Limit cephadm private key distribution to mons/mgrs

It is not necessary to distribute the ceph-admin user's private SSH key to every host of a Ceph service; only the hosts running the ceph_mgr and ceph_mon services need the private key. By default this is limited to the controller nodes only. The existing role calls the ceph-admin-user-playbook.yml. Split it into two calls which use --limit to target the necessary Ceph service hosts and set distribute_private_key to true only for mons/mgrs. Closes-Bug: #1928717 Change-Id: I8343c419c140670f01bdc94b4c8130004bac64e1
2021-05-17 20:04:43 +00:00 · 2021-05-17 20:04:43 +00:00 · 4d3144fce3
parent 79c6fa8e02
commit 4d3144fce3
2 changed files with 14 additions and 8 deletions
--- a/tripleo_ansible/roles/tripleo_run_cephadm/tasks/enable_ceph_admin_user.yml
+++ b/tripleo_ansible/roles/tripleo_run_cephadm/tasks/enable_ceph_admin_user.yml
@ -24,9 +24,20 @@
      - '{{ inventory_file }}'
      - '{% if ansible_python_interpreter is defined %}-e ansible_python_interpreter={{ ansible_python_interpreter }}{% endif %}'
      - '/usr/share/ansible/tripleo-playbooks/ceph-admin-user-playbook.yml'
-      - '-e @{{ playbook_dir}}/cephadm/ceph-admin.yml'
+      - '-e tripleo_admin_user=ceph-admin'
+    cephadm_public_private_ssh_list:
+      - '-e distribute_private_key=true'
+      - '--limit undercloud,ceph_mon,ceph_mgr'
+    cephadm_public_ssh_list:
+      - '-e distribute_private_key=false'
+      - '--limit undercloud,ceph_osd,ceph_rgw,ceph_mds,ceph_nfs,ceph_rbdmirror'

- name: Run ceph-admin-user-playbook
-  shell: "{{ cephadm_ssh_list|join(' ') }}"
+- name: Run ceph-admin-user-playbook for public and private keys
+  shell: "{{ (cephadm_ssh_list + cephadm_public_private_ssh_list)|join(' ') }}"
+  tags:
+    - run_cephadm
+
+- name: Run ceph-admin-user-playbook for public keys
+  shell: "{{ (cephadm_ssh_list + cephadm_public_ssh_list)|join(' ') }}"
  tags:
    - run_cephadm
--- a/tripleo_ansible/roles/tripleo_run_cephadm/tasks/prepare.yml
+++ b/tripleo_ansible/roles/tripleo_run_cephadm/tasks/prepare.yml
@ -32,11 +32,6 @@
  tags:
    - run_cephadm

- name: generate ceph-admin.yml extra vars for user creation
-  copy:
-    dest: "{{ playbook_dir }}/cephadm/ceph-admin.yml"
-    content: "{{ ceph_admin_extra_vars | to_nice_yaml }}"
-
 - name: get the list of enabled services on the overcloud
  set_fact:
    tripleo_enabled_services: "{{ enabled_services | default([]) }}"