Add OSD secret before monitor starts

Commit e1f084 introduced a regression when the bootstrap OSD secret is
stored in encrypted databags (EDB). The problem is that if the first
monitor is started without the bootstrap OSD key in the keyring, a
random OSD secret is generated, which will then not match the
pre-generated one.

The solution is to revert the resource that adds the bootstrap OSD key
to where it was (before monitor starts) but add a condition that ensures
this is only done if EDBs are enabled. When EDBs are not enabled, it is
not necessary to add the bootstrap OSD key to the keyring.

diff --git a/recipes/mon.rb b/recipes/mon.rb
index 7e0cc1d0594bf01581dbf96a223ec310af7a225d..9ca5e0da50cc7595ea2f473bfc40fd3d9173f7ba 100644 (file)
--- a/recipes/mon.rb
+++ b/recipes/mon.rb
@@ -55,6 +55,11 @@ execute 'generate mon-secret as keyring' do
   notifies :create, 'ruby_block[save mon_secret]', :immediately
 end
 
+execute 'add bootstrap-osd key to keyring' do
+  command lazy { "ceph-authtool '#{keyring}' --name=client.bootstrap-osd --add-key='#{osd_secret}' --cap mon 'allow profile bootstrap-osd'  --cap osd 'allow profile bootstrap-osd'" }
+  only_if { node['ceph']['encrypted_data_bags'] && osd_secret }
+end
+
 ruby_block 'save mon_secret' do
   block do
     fetch = Mixlib::ShellOut.new("ceph-authtool '#{keyring}' --print-key --name=mon.")
@@ -125,8 +130,3 @@ if use_cephx? && !node['ceph']['encrypted_data_bags']
     not_if { node['ceph']['bootstrap_osd_key'] }
   end
 end
-
-execute 'add bootstrap-osd key to keyring' do
-  command lazy { "ceph-authtool '#{keyring}' --name=client.bootstrap-osd --add-key='#{osd_secret}' --cap mon 'allow profile bootstrap-osd'  --cap osd 'allow profile bootstrap-osd'" }
-  only_if { osd_secret }
-end