CEPH_CONTAINER_BINARY: "{{ container_binary }}"
when: groups.get(mgr_group_name, []) | length == 0 # the key is present already since one of the mons created it in "create ceph mgr keyring(s)"
+- name: create and copy keyrings
+ when: groups.get(mgr_group_name, []) | length > 0
+ block:
+ - name: create ceph mgr keyring(s) on a mon node
+ ceph_key:
+ name: "mgr.{{ hostvars[item]['ansible_hostname'] }}"
+ state: present
+ caps:
+ mon: allow profile mgr
+ osd: allow *
+ mds: allow *
+ cluster: "{{ cluster }}"
+ secret: "{{ (mgr_secret != 'mgr_secret') | ternary(mgr_secret, omit) }}"
+ owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
+ group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
+ mode: "0400"
+ environment:
+ CEPH_CONTAINER_IMAGE: "{{ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment else None }}"
+ CEPH_CONTAINER_BINARY: "{{ container_binary }}"
+ with_items: "{{ groups.get(mgr_group_name, []) }}"
+ run_once: True
+ delegate_to: "{{ groups[mon_group_name][0] }}"
+
+ - name: copy ceph mgr key(s) from mon node to the ansible server
+ fetch:
+ src: "{{ ceph_conf_key_directory }}/{{ cluster }}.mgr.{{ hostvars[item]['ansible_hostname'] }}.keyring"
+ dest: "{{ fetch_directory }}/{{ fsid }}/{{ ceph_conf_key_directory }}/{{ cluster }}.mgr.{{ hostvars[item]['ansible_hostname'] }}.keyring"
+ flat: yes
+ with_items: "{{ groups.get(mgr_group_name, []) }}"
+ delegate_to: "{{ groups[mon_group_name][0] }}"
+
+ - name: copy ceph keyring(s) to mgr node
+ copy:
+ src: "{{ fetch_directory }}/{{ fsid }}/etc/ceph/{{ cluster }}.mgr.{{ ansible_hostname }}.keyring"
+ dest: "/var/lib/ceph/mgr/{{ cluster }}-{{ ansible_hostname }}/keyring"
+ owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
+ group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
+ mode: "{{ ceph_keyring_permissions }}"
+ when: cephx
+
- name: copy ceph keyring(s) if needed
copy:
- src: "{{ fetch_directory }}/{{ fsid }}/{{ item.name }}"
- dest: "{{ item.dest }}"
+ src: "{{ fetch_directory }}/{{ fsid }}/etc/ceph/{{ cluster }}.client.admin.keyring"
+ dest: "/etc/ceph/{{ cluster }}.client.admin.keyring"
owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
mode: "{{ ceph_keyring_permissions }}"
- with_items:
- - { name: "/etc/ceph/{{ cluster }}.mgr.{{ ansible_hostname }}.keyring", dest: "/var/lib/ceph/mgr/{{ cluster }}-{{ ansible_hostname }}/keyring", copy_key: "{{ True if groups.get(mgr_group_name, []) | length > 0 else False }}" }
- - { name: "/etc/ceph/{{ cluster }}.client.admin.keyring", dest: "/etc/ceph/{{ cluster }}.client.admin.keyring", copy_key: "{{ copy_admin_key }}" }
when:
- cephx
- groups.get(mgr_group_name, []) | length > 0
- - item.copy_key|bool
+ - copy_admin_key | bool
- name: set mgr key permissions
file:
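Review bot: The new `copy ceph keyring(s) to mgr node` task reads its key from a hard-coded `etc/ceph` path under `fetch_directory`, while the fetch task just above writes to `{{ ceph_conf_key_directory }}`, so the two only line up when that variable is `/etc/ceph`; the source would be safer as `src: "{{ fetch_directory }}/{{ fsid }}/{{ ceph_conf_key_directory }}/{{ cluster }}.mgr.{{ ansible_hostname }}.keyring"`. The fetch task also lacks the `run_once: true` that its sibling create task has, so every mgr host appears to re-fetch every mgr keyring from the first mon into the same controller files. As far as I know `fetch` has no mode option, so these keyrings would land in `fetch_directory` under the controller's umask; the permissions on that directory are worth checking, since it holds secret material. The trailing comment on the unchanged `when: ... length == 0` line still names "create ceph mgr keyring(s)", which this commit removes from the mon role. That comment looks stale, and unless another part of the change covers it, nothing visible here creates the key when the mgr group is empty.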
CEPH_CONTAINER_BINARY: "{{ container_binary }}"
CEPH_ROLLING_UPDATE: "{{ rolling_update }}"
- - name: create ceph mgr keyring(s)
- ceph_key:
- name: "mgr.{{ hostvars[item]['ansible_hostname'] }}"
- state: present
- caps:
- mon: allow profile mgr
- osd: allow *
- mds: allow *
- cluster: "{{ cluster }}"
- secret: "{{ (mgr_secret != 'mgr_secret') | ternary(mgr_secret, omit) }}"
- owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
- group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
- mode: "0400"
- environment:
- CEPH_CONTAINER_IMAGE: "{{ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment else None }}"
- CEPH_CONTAINER_BINARY: "{{ container_binary }}"
- with_items: "{{ groups.get(mon_group_name) if groups.get(mgr_group_name, []) | length == 0 else groups.get(mgr_group_name, []) }}"
- run_once: True
- delegate_to: "{{ groups[mon_group_name][0] }}"
-
- - name: copy ceph mgr key(s) to the ansible server
- fetch:
- src: "{{ ceph_conf_key_directory }}/{{ cluster }}.mgr.{{ hostvars[item]['ansible_hostname'] }}.keyring"
- dest: "{{ fetch_directory }}/{{ fsid }}/{{ ceph_conf_key_directory }}/{{ cluster }}.mgr.{{ hostvars[item]['ansible_hostname'] }}.keyring"
- flat: yes
- with_items: "{{ groups.get(mon_group_name) if groups.get(mgr_group_name, []) | length == 0 else groups.get(mgr_group_name, []) }}"
- delegate_to: "{{ groups[mon_group_name][0] }}"
-
- name: copy keys to the ansible server
fetch:
src: "{{ item }}"