ceph-ansible/roles/ceph-iscsi-gw/tasks/deploy_ssl_keys.yml

---
- name: set_fact crt_files
  set_fact:
    crt_files:
      - "iscsi-gateway.crt"
      - "iscsi-gateway.key"
      - "iscsi-gateway.pem"
      - "iscsi-gateway-pub.key"

- name: stat for crt file(s)
  stat:
    path: "{{ fetch_directory }}/{{ fsid }}/{{ item }}"
  delegate_to: localhost
  with_items: "{{ crt_files }}"
  changed_when: false
  failed_when: false
  check_mode: no
  register: crt_files_exist

- name: create ssl crt/key files
  command: >
    openssl req -newkey rsa:2048 -nodes -keyout {{ fetch_directory }}/{{ fsid }}/iscsi-gateway.key
     -x509 -days 365 -out {{ fetch_directory }}/{{ fsid }}/iscsi-gateway.crt
     -subj "/C=US/ST=./L=./O=RedHat/OU=Linux/CN={{ ansible_hostname }}"
  delegate_to: localhost
  run_once: True
  with_items: "{{ crt_files_exist.results }}"
  when:
    - not item.stat.exists

- name: create pem
  shell: >
    cat {{ fetch_directory }}/{{ fsid }}/iscsi-gateway.crt
    {{ fetch_directory }}/{{ fsid }}/iscsi-gateway.key > {{ fetch_directory }}/{{ fsid }}/iscsi-gateway.pem
  delegate_to: localhost
  run_once: True
  register: pem
  with_items: "{{ crt_files_exist.results }}"
  when:
    - not item.stat.exists

- name: create public key from pem
  shell: >
    openssl x509 -inform pem -in {{ fetch_directory }}/{{ fsid }}/iscsi-gateway.pem
    -pubkey -noout > {{ fetch_directory }}/{{ fsid }}/iscsi-gateway-pub.key
  delegate_to: localhost
  run_once: True
  when:
    - pem.changed
  tags:
    - skip_ansible_lint

- name: copy crt file(s) to gateway nodes
  copy:
    src: "{{ fetch_directory }}/{{ fsid }}/{{ item }}"
    dest: "/etc/ceph/{{ item }}"
    owner: root
    group: root
    mode: 0400
  changed_when: false
  with_items: "{{ crt_files }}"
resync ceph-iscsi-gw with old upstream Taken from https://github.com/pcuzner/ceph-iscsi-ansible/tree/tcmu-fixes Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1454945 and https://bugzilla.redhat.com/show_bug.cgi?id=1484083 Signed-off-by: Sébastien Han <seb@redhat.com> 2017-08-05 02:18:11 +08:00			`---`
name includes and set_fact for clarity When Ansible is not run with verbose options it's difficult to see which include and/or set_fact does what. So adding a name for each clarifies. Signed-off-by: Sébastien Han <seb@redhat.com> 2017-09-15 06:48:53 +08:00			`- name: set_fact crt_files`
resync ceph-iscsi-gw with old upstream Taken from https://github.com/pcuzner/ceph-iscsi-ansible/tree/tcmu-fixes Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1454945 and https://bugzilla.redhat.com/show_bug.cgi?id=1484083 Signed-off-by: Sébastien Han <seb@redhat.com> 2017-08-05 02:18:11 +08:00			`set_fact:`
			`crt_files:`
ceph-iscsi: fix certificates generation and distribution Prior to this patch, the certificates where being generated on a single node only (because of the run_once: true). Thus certificates were not distributed on all the gateway nodes. This would require a second ansible run to work. This patches fix the creation and keys's distribution on all the nodes. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1540845 Signed-off-by: Sébastien Han <seb@redhat.com> 2018-04-03 21:20:06 +08:00			`- "iscsi-gateway.crt"`
			`- "iscsi-gateway.key"`
			`- "iscsi-gateway.pem"`
			`- "iscsi-gateway-pub.key"`
resync ceph-iscsi-gw with old upstream Taken from https://github.com/pcuzner/ceph-iscsi-ansible/tree/tcmu-fixes Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1454945 and https://bugzilla.redhat.com/show_bug.cgi?id=1484083 Signed-off-by: Sébastien Han <seb@redhat.com> 2017-08-05 02:18:11 +08:00
			`- name: stat for crt file(s)`
lint: do not use local_action Use delegate_to: localhost instead. Signed-off-by: Sébastien Han <seb@redhat.com> 2018-11-01 19:50:31 +08:00			`stat:`
syntax: change local_action syntax Use a nicer syntax for `local_action` tasks. We used to have oneliner like this: ``` local_action: wait_for port=22 host={{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }} state=started delay=10 timeout=500 }} ``` The usual syntax: ``` local_action: module: wait_for port: 22 host: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}" state: started delay: 10 timeout: 500 ``` is nicer and kind of way to keep consistency regarding the whole playbook. This also fix a potential issue about missing quotation : ``` Traceback (most recent call last): File "/tmp/ansible_wQtWsi/ansible_module_command.py", line 213, in <module> main() File "/tmp/ansible_wQtWsi/ansible_module_command.py", line 185, in main rc, out, err = module.run_command(args, executable=executable, use_unsafe_shell=shell, encoding=None, data=stdin) File "/tmp/ansible_wQtWsi/ansible_modlib.zip/ansible/module_utils/basic.py", line 2710, in run_command File "/usr/lib64/python2.7/shlex.py", line 279, in split return list(lex) File "/usr/lib64/python2.7/shlex.py", line 269, in next token = self.get_token() File "/usr/lib64/python2.7/shlex.py", line 96, in get_token raw = self.read_token() File "/usr/lib64/python2.7/shlex.py", line 172, in read_token raise ValueError, "No closing quotation" ValueError: No closing quotation ``` writing `local_action: shell echo {{ fsid }} \| tee {{ fetch_directory }}/ceph_cluster_uuid.conf` can cause trouble because it's complaining with missing quotes, this fix solves this issue. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1510555 Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com> 2018-01-31 16:23:28 +08:00			`path: "{{ fetch_directory }}/{{ fsid }}/{{ item }}"`
lint: do not use local_action Use delegate_to: localhost instead. Signed-off-by: Sébastien Han <seb@redhat.com> 2018-11-01 19:50:31 +08:00			`delegate_to: localhost`
resync ceph-iscsi-gw with old upstream Taken from https://github.com/pcuzner/ceph-iscsi-ansible/tree/tcmu-fixes Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1454945 and https://bugzilla.redhat.com/show_bug.cgi?id=1484083 Signed-off-by: Sébastien Han <seb@redhat.com> 2017-08-05 02:18:11 +08:00			`with_items: "{{ crt_files }}"`
			`changed_when: false`
			`failed_when: false`
Use check_mode instead of always_run This patch changes the `always_run: yes` task option to `check_mode: no` to avoid Ansible warnings. 2017-10-25 22:53:34 +08:00			`check_mode: no`
resync ceph-iscsi-gw with old upstream Taken from https://github.com/pcuzner/ceph-iscsi-ansible/tree/tcmu-fixes Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1454945 and https://bugzilla.redhat.com/show_bug.cgi?id=1484083 Signed-off-by: Sébastien Han <seb@redhat.com> 2017-08-05 02:18:11 +08:00			`register: crt_files_exist`

ceph-iscsi: fix certificates generation and distribution Prior to this patch, the certificates where being generated on a single node only (because of the run_once: true). Thus certificates were not distributed on all the gateway nodes. This would require a second ansible run to work. This patches fix the creation and keys's distribution on all the nodes. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1540845 Signed-off-by: Sébastien Han <seb@redhat.com> 2018-04-03 21:20:06 +08:00			`- name: create ssl crt/key files`
lint: do not use local_action Use delegate_to: localhost instead. Signed-off-by: Sébastien Han <seb@redhat.com> 2018-11-01 19:50:31 +08:00			`command: >`
			`openssl req -newkey rsa:2048 -nodes -keyout {{ fetch_directory }}/{{ fsid }}/iscsi-gateway.key`
			`-x509 -days 365 -out {{ fetch_directory }}/{{ fsid }}/iscsi-gateway.crt`
			`-subj "/C=US/ST=./L=./O=RedHat/OU=Linux/CN={{ ansible_hostname }}"`
			`delegate_to: localhost`
ceph-iscsi: fix certificates generation and distribution Prior to this patch, the certificates where being generated on a single node only (because of the run_once: true). Thus certificates were not distributed on all the gateway nodes. This would require a second ansible run to work. This patches fix the creation and keys's distribution on all the nodes. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1540845 Signed-off-by: Sébastien Han <seb@redhat.com> 2018-04-03 21:20:06 +08:00			`run_once: True`
			`with_items: "{{ crt_files_exist.results }}"`
			`when:`
lint: Don't compare to literal True/False Use `when: var` rather than `when: var == True` Signed-off-by: Sébastien Han <seb@redhat.com> 2018-11-01 21:02:55 +08:00			`- not item.stat.exists`
ceph-iscsi: fix certificates generation and distribution Prior to this patch, the certificates where being generated on a single node only (because of the run_once: true). Thus certificates were not distributed on all the gateway nodes. This would require a second ansible run to work. This patches fix the creation and keys's distribution on all the nodes. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1540845 Signed-off-by: Sébastien Han <seb@redhat.com> 2018-04-03 21:20:06 +08:00
			`- name: create pem`
lint: do not use local_action Use delegate_to: localhost instead. Signed-off-by: Sébastien Han <seb@redhat.com> 2018-11-01 19:50:31 +08:00			`shell: >`
			`cat {{ fetch_directory }}/{{ fsid }}/iscsi-gateway.crt`
			`{{ fetch_directory }}/{{ fsid }}/iscsi-gateway.key > {{ fetch_directory }}/{{ fsid }}/iscsi-gateway.pem`
			`delegate_to: localhost`
ceph-iscsi: fix certificates generation and distribution Prior to this patch, the certificates where being generated on a single node only (because of the run_once: true). Thus certificates were not distributed on all the gateway nodes. This would require a second ansible run to work. This patches fix the creation and keys's distribution on all the nodes. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1540845 Signed-off-by: Sébastien Han <seb@redhat.com> 2018-04-03 21:20:06 +08:00			`run_once: True`
			`register: pem`
			`with_items: "{{ crt_files_exist.results }}"`
			`when:`
lint: Don't compare to literal True/False Use `when: var` rather than `when: var == True` Signed-off-by: Sébastien Han <seb@redhat.com> 2018-11-01 21:02:55 +08:00			`- not item.stat.exists`
ceph-iscsi: fix certificates generation and distribution Prior to this patch, the certificates where being generated on a single node only (because of the run_once: true). Thus certificates were not distributed on all the gateway nodes. This would require a second ansible run to work. This patches fix the creation and keys's distribution on all the nodes. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1540845 Signed-off-by: Sébastien Han <seb@redhat.com> 2018-04-03 21:20:06 +08:00
			`- name: create public key from pem`
lint: do not use local_action Use delegate_to: localhost instead. Signed-off-by: Sébastien Han <seb@redhat.com> 2018-11-01 19:50:31 +08:00			`shell: >`
			`openssl x509 -inform pem -in {{ fetch_directory }}/{{ fsid }}/iscsi-gateway.pem`
			`-pubkey -noout > {{ fetch_directory }}/{{ fsid }}/iscsi-gateway-pub.key`
			`delegate_to: localhost`
ceph-iscsi: fix certificates generation and distribution Prior to this patch, the certificates where being generated on a single node only (because of the run_once: true). Thus certificates were not distributed on all the gateway nodes. This would require a second ansible run to work. This patches fix the creation and keys's distribution on all the nodes. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1540845 Signed-off-by: Sébastien Han <seb@redhat.com> 2018-04-03 21:20:06 +08:00			`run_once: True`
			`when:`
			`- pem.changed`
lint: skip the linter Do not run the linter for these 3: * we use latest for pip docker-py package * for ssl keys this is a false positive since the inital command is a 'shell' it'll always change * for keystone, we must use shell since the with_items contains pipes Signed-off-by: Sébastien Han <seb@redhat.com> 2018-10-31 00:13:20 +08:00			`tags:`
			`- skip_ansible_lint`
ceph-iscsi: fix certificates generation and distribution Prior to this patch, the certificates where being generated on a single node only (because of the run_once: true). Thus certificates were not distributed on all the gateway nodes. This would require a second ansible run to work. This patches fix the creation and keys's distribution on all the nodes. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1540845 Signed-off-by: Sébastien Han <seb@redhat.com> 2018-04-03 21:20:06 +08:00
			`- name: copy crt file(s) to gateway nodes`
resync ceph-iscsi-gw with old upstream Taken from https://github.com/pcuzner/ceph-iscsi-ansible/tree/tcmu-fixes Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1454945 and https://bugzilla.redhat.com/show_bug.cgi?id=1484083 Signed-off-by: Sébastien Han <seb@redhat.com> 2017-08-05 02:18:11 +08:00			`copy:`
ceph-iscsi: fix certificates generation and distribution Prior to this patch, the certificates where being generated on a single node only (because of the run_once: true). Thus certificates were not distributed on all the gateway nodes. This would require a second ansible run to work. This patches fix the creation and keys's distribution on all the nodes. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1540845 Signed-off-by: Sébastien Han <seb@redhat.com> 2018-04-03 21:20:06 +08:00			`src: "{{ fetch_directory }}/{{ fsid }}/{{ item }}"`
			`dest: "/etc/ceph/{{ item }}"`
resync ceph-iscsi-gw with old upstream Taken from https://github.com/pcuzner/ceph-iscsi-ansible/tree/tcmu-fixes Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1454945 and https://bugzilla.redhat.com/show_bug.cgi?id=1484083 Signed-off-by: Sébastien Han <seb@redhat.com> 2017-08-05 02:18:11 +08:00			`owner: root`
			`group: root`
			`mode: 0400`
			`changed_when: false`
ceph-iscsi: fix certificates generation and distribution Prior to this patch, the certificates where being generated on a single node only (because of the run_once: true). Thus certificates were not distributed on all the gateway nodes. This would require a second ansible run to work. This patches fix the creation and keys's distribution on all the nodes. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1540845 Signed-off-by: Sébastien Han <seb@redhat.com> 2018-04-03 21:20:06 +08:00			`with_items: "{{ crt_files }}"`