Used encrypted data bags for storing secrets #34.

2013-07-04 16:50:21 +02:00
parent 488246fa04
commit cb36d37b40
5 changed files with 31 additions and 12 deletions
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -1 +1,2 @@
 default['ceph']['install_debug'] = true
+default['ceph']['encrypted_data_bags'] = false
--- a/attributes/mon.rb
+++ b/attributes/mon.rb
@@ -4,3 +4,4 @@ when 'ubuntu'
 else
  default["ceph"]["mon"]["init_style"] = "sysvinit"
 end
+default["ceph"]["mon"]["secret_file"] = "/etc/chef/secrets/ceph_mon"
--- a/attributes/osd.rb
+++ b/attributes/osd.rb
@@ -4,3 +4,4 @@ when 'ubuntu'
 else
  default["ceph"]["osd"]["init_style"] = "sysvinit"
 end
+default["ceph"]["osd"]["secret_file"] = "/etc/chef/secrets/ceph_osd"
--- a/recipes/mon.rb
+++ b/recipes/mon.rb
@@ -41,8 +41,15 @@ cluster = 'ceph'
 unless File.exists?("/var/lib/ceph/mon/ceph-#{node["hostname"]}/done")
  keyring = "#{Chef::Config[:file_cache_path]}/#{cluster}-#{node['hostname']}.mon.keyring"

+  monitor_secret = if node['ceph']['encrypted_data_bags']
+    secret = Chef::EncryptedDataBagItem.load_secret(node["ceph"]["mon"]["secret_file"])
+    Chef::EncryptedDataBagItem.load("ceph", "mon", secret)["secret"]
+  else
+    node["ceph"]["monitor-secret"]
+  end
+
  execute "format as keyring" do
-    command "ceph-authtool '#{keyring}' --create-keyring --name=mon. --add-key='#{node["ceph"]["monitor-secret"]}' --cap mon 'allow *'"
+    command "ceph-authtool '#{keyring}' --create-keyring --name=mon. --add-key='#{monitor_secret}' --cap mon 'allow *'"
    creates "#{Chef::Config[:file_cache_path]}/#{cluster}-#{node['hostname']}.mon.keyring"
  end

@@ -93,15 +100,17 @@ end
 # The key is going to be automatically
 # created,
 # We store it when it is created
-ruby_block "get osd-bootstrap keyring" do
-  block do
-    run_out = ""
-    while run_out.empty?
-      run_out = Mixlib::ShellOut.new("ceph auth get-key client.bootstrap-osd").run_command.stdout.strip
-      sleep 2
+unless node['ceph']['encrypted_data_bags']
+  ruby_block "get osd-bootstrap keyring" do
+    block do
+      run_out = ""
+      while run_out.empty?
+        run_out = Mixlib::ShellOut.new("ceph auth get-key client.bootstrap-osd").run_command.stdout.strip
+        sleep 2
+      end
+      node.override['ceph']['bootstrap_osd_key'] = run_out
+      node.save
    end
-    node.override['ceph']['bootstrap_osd_key'] = run_out
-    node.save
+    not_if { node['ceph']['bootstrap_osd_key'] }
  end
-  not_if { node['ceph']['bootstrap_osd_key'] }
 end
--- a/recipes/osd.rb
+++ b/recipes/osd.rb
@@ -45,7 +45,7 @@ if !search(:node,"hostname:#{node['hostname']} AND dmcrypt:true").empty?
 end

 service_type = node["ceph"]["osd"]["init_style"]
-mons = get_mon_nodes("ceph_bootstrap_osd_key:*")
+mons = node['ceph']['encrypted_data_bags'] ? get_mon_nodes : get_mon_nodes("ceph_bootstrap_osd_key:*")

 if mons.empty? then
  puts "No ceph-mon found."
@@ -60,8 +60,15 @@ else
  # TODO cluster name
  cluster = 'ceph'

+  osd_secret = if node['ceph']['encrypted_data_bags']
+    secret = Chef::EncryptedDataBagItem.load_secret(node["ceph"]["osd"]["secret_file"])
+    Chef::EncryptedDataBagItem.load("ceph", "osd", secret)["secret"]
+  else
+    mons[0]["ceph"]["bootstrap_osd_key"]
+  end
+
  execute "format as keyring" do
-    command "ceph-authtool '/var/lib/ceph/bootstrap-osd/#{cluster}.keyring' --create-keyring --name=client.bootstrap-osd --add-key='#{mons[0]["ceph"]["bootstrap_osd_key"]}'"
+    command "ceph-authtool '/var/lib/ceph/bootstrap-osd/#{cluster}.keyring' --create-keyring --name=client.bootstrap-osd --add-key='#{osd_secret}'"
    creates "/var/lib/ceph/bootstrap-osd/#{cluster}.keyring"
  end