Add OSD secret when using encrypted data bags

When encrypted_data_bags is enabled, it is necessary to inject the OSD
secret into the monitor keyring used to create the cluster. If that
isn't done, by the time the OSD recipe tries to use the OSD secret as
client.bootstrap-osd, Ceph will have generated a random key (and it
won't match the key from the encrypted data bag).

diff --git a/recipes/mon.rb b/recipes/mon.rb
index 72569f1cff85a45ef8b9380c31d23a714ada4772..aa70924941079defa19676982f97ce77cb10abb9 100644 (file)
--- a/recipes/mon.rb
+++ b/recipes/mon.rb
@@ -44,17 +44,22 @@ keyring = "#{Chef::Config[:file_cache_path]}/#{cluster}-#{node['hostname']}.mon.
 
 execute 'format mon-secret as keyring' do
   command lazy { "ceph-authtool '#{keyring}' --create-keyring --name=mon. --add-key='#{mon_secret}' --cap mon 'allow *'" }
-  creates "#{Chef::Config[:file_cache_path]}/#{cluster}-#{node['hostname']}.mon.keyring"
+  creates keyring
   only_if { mon_secret }
 end
 
 execute 'generate mon-secret as keyring' do
   command "ceph-authtool '#{keyring}' --create-keyring --name=mon. --gen-key --cap mon 'allow *'"
-  creates "#{Chef::Config[:file_cache_path]}/#{cluster}-#{node['hostname']}.mon.keyring"
+  creates keyring
   not_if { mon_secret }
   notifies :create, 'ruby_block[save mon_secret]', :immediately
 end
 
+execute 'add bootstrap-osd key to keyring' do
+  command lazy { "ceph-authtool '#{keyring}' --name=client.bootstrap-osd --add-key='#{osd_secret}' --cap mon 'allow profile bootstrap-osd'  --cap osd 'allow profile bootstrap-osd'" }
+  only_if { osd_secret }
+end
+
 ruby_block 'save mon_secret' do
   block do
     fetch = Mixlib::ShellOut.new("ceph-authtool '#{keyring}' --print-key --name=mon.")