Merge "Migrate ceph keyring creation to kolla_ceph_keyring module"

ansible/roles/ceph/defaults/main.yml

@@ -46,6 +46,16 @@ ceph_client_admin_keyring_caps:
   osd: "allow *"
   mgr: "allow *"
 
+ceph_client_mgr_keyring_caps:
+  mon: 'allow profile mgr'
+  osd: 'allow *'
+  mds: 'allow *'
+
+ceph_client_mds_keyring_caps:
+  mds: 'allow '
+  osd: 'allow *'
+  mon: 'allow rwx'
+
 partition_name_osd_bootstrap: "{{ 'KOLLA_CEPH_OSD_BOOTSTRAP_BS' if ceph_osd_store_type == 'bluestore' else 'KOLLA_CEPH_OSD_BOOTSTRAP' }}"
 partition_name_cache_bootstrap: "{{ 'KOLLA_CEPH_OSD_CACHE_BOOTSTRAP_BS' if ceph_osd_store_type == 'bluestore' else 'KOLLA_CEPH_OSD_CACHE_BOOTSTRAP' }}"
 partition_name_osd_data: "{{ 'KOLLA_CEPH_BSDATA' if ceph_osd_store_type == 'bluestore' else 'KOLLA_CEPH_DATA' }}"

ansible/roles/ceph/tasks/start_mdss.yml

@@ -20,17 +20,20 @@
       pool_pgp_num: "{{ cephfs_metadata_pool_pgp_num }}"
 
 - name: Geting ceph mds keyring
-  command: docker exec ceph_mon ceph auth get-or-create mds.{{ hostvars[item]['inventory_hostname'] }} mds 'allow ' osd 'allow *' mon 'allow rwx'
+  kolla_ceph_keyring:
+    name: "mds.{{ hostvars[item]['inventory_hostname'] }}"
+    caps: "{{ ceph_client_mds_keyring_caps }}"
   register: ceph_mds_auth
   run_once: true
   delegate_to: "{{ groups['ceph-mon'][0] }}"
-  changed_when: false
   with_items: "{{ groups['ceph-mds'] }}"
 
 - name: Pushing ceph mds keyring to ceph-mds
   become: true
   copy:
-    content: "{{ item.stdout }}\n"
+    content: |
+      [mds.{{ item.item }}]
+          key = {{ item.keyring.key }}
     dest: "{{ node_config_directory }}/ceph-mds/ceph.mds.{{ inventory_hostname }}.keyring"
     mode: 0600
   when:

ansible/roles/ceph/tasks/start_mgrs.yml

 ---
 - name: Getting ceph mgr keyring
-  command: docker exec ceph_mon ceph auth get-or-create mgr.{{ item }} mon 'allow profile mgr' osd 'allow *' mds 'allow *'
+  kolla_ceph_keyring:
+    name: "mgr.{{ item }}"
+    caps: "{{ ceph_client_mgr_keyring_caps }}"
   register: ceph_mgr_keyring
   run_once: true
   delegate_to: "{{ groups['ceph-mon'][0] }}"
-  changed_when: false
   with_items: "{{ groups['ceph-mgr'] }}"
 
 - name: Pushing ceph mgr keyring to ceph-mgr
   become: true
   copy:
-    content: "{{ item.stdout }}\n"
+    content: |
+      [mgr.{{ item.item }}]
+          key = {{ item.keyring.key }}
     dest: "{{ node_config_directory }}/ceph-mgr/ceph.mgr.{{ inventory_hostname }}.keyring"
     mode: 0600
   when:

ansible/roles/cinder/defaults/main.yml

@@ -77,6 +77,24 @@ cinder_backup_cache_mode: "{{ ceph_cinder_backup_cache_mode }}"
 cinder_backup_pool_pg_num: "{{ ceph_pool_pg_num }}"
 cinder_backup_pool_pgp_num: "{{ ceph_pool_pgp_num }}"
 
+ceph_client_cinder_keyring_caps:
+  mon: 'allow r'
+  osd: >-
+    allow class-read object_prefix rbd_children,
+    allow rwx pool={{ ceph_cinder_pool_name }},
+    allow rwx pool={{ ceph_cinder_pool_name }}-cache,
+    allow rwx pool={{ ceph_nova_pool_name }},
+    allow rwx pool={{ ceph_nova_pool_name }}-cache,
+    allow rx pool={{ ceph_glance_pool_name }},
+    allow rx pool={{ ceph_glance_pool_name }}-cache
+
+ceph_client_cinder_backup_keyring_caps:
+  mon: 'allow r'
+  osd: >-
+    allow class-read object_prefix rbd_children,
+    allow rwx pool={{ ceph_cinder_backup_pool_name }},
+    allow rwx pool={{ ceph_cinder_backup_pool_name }}-cache
+
 
 ####################
 # Database

ansible/roles/cinder/tasks/ceph.yml

@@ -54,32 +54,34 @@
     pool_pgp_num: "{{ cinder_backup_pool_pgp_num }}"
     pool_application: "rbd"
 
-# TODO(SamYaple): Improve changed_when tests
 - name: Pulling cephx keyring for cinder
-  command: docker exec ceph_mon ceph auth get-or-create client.cinder mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ ceph_cinder_pool_name }}, allow rwx pool={{ ceph_cinder_pool_name }}-cache, allow rwx pool={{ ceph_nova_pool_name }}, allow rwx pool={{ ceph_nova_pool_name }}-cache, allow rx pool={{ ceph_glance_pool_name }}, allow rx pool={{ ceph_glance_pool_name }}-cache'
+  kolla_ceph_keyring:
+    name: client.cinder
+    caps: "{{ ceph_client_cinder_keyring_caps }}"
   register: cephx_key_cinder
   delegate_to: "{{ groups['ceph-mon'][0] }}"
-  changed_when: False
   run_once: True
 
-# TODO(SamYaple): Improve changed_when tests
 - name: Pulling cephx keyring for cinder-backup
-  command: docker exec ceph_mon ceph auth get-or-create client.cinder-backup mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ ceph_cinder_backup_pool_name }}, allow rwx pool={{ ceph_cinder_backup_pool_name }}-cache'
+  kolla_ceph_keyring:
+    name: client.cinder-backup
+    caps: "{{ ceph_client_cinder_backup_keyring_caps }}"
   register: cephx_key_cinder_backup
   delegate_to: "{{ groups['ceph-mon'][0] }}"
-  changed_when: False
   run_once: True
 
 - name: Pushing cephx keyring
   copy:
-    content: "{{ item.content }}\n\r"
+    content: |
+      [client.{{ item.key_name }}]
+          key = {{ item.key }}
     dest: "{{ node_config_directory }}/{{ item.service_name }}/ceph.client.{{ item.key_name }}.keyring"
     mode: "0600"
   become: true
   with_items:
-    - { service_name: "cinder-volume", key_name: "cinder", content: "{{ cephx_key_cinder.stdout }}" }
-    - { service_name: "cinder-backup", key_name: "cinder", content: "{{ cephx_key_cinder.stdout }}" }
-    - { service_name: "cinder-backup", key_name: "cinder-backup", content: "{{ cephx_key_cinder_backup.stdout }}" }
+    - { service_name: "cinder-volume", key_name: "cinder", key: "{{ cephx_key_cinder.keyring.key }}" }
+    - { service_name: "cinder-backup", key_name: "cinder", key: "{{ cephx_key_cinder.keyring.key }}" }
+    - { service_name: "cinder-backup", key_name: "cinder-backup", key: "{{ cephx_key_cinder_backup.keyring.key }}" }
   when:
     - inventory_hostname in groups[item.service_name]
     - cinder_services[item.service_name].enabled | bool

ansible/roles/glance/defaults/main.yml

@@ -48,6 +48,13 @@ glance_cache_mode: "{{ ceph_glance_cache_mode }}"
 glance_pool_pg_num: "{{ ceph_pool_pg_num }}"
 glance_pool_pgp_num: "{{ ceph_pool_pgp_num }}"
 
+ceph_client_glance_keyring_caps:
+  mon: 'allow r'
+  osd: >-
+    allow class-read object_prefix rbd_children,
+    allow rwx pool={{ ceph_glance_pool_name }},
+    allow rwx pool={{ ceph_glance_pool_name }}-cache
+
 
 ####################
 # Database

ansible/roles/glance/tasks/ceph.yml

@@ -25,17 +25,19 @@
     pool_pgp_num: "{{ glance_pool_pgp_num }}"
     pool_application: "rbd"
 
-# TODO(SamYaple): Improve changed_when tests
 - name: Pulling cephx keyring
-  command: docker exec ceph_mon ceph auth get-or-create client.glance mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ ceph_glance_pool_name }}, allow rwx pool={{ ceph_glance_pool_name }}-cache'
+  kolla_ceph_keyring:
+    name: client.glance
+    caps: "{{ ceph_client_glance_keyring_caps }}"
   register: cephx_key
   delegate_to: "{{ groups['ceph-mon'][0] }}"
-  changed_when: False
   run_once: True
 
 - name: Pushing cephx keyring
   copy:
-    content: "{{ cephx_key.stdout }}\n\r"
+    content: |
+      [client.glance]
+          key = {{ cephx_key.keyring.key }}
     dest: "{{ node_config_directory }}/glance-api/ceph.client.glance.keyring"
     mode: "0600"
   when: inventory_hostname in groups['glance-api']

ansible/roles/gnocchi/defaults/main.yml

@@ -48,6 +48,13 @@ gnocchi_cache_mode: "{{ ceph_gnocchi_cache_mode }}"
 gnocchi_pool_pg_num: "{{ ceph_pool_pg_num }}"
 gnocchi_pool_pgp_num: "{{ ceph_pool_pgp_num }}"
 
+ceph_client_gnocchi_keyring_caps:
+  mon: 'allow r'
+  osd: >-
+    allow class-read object_prefix rbd_children,
+    allow rwx pool={{ ceph_gnocchi_pool_name }},
+    allow rwx pool={{ ceph_gnocchi_pool_name }}-cache
+
 
 ####################
 # Database

ansible/roles/gnocchi/tasks/ceph.yml

@@ -31,17 +31,19 @@
     pool_pgp_num: "{{ gnocchi_pool_pgp_num }}"
     pool_application: "rgw"
 
-# TODO(SamYaple): Improve changed_when tests
 - name: Pulling cephx keyring
-  command: docker exec ceph_mon ceph auth get-or-create client.gnocchi mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ ceph_gnocchi_pool_name }}, allow rwx pool={{ ceph_gnocchi_pool_name }}-cache'
+  kolla_ceph_keyring:
+    name: client.gnocchi
+    caps: "{{ ceph_client_gnocchi_keyring_caps }}"
   register: cephx_key
   delegate_to: "{{ groups['ceph-mon'][0] }}"
-  changed_when: False
   run_once: True
 
 - name: Pushing cephx keyring
   copy:
-    content: "{{ cephx_key.stdout }}\n\r"
+    content: |
+      [client.gnocchi]
+          key = {{ cephx_key.keyring.key }}
     dest: "{{ node_config_directory }}/{{ item }}/ceph.client.gnocchi.keyring"
     mode: "0600"
   when: inventory_hostname in groups[item]

ansible/roles/manila/defaults/main.yml

@@ -44,6 +44,21 @@ manila_services:
       - "kolla_logs:/var/log/kolla/"
 
 
+#####################
+## Ceph
+#####################
+
+ceph_client_manila_keyring_caps:
+  mon: >-
+    allow r,
+    allow command "auth del",
+    allow command "auth caps",
+    allow command "auth get",
+    allow command "auth get-or-create"
+  osd: 'allow rw'
+  mds: 'allow *'
+
+
 #####################
 ## Database
 #####################

ansible/roles/manila/tasks/ceph.yml

@@ -15,15 +15,18 @@
   become: true
 
 - name: Pulling cephx keyring for manila
-  command: docker exec ceph_mon ceph auth get-or-create client.manila mon 'allow r, allow command "auth del", allow command "auth caps", allow command "auth get", allow command "auth get-or-create"' osd 'allow rw' mds 'allow *'
+  kolla_ceph_keyring:
+    name: client.manila
+    caps: "{{ ceph_client_manila_keyring_caps }}"
   register: cephx_key_manila
   delegate_to: "{{ groups['ceph-mon'][0] }}"
-  changed_when: False
   run_once: True
 
 - name: Pushing cephx keyring
   copy:
-    content: "{{ cephx_key_manila.stdout }}\n\r"
+    content: |
+      [client.manila]
+          key = {{ cephx_key_manila.keyring.key }}
     dest: "{{ node_config_directory }}/manila-share/ceph.client.manila.keyring"
     mode: "0600"
   become: true

ansible/roles/nova/defaults/main.yml

@@ -154,6 +154,17 @@ nova_pool_pgp_num: "{{ ceph_pool_pgp_num }}"
 # qemu (1, 6, 0) or later. Set to "" to disable.
 nova_hw_disk_discard: "unmap"
 
+ceph_client_nova_keyring_caps:
+  mon: 'allow r'
+  osd: >-
+    allow class-read object_prefix rbd_children,
+    allow rwx pool={{ ceph_cinder_pool_name }},
+    allow rwx pool={{ ceph_cinder_pool_name }}-cache,
+    allow rwx pool={{ ceph_nova_pool_name }},
+    allow rwx pool={{ ceph_nova_pool_name }}-cache,
+    allow rwx pool={{ ceph_glance_pool_name }},
+    allow rwx pool={{ ceph_glance_pool_name }}-cache
+
 
 ####################
 # Database

ansible/roles/nova/tasks/ceph.yml

@@ -33,20 +33,12 @@
     pool_pgp_num: "{{ nova_pool_pgp_num }}"
     pool_application: "rbd"
 
-# TODO(SamYaple): Improve changed_when tests
 - name: Pulling cephx keyring for nova
-  command: docker exec ceph_mon ceph auth get-or-create client.nova mon 'allow r' osd 'allow class-read object_prefix rbd_children, allow rwx pool={{ ceph_cinder_pool_name }}, allow rwx pool={{ ceph_cinder_pool_name }}-cache, allow rwx pool={{ ceph_nova_pool_name }}, allow rwx pool={{ ceph_nova_pool_name }}-cache, allow rwx pool={{ ceph_glance_pool_name }}, allow rwx pool={{ ceph_glance_pool_name }}-cache'
-  register: cephx_key
+  kolla_ceph_keyring:
+    name: client.nova
+    caps: "{{ ceph_client_nova_keyring_caps }}"
+  register: nova_cephx_key
   delegate_to: "{{ groups['ceph-mon'][0] }}"
-  changed_when: False
-  run_once: True
-
-# TODO(SamYaple): Improve failed_when and changed_when tests
-- name: Pulling nova cephx keyring for libvirt
-  command: docker exec ceph_mon ceph auth get-key client.nova
-  register: nova_cephx_raw_key
-  delegate_to: "{{ groups['ceph-mon'][0] }}"
-  changed_when: False
   run_once: True
 
 - name: Pulling cinder cephx keyring for libvirt
@@ -61,7 +53,9 @@
 
 - name: Pushing cephx keyring for nova
   copy:
-    content: "{{ cephx_key.stdout }}\n\r"
+    content: |
+      [client.nova]
+          key = {{ nova_cephx_key.keyring.key }}
     dest: "{{ node_config_directory }}/nova-compute/ceph.client.nova.keyring"
     mode: "0600"
   when: inventory_hostname in groups['compute']
@@ -92,7 +86,7 @@
     - item.enabled | bool
   with_items:
     - uuid: "{{ rbd_secret_uuid }}"
-      content: "{{ nova_cephx_raw_key.stdout }}"
+      content: "{{ nova_cephx_key.keyring.key }}"
       enabled: true
     - uuid: "{{ cinder_rbd_secret_uuid }}"
       content: "{{ cinder_cephx_raw_key.stdout|default('') }}"