} | grep '<'
rm \$NEW_KEYRING",
require => [ Package['ceph'], File[$keyring_path], ], require => [ Package['ceph'], File[$keyring_path], ],
logoutput => true, logoutput => true,
} }
@ -136,13 +140,17 @@ sed -n 'N;\\%.*${name}.*\\n\\s*key = ${secret}%p' ${keyring_path} | grep ${name}
Ceph_config<||> -> Exec["ceph-injectkey-${name}"] Ceph_config<||> -> Exec["ceph-injectkey-${name}"]
Ceph::Mon<||> -> Exec["ceph-injectkey-${name}"] Ceph::Mon<||> -> Exec["ceph-injectkey-${name}"]
# ceph auth import is idempotent, will just update pre-existing keys
exec { "ceph-injectkey-${name}": exec { "ceph-injectkey-${name}":
command => "/bin/true # comment to satisfy puppet syntax requirements command => "/bin/true # comment to satisfy puppet syntax requirements
set -ex set -ex
ceph ${cluster_option} ${inject_id_option} ${inject_keyring_option} auth add ${name} --in-file=${keyring_path}", ceph ${cluster_option} ${inject_id_option} ${inject_keyring_option} auth import -i ${keyring_path}",
unless => "/bin/true # comment to satisfy puppet syntax requirements onlyif => "/bin/true # comment to satisfy puppet syntax requirements
set -ex set -ex
ceph ${cluster_option} ${inject_id_option} ${inject_keyring_option} auth get ${name} | grep ${secret}", OLD_KEYRING=\$(mktemp)
ceph ${cluster_option} ${inject_id_option} ${inject_keyring_option} auth get ${name} -o \$OLD_KEYRING || true
diff -N \$OLD_KEYRING ${keyring_path} | grep '>'
rm \$OLD_KEYRING",
require => [ Package['ceph'], Exec["ceph-key-${name}"], ], require => [ Package['ceph'], Exec["ceph-key-${name}"], ],
logoutput => true, logoutput => true,
} }
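Review bot: The temporary keyring created in the new onlyif check is not removed on the common "no change" path, because under `set -e` the script aborts as soon as `grep '<'` matches nothing, before `rm \$NEW_KEYRING` is reached; the same applies to `OLD_KEYRING` in the ceph-injectkey exec of the second hunk. Every Puppet run that finds nothing to change therefore leaves behind a mktemp file holding the key secret (mktemp's default mode is owner-only, so this is an accumulation and hygiene issue rather than a disclosure to other local users, but it is still secret material that should not outlive the check). Register the cleanup right after creation instead, `trap 'rm -f \$NEW_KEYRING' EXIT` on the line after `NEW_KEYRING=\$(mktemp)` and the matching `trap 'rm -f \$OLD_KEYRING' EXIT` after `OLD_KEYRING=\$(mktemp)`, and drop the two trailing rm lines; an EXIT trap does not alter the script's exit status, so the onlyif semantics stay the same. Separately, the inject check diffs the output of `ceph auth get` against a file written by ceph-authtool; if the two tools format entries differently (whitespace, ordering of caps) the diff will show '>' lines on every run and the import will never converge, which is worth confirming on a real cluster. The define ceph::key starts and ends outside both hunks.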


@ -50,7 +50,7 @@ describe 'ceph::key' do
'selinux_ignore_defaults' => true, 'selinux_ignore_defaults' => true,
) )
is_expected.to contain_exec('ceph-injectkey-client.admin').with( is_expected.to contain_exec('ceph-injectkey-client.admin').with(
'command' => "/bin/true # comment to satisfy puppet syntax requirements\nset -ex\nceph auth add client.admin --in-file=/etc/ceph/ceph.client.admin.keyring" 'command' => "/bin/true # comment to satisfy puppet syntax requirements\nset -ex\nceph auth import -i /etc/ceph/ceph.client.admin.keyring"
) )
} }
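Review bot: The spec pins only the rewritten `command` string of `ceph-injectkey-client.admin`; nothing in this hunk asserts the new `onlyif` (the mktemp / `ceph auth get` / diff check), so a regression in that check would still pass the suite. If the rest of the file does not cover it either, add an `'onlyif' => ...` expectation next to the command, and the corresponding one for the new check on the `ceph-key-client.admin` exec. The `it` block containing this expectation starts outside the hunk.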