Allow mgr bootstrap keyring to be defined

In environments where we wish to have manual/greater control over
how the bootstrap keyrings are used, we need to able to externally
define what the mgr keyring secret will be and have ceph-ansible
use it, instead of it being autogenerated

Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1610213
Signed-off-by: Graeme Gillies <ggillies@akamai.com>

diff --git a/group_vars/mons.yml.sample b/group_vars/mons.yml.sample
index 1fea4bf70afe556449a521354181f30e67d6959e..cddd45f70b8abebc9ead0e62174a1661fbad675d 100644 (file)
--- a/group_vars/mons.yml.sample
+++ b/group_vars/mons.yml.sample
@@ -17,6 +17,7 @@ dummy:
 # ACTIVATE BOTH FSID AND MONITOR_SECRET VARIABLES FOR NON-VAGRANT DEPLOYMENT
 #monitor_secret: "{{ monitor_keyring.stdout }}"
 #admin_secret: 'admin_secret'
+#mgr_secret: 'mgr_secret'
 
 # Secure your cluster
 # This will set the following flags on all the pools:

diff --git a/roles/ceph-mon/defaults/main.yml b/roles/ceph-mon/defaults/main.yml
index 513f21d28ee7a7dd49a935219e0c11cdfd3fc3c3..a52422c11f5965b6296b944c3085f66e1db03442 100644 (file)
--- a/roles/ceph-mon/defaults/main.yml
+++ b/roles/ceph-mon/defaults/main.yml
@@ -9,6 +9,7 @@ mon_group_name: mons
 # ACTIVATE BOTH FSID AND MONITOR_SECRET VARIABLES FOR NON-VAGRANT DEPLOYMENT
 monitor_secret: "{{ monitor_keyring.stdout }}"
 admin_secret: 'admin_secret'
+mgr_secret: 'mgr_secret'
 
 # Secure your cluster
 # This will set the following flags on all the pools:

diff --git a/roles/ceph-mon/tasks/ceph_keys.yml b/roles/ceph-mon/tasks/ceph_keys.yml
index ca22db723190fdec6739aac65f177bf867da5dbc..23b12c6a8db3906523774ae52e5952a70247beb0 100644 (file)
--- a/roles/ceph-mon/tasks/ceph_keys.yml
+++ b/roles/ceph-mon/tasks/ceph_keys.yml
@@ -76,6 +76,7 @@
       osd: allow *
       mds: allow *
     cluster: "{{ cluster }}"
+    secret: "{{ (mgr_secret != 'mgr_secret') | ternary(mgr_secret, omit) }}"
   when:
     - cephx
     - groups.get(mgr_group_name, []) | length > 0