#iscsi_pool_name: rbd
#iscsi_pool_size: "{{ osd_pool_default_size }}"
+#copy_admin_key: True
+
##################
# RBD-TARGET-API #
##################
# SETUP #
#########
-#fetch_directory: fetch/
-
# Even though rbd-mirror nodes should not have the admin key
# at their disposal, some people might want to have it
# distributed on rbd-mirror nodes. Setting 'copy_admin_key' to 'true'
iscsi_pool_name: rbd
iscsi_pool_size: "{{ osd_pool_default_size }}"
+copy_admin_key: True
+
##################
# RBD-TARGET-API #
##################
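Review bot: The new default `copy_admin_key: True` at L17 (mirrored in the sample at L3) puts the cluster's `client.admin` keyring on every iSCSI gateway node out of the box, while the rbd-mirror defaults on the same page (L12-L14) treat admin-key distribution as something those nodes "should not" have and leave it opt-in. Whichever gateway component actually needs admin caps should be named next to the setting, e.g. `# set to false when the gateways are provisioned with a dedicated, capability-restricted client key`, so operators can see what they give up by disabling it; if nothing needs full admin caps, a restricted key would be the least-privilege default. Independently, prefer the canonical lowercase `copy_admin_key: true` (yamllint `truthy`).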
---
-- name: copy admin key
+- name: get keys from monitors
+ command: "{{ container_exec_cmd }} ceph --cluster {{ cluster }} auth get {{ item.name }}"
+ register: _iscsi_keys
+ with_items:
+ - { name: "client.admin", path: "/etc/ceph/{{ cluster }}.client.admin.keyring", copy_key: "{{ copy_admin_key }}" }
+ delegate_to: "{{ groups.get(mon_group_name)[0] }}"
+ when:
+ - cephx | bool
+ - item.copy_key | bool
+
+- name: copy ceph key(s) if needed
copy:
- src: "{{ fetch_directory }}/{{ fsid }}/etc/ceph/{{ cluster }}.client.admin.keyring"
- dest: "/etc/ceph/{{ cluster }}.client.admin.keyring"
- owner: "root"
- group: "root"
+ dest: "{{ item.item.path }}"
+ content: "{{ item.stdout + '\n' }}"
+ owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
+ group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
mode: "{{ ceph_keyring_permissions }}"
- when: cephx | bool
+ with_items: "{{ _iscsi_keys.results }}"
+ when:
+ - cephx | bool
+ - item.item.copy_key | bool
- name: deploy gateway settings, used by the ceph_iscsi_config modules
config_template:
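Review bot: The `get keys from monitors` task at L24-L32 registers the raw `ceph auth get` output, so `_iscsi_keys` carries the keyring secret in `stdout` and it is echoed by `-v` runs, callback plugins and any log shipping; the `copy` task at L34-L49 prints the same material again through its `content` argument and in `--diff` output. Both tasks should carry `no_log: true` (e.g. `register: _iscsi_keys` followed by `no_log: true`, and the same keyword on the copy task). The same unguarded pattern is introduced for mds (L178-L206), mgr (L266-L302), nfs (L356-L408 and L421-L445), osd (L450-L477 and L514-L540), rbd-mirror (L560-L584) and rgw (L590-L617), and should be fixed in each.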
---
+- name: create a temporary directory
+ tempfile:
+ state: directory
+ register: iscsi_ssl_tmp_dir
+ delegate_to: localhost
+ run_once: true
+
- name: set_fact crt_files
set_fact:
crt_files:
- "iscsi-gateway.pem"
- "iscsi-gateway-pub.key"
-- name: stat for crt file(s)
- stat:
- path: "{{ fetch_directory }}/{{ fsid }}/{{ item }}"
- delegate_to: localhost
+- name: check for existing crt file(s) in monitor key/value store
+ command: "{{ container_exec_cmd }} ceph --cluster {{ cluster }} config get iscsi/ssl/{{ item }}"
with_items: "{{ crt_files }}"
changed_when: false
failed_when: false
- check_mode: no
+ run_once: true
+ delegate_to: "{{ groups.get(mon_group_name)[0] }}"
register: crt_files_exist
-- name: create ssl crt/key files
- command: >
- openssl req -newkey rsa:2048 -nodes -keyout {{ fetch_directory }}/{{ fsid }}/iscsi-gateway.key
- -x509 -days 365 -out {{ fetch_directory }}/{{ fsid }}/iscsi-gateway.crt
- -subj "/C=US/ST=./L=./O=RedHat/OU=Linux/CN={{ ansible_hostname }}"
- delegate_to: localhost
- become: False
- run_once: True
- with_items: "{{ crt_files_exist.results }}"
- when: not item.stat.exists
-
-- name: create pem
- shell: >
- cat {{ fetch_directory }}/{{ fsid }}/iscsi-gateway.crt
- {{ fetch_directory }}/{{ fsid }}/iscsi-gateway.key > {{ fetch_directory }}/{{ fsid }}/iscsi-gateway.pem
- delegate_to: localhost
- become: False
- run_once: True
- register: pem
- with_items: "{{ crt_files_exist.results }}"
- when: not item.stat.exists
-
-- name: create public key from pem
- shell: >
- openssl x509 -inform pem -in {{ fetch_directory }}/{{ fsid }}/iscsi-gateway.pem
- -pubkey -noout > {{ fetch_directory }}/{{ fsid }}/iscsi-gateway-pub.key
- delegate_to: localhost
- become: False
- run_once: True
- when: pem.changed
- tags: skip_ansible_lint
+- name: set_fact crt_files_missing
+ set_fact:
+ crt_files_missing: "{{ crt_files_exist.results | selectattr('rc', 'equalto', 0) | map(attribute='rc') | list | length != crt_files | length }}"
+
+- name: generate ssl crt/key files
+ block:
+ - name: create ssl crt/key files
+ command: >
+ openssl req -newkey rsa:2048 -nodes -keyout {{ iscsi_ssl_tmp_dir.path }}/iscsi-gateway.key
+ -x509 -days 365 -out {{ iscsi_ssl_tmp_dir.path }}/iscsi-gateway.crt
+ -subj "/C=US/ST=./L=./O=RedHat/OU=Linux/CN={{ ansible_hostname }}"
+ delegate_to: localhost
+ run_once: True
+ with_items: "{{ crt_files_exist.results }}"
+
+ - name: create pem
+ shell: >
+ cat {{ iscsi_ssl_tmp_dir.path }}/iscsi-gateway.crt
+ {{ iscsi_ssl_tmp_dir.path }}/iscsi-gateway.key > {{ iscsi_ssl_tmp_dir.path }}/iscsi-gateway.pem
+ delegate_to: localhost
+ run_once: True
+ register: pem
+ with_items: "{{ crt_files_exist.results }}"
+
+ - name: create public key from pem
+ shell: >
+ openssl x509 -inform pem -in {{ iscsi_ssl_tmp_dir.path }}/iscsi-gateway.pem
+ -pubkey -noout > {{ iscsi_ssl_tmp_dir.path }}/iscsi-gateway-pub.key
+ delegate_to: localhost
+ run_once: True
+ when: pem.changed
+ tags: skip_ansible_lint
+
+ - name: slurp ssl crt/key files
+ slurp:
+ src: "{{ iscsi_ssl_tmp_dir.path }}/{{ item }}"
+ register: iscsi_ssl_files_content
+ with_items: "{{ crt_files }}"
+ run_once: true
+ delegate_to: localhost
+
+ - name: store ssl crt/key files
+ command: "{{ container_exec_cmd }} ceph --cluster {{ cluster }} config-key put iscsi/ssl/{{ item.item }} {{ item.content }}"
+ run_once: true
+ delegate_to: "{{ groups.get(mon_group_name)[0] }}"
+ with_items: "{{ iscsi_ssl_files_content.results }}"
+ when: crt_files_missing
- name: copy crt file(s) to gateway nodes
copy:
- src: "{{ fetch_directory }}/{{ fsid }}/{{ item }}"
- dest: "/etc/ceph/{{ item }}"
+ content: "{{ item.stdout | b64decode }}"
+ dest: "/etc/ceph/{{ item.item }}"
owner: root
group: root
mode: 0400
changed_when: false
- with_items: "{{ crt_files }}"
+ with_items: "{{ crt_files_exist.results if not crt_files_missing else iscsi_ssl_files_content.results }}"
+ when: not crt_files_missing
+
+- name: clean temporary directory
+ file:
+ path: "{{ iscsi_ssl_tmp_dir.path }}"
+ state: absent
\ No newline at end of file
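Review bot: The copy task at L156-L168 never distributes freshly generated certificates: `when: not crt_files_missing` at L168 skips it exactly when the `else` branch of the `with_items` expression at L167 would be taken, and even if it ran, the slurp results from L142-L148 expose `content`, not the `stdout` that L160 decodes. The lookup at L70 also runs `ceph config get` whereas the store at L151 writes with `ceph config-key put`; unless `config get` reaches the key/value store here (I don't believe it does), the entries are never found, `crt_files_missing` at L111 stays true and the certificate and private key are regenerated and re-stored on every run. Using `config-key get` at L70, dropping the `when` at L168 and reading the files back from the store after the put (so the copy always iterates one result shape) would fix both. Finally, L70 and L151 put the private key into registered output, and L151 additionally places it on the monitor's command line via `{{ item.content }}`; mark L70, L142-L154 and L156-L168 `no_log: true` and consider feeding the value to the mon from a file rather than an argument.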
- /var/lib/ceph/bootstrap-mds/
- /var/lib/ceph/mds/{{ cluster }}-{{ mds_name }}
-- name: copy ceph keyring(s) if needed
+- name: get keys from monitors
+ command: "{{ hostvars[groups.get(mon_group_name)[0]]['container_exec_cmd'] | default('') }} ceph --cluster {{ cluster }} auth get {{ item.name }}"
+ register: _mds_keys
+ with_items:
+ - { name: "client.bootstrap-mds", path: "/var/lib/ceph/bootstrap-mds/{{ cluster }}.keyring", copy_key: true }
+ - { name: "client.admin", path: "/etc/ceph/{{ cluster }}.client.admin.keyring", copy_key: "{{ copy_admin_key }}" }
+ delegate_to: "{{ groups.get(mon_group_name)[0] }}"
+ when:
+ - cephx | bool
+ - item.copy_key | bool
+
+- name: copy ceph key(s) if needed
copy:
- src: "{{ fetch_directory }}/{{ fsid }}/{{ item.name }}"
- dest: "{{ item.name }}"
+ dest: "{{ item.item.path }}"
+ content: "{{ item.stdout + '\n' }}"
owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
mode: "{{ ceph_keyring_permissions }}"
- with_items:
- - { name: "/var/lib/ceph/bootstrap-mds/{{ cluster }}.keyring", copy_key: true }
- - { name: "/etc/ceph/{{ cluster }}.client.admin.keyring", copy_key: "{{ copy_admin_key }}" }
+ with_items: "{{ _mds_keys.results }}"
when:
- - cephx
- - item.copy_key|bool
+ - cephx | bool
+ - item.item.copy_key | bool
\ No newline at end of file
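Review bot: L179 resolves `container_exec_cmd` through the monitor's hostvars (`hostvars[groups.get(mon_group_name)[0]]['container_exec_cmd'] | default('')`), but the sibling tasks at L25, L267, L422, L451, L515, L561 and L591 use the bare `{{ container_exec_cmd }}` on a task delegated to the mon. As far as I recall, `delegate_to` changes the connection but not the variable scope, so where a role sets its own `container_exec_cmd` fact (as L209 does for mds, pointing at the mds container) the delegated `ceph auth get` would try to exec into a container that does not exist on the monitor. Use the hostvars form everywhere, or factor it into one shared fact, so the delegated command is built the same way in every role.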
set_fact:
container_exec_cmd: "{{ container_binary }} exec ceph-mds-{{ ansible_hostname }}"
-- name: set_fact admin_keyring
- set_fact:
- admin_keyring:
- - "/etc/ceph/{{ cluster }}.client.admin.keyring"
- when: copy_admin_key
-
-- name: set_fact ceph_config_keys
- set_fact:
- ceph_config_keys:
- - /var/lib/ceph/bootstrap-mds/{{ cluster }}.keyring
-
-- name: merge ceph_config_keys and admin_keyring
- set_fact:
- ceph_config_keys: "{{ ceph_config_keys + admin_keyring }}"
- when: copy_admin_key
-
-- name: stat for ceph config and keys
- stat:
- path: "{{ fetch_directory }}/{{ fsid }}/{{ item }}"
- delegate_to: localhost
- with_items: "{{ ceph_config_keys }}"
- changed_when: false
- become: false
- failed_when: false
- check_mode: no
- register: statconfig
-
-- name: try to fetch ceph config and keys
- copy:
- src: "{{ fetch_directory }}/{{ fsid }}/{{ item.0 }}"
- dest: "{{ item.0 }}"
- owner: root
- group: root
- mode: 0644
- changed_when: false
- with_together:
- - "{{ ceph_config_keys }}"
- - "{{ statconfig.results }}"
- when: item.1.stat.exists
-
- name: generate systemd unit file
become: true
template:
run_once: True
delegate_to: "{{ groups[mon_group_name][0] }}"
- - name: copy ceph mgr key(s) from mon node to the ansible server
- fetch:
- src: "{{ ceph_conf_key_directory }}/{{ cluster }}.mgr.{{ hostvars[item]['ansible_hostname'] }}.keyring"
- dest: "{{ fetch_directory }}/{{ fsid }}/{{ ceph_conf_key_directory }}/{{ cluster }}.mgr.{{ hostvars[item]['ansible_hostname'] }}.keyring"
- flat: yes
+ - name: set_fact _mgr_keys
+ set_fact:
+ _mgr_keys: "{{ _mgr_keys | default([{ 'name': 'client.admin', 'path': '/etc/ceph/' + cluster + '.client.admin.keyring', 'copy_key': copy_admin_key, 'hostname': hostvars[item]['ansible_hostname'] }]) + [{ 'name': 'mgr.' + hostvars[item]['ansible_hostname'], 'path': '/var/lib/ceph/mgr/' + cluster + '-' + hostvars[item]['ansible_hostname'] + '/keyring', 'copy_key': true, 'hostname': hostvars[item]['ansible_hostname'] }] }}"
with_items: "{{ groups.get(mgr_group_name, []) }}"
- delegate_to: "{{ groups[mon_group_name][0] }}"
- - name: copy ceph keyring(s) to mgr node
+ - name: get keys from monitors
+ command: "{{ container_exec_cmd }} ceph --cluster {{ cluster }} auth get {{ item.name }}"
+ register: _mgr_keys
+ with_items: "{{ _mgr_keys }}"
+ delegate_to: "{{ groups.get(mon_group_name)[0] }}"
+ when:
+ - cephx | bool
+ - item.copy_key | bool
+
+ - name: copy ceph key(s) if needed
copy:
- src: "{{ fetch_directory }}/{{ fsid }}/etc/ceph/{{ cluster }}.mgr.{{ ansible_hostname }}.keyring"
- dest: "/var/lib/ceph/mgr/{{ cluster }}-{{ ansible_hostname }}/keyring"
+ dest: "{{ item.item.path }}"
+ content: "{{ item.stdout + '\n' }}"
owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
mode: "{{ ceph_keyring_permissions }}"
- when: cephx | bool
-
-- name: copy ceph keyring(s) if needed
- copy:
- src: "{{ fetch_directory }}/{{ fsid }}/etc/ceph/{{ cluster }}.client.admin.keyring"
- dest: "/etc/ceph/{{ cluster }}.client.admin.keyring"
- owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
- group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
- mode: "{{ ceph_keyring_permissions }}"
- when:
- - cephx | bool
- - groups.get(mgr_group_name, []) | length > 0
- - copy_admin_key | bool
+ with_items: "{{ _mgr_keys.results }}"
+ delegate_to: "{{ item.item.hostname }}"
+ run_once: true
+ when:
+ - cephx | bool
+ - item.item.copy_key | bool
- name: set mgr key permissions
file:
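Review bot: With `copy_admin_key` enabled the admin keyring now reaches only the first mgr host: the `default([...])` at L262 seeds the `client.admin` entry with the `hostname` of the first loop item only, and every later iteration appends just the `mgr.<host>` entry, whereas the removed task at L286-L296 copied it to every mgr node. Move the `client.admin` dict out of `default()` into the appended list, i.e. `_mgr_keys: "{{ _mgr_keys | default([]) + [ <client.admin entry>, <mgr.<host> entry> ] }}"` with both dicts built from `hostvars[item]['ansible_hostname']`, so each iteration emits both entries. Registering the command result into the same `_mgr_keys` name at L268 that feeds its own `with_items` at L269 also reads badly; a distinct name such as `_mgr_keys_results` (with `no_log: true`) avoids the confusion. The enclosing block starts before this hunk.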
delay: "{{ handler_health_mon_check_delay }}"
changed_when: false
-- name: tasks for MONs when cephx is enabled
- when: cephx | bool
- block:
- - name: fetch ceph initial keys
- ceph_key:
- state: fetch_initial_keys
- cluster: "{{ cluster }}"
- owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
- group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
- mode: "0400"
- environment:
- CEPH_CONTAINER_IMAGE: "{{ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment else None }}"
- CEPH_CONTAINER_BINARY: "{{ container_binary }}"
- CEPH_ROLLING_UPDATE: "{{ rolling_update }}"
-
- - name: copy keys to the ansible server
- fetch:
- src: "{{ item }}"
- dest: "{{ fetch_directory }}/{{ fsid }}/{{ item }}"
- flat: yes
- with_items:
- - /var/lib/ceph/bootstrap-osd/{{ cluster }}.keyring
- - /var/lib/ceph/bootstrap-rgw/{{ cluster }}.keyring
- - /var/lib/ceph/bootstrap-mds/{{ cluster }}.keyring
- - /var/lib/ceph/bootstrap-rbd/{{ cluster }}.keyring
- - /var/lib/ceph/bootstrap-rbd-mirror/{{ cluster }}.keyring
- - /etc/ceph/{{ cluster }}.client.admin.keyring
- when: inventory_hostname == groups[mon_group_name] | last
+- name: fetch ceph initial keys
+ ceph_key:
+ state: fetch_initial_keys
+ cluster: "{{ cluster }}"
+ owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
+ group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
+ mode: "0400"
+ environment:
+ CEPH_CONTAINER_IMAGE: "{{ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment else None }}"
+ CEPH_CONTAINER_BINARY: "{{ container_binary }}"
+ CEPH_ROLLING_UPDATE: "{{ rolling_update }}"
+ when:
+ - cephx | bool
---
- name: keyring related tasks
block:
- - name: set_fact admin_keyring
- set_fact:
- admin_keyring:
- - "/etc/ceph/{{ cluster }}.client.admin.keyring"
- when: copy_admin_key | bool
+ - name: get keys from monitors
+ command: "{{ hostvars[groups.get(mon_group_name)[0]]['container_exec_cmd'] | default('') }} ceph --cluster {{ cluster }} auth get {{ item.name }}"
+ register: _rgw_keys
+ with_items:
+ - { name: "client.bootstrap-rgw", path: "/var/lib/ceph/bootstrap-rgw/{{ cluster }}.keyring", copy_key: true }
+ - { name: "client.admin", path: "/etc/ceph/{{ cluster }}.client.admin.keyring", copy_key: "{{ copy_admin_key }}" }
+ delegate_to: "{{ groups.get(mon_group_name)[0] }}"
+ when:
+ - cephx | bool
+ - item.copy_key | bool
- - name: set_fact ceph_config_keys
- set_fact:
- ceph_config_keys:
- - /var/lib/ceph/bootstrap-rgw/{{ cluster }}.keyring
-
- - name: merge ceph_config_keys and admin_keyring
- set_fact:
- ceph_config_keys: "{{ ceph_config_keys + admin_keyring }}"
- when: copy_admin_key | bool
-
- - name: stat for config and keys
- stat:
- path: "{{ fetch_directory }}/{{ fsid }}/{{ item }}"
- delegate_to: localhost
- with_items: "{{ ceph_config_keys }}"
- changed_when: false
- become: false
- failed_when: false
- check_mode: no
- register: statconfig
-
- - name: try to fetch config and keys
+ - name: copy ceph key(s) if needed
copy:
- src: "{{ fetch_directory }}/{{ fsid }}/{{ item.0 }}"
- dest: "{{ item.0 }}"
- owner: "64045"
- group: "64045"
- mode: 0644
- changed_when: false
- with_together:
- - "{{ ceph_config_keys }}"
- - "{{ statconfig.results }}"
- when: item.1.stat.exists
+ dest: "{{ item.item.path }}"
+ content: "{{ item.stdout + '\n' }}"
+ owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
+ group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
+ mode: "{{ ceph_keyring_permissions }}"
+ with_items: "{{ _rgw_keys.results }}"
+ when:
+ - cephx | bool
+ - item.item.copy_key | bool
when: groups.get(mon_group_name, []) | length > 0
- name: dbus related tasks
- cephx | bool
- groups.get(mon_group_name, []) | length > 0
block:
- - name: copy bootstrap cephx keys
- copy:
- src: "{{ fetch_directory }}/{{ fsid }}/{{ item.name }}"
- dest: "{{ item.name }}"
- owner: "ceph"
- group: "ceph"
- mode: "0600"
+ - name: get keys from monitors
+ command: "{{ container_exec_cmd }} ceph --cluster {{ cluster }} auth get {{ item.name }}"
+ register: _rgw_keys
with_items:
- - { name: "/var/lib/ceph/bootstrap-rgw/{{ cluster }}.keyring", copy_key: "{{ nfs_obj_gw }}" }
- - { name: "/etc/ceph/{{ cluster }}.client.admin.keyring", copy_key: "{{ copy_admin_key }}" }
- when: item.copy_key | bool
+ - { name: "client.bootstrap-rgw", path: "/var/lib/ceph/bootstrap-rgw/{{ cluster }}.keyring", copy_key: true }
+ - { name: "client.admin", path: "/etc/ceph/{{ cluster }}.client.admin.keyring", copy_key: "{{ copy_admin_key }}" }
+ delegate_to: "{{ groups.get(mon_group_name)[0] }}"
+ when:
+ - cephx | bool
+ - item.copy_key | bool
+
+ - name: copy ceph key(s) if needed
+ copy:
+ dest: "{{ item.item.path }}"
+ content: "{{ item.stdout + '\n' }}"
+ owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
+ group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
+ mode: "{{ ceph_keyring_permissions }}"
+ with_items: "{{ _rgw_keys.results }}"
+ when:
+ - cephx | bool
+ - item.item.copy_key | bool
- name: nfs object gateway related tasks
when: nfs_obj_gw | bool
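Review bot: L428 hard-codes `copy_key: true` for `client.bootstrap-rgw`, while the task it replaces (L425) only copied that keyring when `nfs_obj_gw` was set, so NFS nodes that export CephFS only now receive an RGW bootstrap key they have no use for. Keep the previous gating with `copy_key: "{{ nfs_obj_gw }}"` on L428; the `item.copy_key | bool` checks at L433 and L445 already honour it. The enclosing block and its `when` list (L411-L412) start before this hunk.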
- /var/lib/ceph/bootstrap-osd/
- /var/lib/ceph/osd/
+- name: get keys from monitors
+ command: "{{ container_exec_cmd }} ceph --cluster {{ cluster }} auth get {{ item.name }}"
+ register: _osd_keys
+ with_items:
+ - { name: "client.bootstrap-osd", path: "/var/lib/ceph/bootstrap-osd/{{ cluster }}.keyring", copy_key: true }
+ - { name: "client.admin", path: "/etc/ceph/{{ cluster }}.client.admin.keyring", copy_key: "{{ copy_admin_key }}" }
+ delegate_to: "{{ groups.get(mon_group_name)[0] }}"
+ when:
+ - cephx | bool
+ - item.copy_key | bool
+
- name: copy ceph key(s) if needed
copy:
- src: "{{ fetch_directory }}/{{ fsid }}/{{ item.name }}"
- dest: "{{ item.name }}"
+ dest: "{{ item.item.path }}"
+ content: "{{ item.stdout + '\n' }}"
owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
mode: "{{ ceph_keyring_permissions }}"
- with_items:
- - { name: "/var/lib/ceph/bootstrap-osd/{{ cluster }}.keyring", copy_key: true }
- - { name: "/etc/ceph/{{ cluster }}.client.admin.keyring", copy_key: "{{ copy_admin_key }}" }
+ with_items: "{{ _osd_keys.results }}"
when:
- cephx | bool
- - item.copy_key | bool
+ - item.item.copy_key | bool
when: item.application is defined
- name: create openstack cephx key(s)
- ceph_key:
- state: present
- name: "{{ item.name }}"
- caps: "{{ item.caps }}"
- secret: "{{ item.key | default('') }}"
- cluster: "{{ cluster }}"
- mode: "{{ item.mode|default(omit) }}"
- environment:
- CEPH_CONTAINER_IMAGE: "{{ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment else None }}"
- CEPH_CONTAINER_BINARY: "{{ container_binary }}"
- with_items: "{{ openstack_keys }}"
- delegate_to: "{{ groups[mon_group_name][0] }}"
- when: cephx | bool
+ block:
+ - name: generate keys
+ ceph_key:
+ state: present
+ name: "{{ item.name }}"
+ caps: "{{ item.caps }}"
+ secret: "{{ item.key | default('') }}"
+ cluster: "{{ cluster }}"
+ mode: "{{ item.mode|default(omit) }}"
+ environment:
+ CEPH_CONTAINER_IMAGE: "{{ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment else None }}"
+ CEPH_CONTAINER_BINARY: "{{ container_binary }}"
+ with_items: "{{ openstack_keys }}"
+ delegate_to: "{{ groups[mon_group_name][0] }}"
-- name: fetch openstack cephx key(s)
- fetch:
- src: "/etc/ceph/{{ cluster }}.{{ item.name }}.keyring"
- dest: "{{ fetch_directory }}/{{ fsid }}/etc/ceph/{{ cluster }}.{{ item.name }}.keyring"
- flat: yes
- delegate_to: "{{ groups[mon_group_name][0] }}"
- with_items: "{{ openstack_keys }}"
+ - name: get keys from monitors
+ command: "{{ container_exec_cmd }} ceph --cluster {{ cluster }} auth get {{ item.name }}"
+ register: _osp_keys
+ with_items: "{{ openstack_keys }}"
+ delegate_to: "{{ groups.get(mon_group_name)[0] }}"
-- name: copy to other mons the openstack cephx key(s)
- copy:
- src: "{{ fetch_directory }}/{{ fsid }}/etc/ceph/{{ cluster }}.{{ item.1.name }}.keyring"
- dest: "/etc/ceph/{{ cluster }}.{{ item.1.name }}.keyring"
- owner: "{{ ceph_uid }}"
- group: "{{ ceph_uid }}"
- mode: "{{ item.1.mode|default(omit) }}"
- with_nested:
- - "{{ groups[mon_group_name] }}"
- - "{{ openstack_keys }}"
- delegate_to: "{{ item.0 }}"
+ - name: copy ceph key(s) if needed
+ copy:
+ dest: "/etc/ceph/{{ cluster }}.{{ item.0.item.name }}.keyring"
+ content: "{{ item.0.stdout + '\n' }}"
+ owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
+ group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
+ mode: "{{ item.0.item.mode }}"
+ with_nested:
+ - "{{ _osp_keys.results }}"
+ - "{{ groups[mon_group_name] }}"
+ delegate_to: "{{ item.1 }}"
when:
- cephx | bool
- openstack_config | bool
- - item.0 != groups[mon_group_name]
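Review bot: `mode: "{{ item.0.item.mode }}"` at L536 fails with an undefined-attribute error for any `openstack_keys` entry without a `mode`, which the generating task at L501 (`item.mode|default(omit)`) and the removed copy at L525 both tolerated; use `mode: "{{ item.0.item.mode | default(omit) }}"`. The `get keys from monitors` task at L514-L518 also registers the OpenStack client secrets into `_osp_keys` without `no_log: true`, and the copy at L530-L540 exposes them again through `content`; both need the keyword. The enclosing block and its `when` list start before and continue past this hunk.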
# SETUP #
#########
-fetch_directory: fetch/
-
# Even though rbd-mirror nodes should not have the admin key
# at their disposal, some people might want to have it
# distributed on rbd-mirror nodes. Setting 'copy_admin_key' to 'true'
---
-- name: copy rbd-mirror bootstrap key
- copy:
- src: "{{ fetch_directory }}/{{ fsid }}/var/lib/ceph/bootstrap-rbd-mirror/{{ cluster }}.keyring"
- dest: "/var/lib/ceph/bootstrap-rbd-mirror/{{ cluster }}.keyring"
- owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
- group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
- mode: "{{ ceph_keyring_permissions }}"
+- name: get keys from monitors
+ command: "{{ container_exec_cmd }} ceph --cluster {{ cluster }} auth get {{ item.name }}"
+ register: _rbd_mirror_keys
+ with_items:
+ - { name: "client.bootstrap-rbd-mirror", path: "/var/lib/ceph/bootstrap-rbd-mirror/{{ cluster }}.keyring", copy_key: true }
+ - { name: "client.admin", path: "/etc/ceph/{{ cluster }}.client.admin.keyring", copy_key: "{{ copy_admin_key }}" }
+ delegate_to: "{{ groups.get(mon_group_name)[0] }}"
+ when:
+ - cephx | bool
+ - item.copy_key | bool
-- name: copy ceph admin keyring if needed
+- name: copy ceph key(s) if needed
copy:
- src: "{{ fetch_directory }}/{{ fsid }}/etc/ceph/{{ cluster }}.client.admin.keyring"
- dest: "/etc/ceph/{{ cluster }}.client.admin.keyring"
+ dest: "{{ item.item.path }}"
+ content: "{{ item.stdout + '\n' }}"
owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
mode: "{{ ceph_keyring_permissions }}"
- when: copy_admin_key | bool
+ with_items: "{{ _rbd_mirror_keys.results }}"
+ when:
+ - cephx | bool
+ - item.item.copy_key | bool
- name: create rbd-mirror keyring
command: >
with_items: "{{ rgw_instances }}"
when: rgw_instances is defined
-- name: copy ceph keyring(s) if needed
+- name: get keys from monitors
+ command: "{{ container_exec_cmd }} ceph --cluster {{ cluster }} auth get {{ item.name }}"
+ register: _rgw_keys
+ with_items:
+ - { name: "client.bootstrap-rgw", path: "/var/lib/ceph/bootstrap-rgw/{{ cluster }}.keyring", copy_key: true }
+ - { name: "client.admin", path: "/etc/ceph/{{ cluster }}.client.admin.keyring", copy_key: "{{ copy_admin_key }}" }
+ delegate_to: "{{ groups.get(mon_group_name)[0] }}"
+ when:
+ - cephx | bool
+ - item.copy_key | bool
+
+- name: copy ceph key(s) if needed
copy:
- src: "{{ fetch_directory }}/{{ fsid }}/{{ item.name }}"
- dest: "{{ item.name }}"
+ dest: "{{ item.item.path }}"
+ content: "{{ item.stdout + '\n' }}"
owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
mode: "{{ ceph_keyring_permissions }}"
- with_items:
- - { name: "/var/lib/ceph/bootstrap-rgw/{{ cluster }}.keyring", copy_key: true }
- - { name: "/etc/ceph/{{ cluster }}.client.admin.keyring", copy_key: "{{ copy_admin_key }}" }
+ with_items: "{{ _rgw_keys.results }}"
when:
- cephx | bool
- - item.copy_key | bool
+ - item.item.copy_key | bool