From: Sergio de Carvalho
Date: Tue, 19 May 2015 14:05:48 +0000 (+0100)
Subject: Add OSD secret when using encrypted data bags
X-Git-Tag: v0.8.1~11^2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=807f0880f8c4ed9b6b1f77715108c660e9c123ab;p=ceph-cookbooks.git

Add OSD secret when using encrypted data bags

When encrypted_data_bags is enabled, it is necessary to inject the OSD secret into the monitor keyring used to create the cluster. If that isn't done, by the time the OSD recipe tries to use the OSD secret as client.bootstrap-osd, Ceph will have generated a random key (and it won't match the key from the encrypted data bag).
---
diff --git a/recipes/mon.rb b/recipes/mon.rb
index 72569f1..aa70924 100644
--- a/recipes/mon.rb
+++ b/recipes/mon.rb
@@ -44,17 +44,22 @@ keyring = "#{Chef::Config[:file_cache_path]}/#{cluster}-#{node['hostname']}.mon.
 execute 'format mon-secret as keyring' do
   command lazy { "ceph-authtool '#{keyring}' --create-keyring --name=mon. --add-key='#{mon_secret}' --cap mon 'allow *'" }
-  creates "#{Chef::Config[:file_cache_path]}/#{cluster}-#{node['hostname']}.mon.keyring"
+  creates keyring
   only_if { mon_secret }
 end
 
 execute 'generate mon-secret as keyring' do
   command "ceph-authtool '#{keyring}' --create-keyring --name=mon. --gen-key --cap mon 'allow *'"
-  creates "#{Chef::Config[:file_cache_path]}/#{cluster}-#{node['hostname']}.mon.keyring"
+  creates keyring
   not_if { mon_secret }
   notifies :create, 'ruby_block[save mon_secret]', :immediately
 end
 
+execute 'add bootstrap-osd key to keyring' do
+  command lazy { "ceph-authtool '#{keyring}' --name=client.bootstrap-osd --add-key='#{osd_secret}' --cap mon 'allow profile bootstrap-osd' --cap osd 'allow profile bootstrap-osd'" }
+  only_if { osd_secret }
+end
+
 ruby_block 'save mon_secret' do
   block do
     fetch = Mixlib::ShellOut.new("ceph-authtool '#{keyring}' --print-key --name=mon.")