Restructure Ceph/Puppet params to reflect changes in puppet-ceph

A change [1] in puppet-ceph offers more flexibility but breaks
backwards so we had to update our composition layer as well; we gain
control of the cephx keyring in the template though.

1. Ie6adbd601388ab52c37037004bd0ceef9fc41942

Change-Id: Ia8196849afce2969daa608828cec81ebe3ac96e1

puppet/ceph-cluster-config.yaml

@@ -35,11 +35,33 @@ resources:
                   - ','
                   - {get_param: ceph_mon_ips}
                 ceph::profile::params::fsid: {get_param: ceph_fsid}
-                ceph::profile::params::admin_key: {get_param: ceph_admin_key}
                 ceph::profile::params::mon_key: {get_param: ceph_mon_key}
-                # We would need a dedicated key for OSD
-                ceph::profile::params::bootstrap_osd_key: {get_param: ceph_mon_key}
-                ceph::profile::params::osds: '{"/srv/data": {}}'
+                ceph::profile::params::osds: "{/srv/data: {}}"
+                # We should use a separated key for the non-admin clients
+                ceph::profile::params::client_keys:
+                  str_replace:
+                    template: "{
+                      client.admin: {
+                        secret: 'ADMIN_KEY',
+                        mode: '0600',
+                        cap_mon: 'allow *',
+                        cap_osd: 'allow *',
+                        cap_mds: 'allow *'
+                      },
+                      client.bootstrap-osd: {
+                        secret: 'ADMIN_KEY',
+                        keyring_path: '/var/lib/ceph/bootstrap-osd/ceph.keyring',
+                        cap_mon: 'allow profile bootstrap-osd'
+                      },
+                      client.openstack: {
+                        secret: 'ADMIN_KEY',
+                        mode: '0644',
+                        cap_mon: 'allow r',
+                        cap_osd: 'allow class-read object_prefix rbd_children, allow rwx pool=volumes, allow rwx pool=vms'
+                      }
+                    }"
+                    params:
+                      ADMIN_KEY: {get_param: ceph_admin_key}
 
 outputs:
   config_id:

puppet/hieradata/ceph.yaml

@@ -6,8 +6,6 @@ ceph::profile::params::osd_pool_default_min_size: 1
 ceph::profile::params::manage_repo: false
 ceph::profile::params::authentication_type: cephx
 
-ceph_openstack_default_cap_mon: 'allow r'
-ceph_openstack_default_cap_osd: 'allow class-read object_prefix rbd_children, allow rwx pool=volumes, allow rwx pool=vms'
 ceph_pools:
   - volumes
   - vms

puppet/manifests/overcloud_cephstorage.pp

@@ -28,8 +28,5 @@ if count(hiera('ntp::servers')) > 0 {
   include ::ntp
 }
 
-class { 'ceph::profile::params':
-  mon_initial_members => downcase(hiera('ceph_mon_initial_members'))
-}
 include ::ceph::profile::client
 include ::ceph::profile::osd

puppet/manifests/overcloud_compute.pp

@@ -46,12 +46,6 @@ $nova_enable_rbd_backend = hiera('nova_enable_rbd_backend', false)
 if $nova_enable_rbd_backend {
   include ::ceph::profile::client
   include ::nova::compute::rbd
-  ceph::key { 'client.openstack' :
-    secret  => hiera('ceph::profile::params::mon_key'),
-    cap_mon => hiera('ceph_openstack_default_cap_mon'),
-    cap_osd => hiera('ceph_openstack_default_cap_osd'),
-    user    => 'nova',
-  }
 }
 
 include ::nova::compute::libvirt

puppet/manifests/overcloud_controller.pp

@@ -166,16 +166,6 @@ if hiera('step') >= 2 {
     include ::ceph::profile::mon
   }
 
-  if $cinder_enable_rbd_backend {
-    ceph::key { 'client.openstack' :
-      secret  => hiera('ceph::profile::params::mon_key'),
-      cap_mon => hiera('ceph_openstack_default_cap_mon'),
-      cap_osd => hiera('ceph_openstack_default_cap_osd'),
-      user    => 'cinder',
-      inject  => 'true',
-    }
-  }
-
 } #END STEP 2
 
 if hiera('step') >= 3 {