diff --git a/group_vars/mgrs.yml.sample b/group_vars/mgrs.yml.sample
index 2112ade7e..ab0d11164 100644
--- a/group_vars/mgrs.yml.sample
+++ b/group_vars/mgrs.yml.sample
@@ -15,6 +15,7 @@ dummy:
 # distributed on MGR nodes. Setting 'copy_admin_key' to 'true'
 # will copy the admin key to the /etc/ceph/ directory
 #copy_admin_key: false
+#mgr_secret: 'mgr_secret'
 ###########
diff --git a/group_vars/mons.yml.sample b/group_vars/mons.yml.sample
index 8e19b1037..5644dc7e1 100644
--- a/group_vars/mons.yml.sample
+++ b/group_vars/mons.yml.sample
@@ -17,7 +17,6 @@ dummy:
 # ACTIVATE BOTH FSID AND MONITOR_SECRET VARIABLES FOR NON-VAGRANT DEPLOYMENT
 #monitor_secret: "{{ monitor_keyring.stdout }}"
 #admin_secret: 'admin_secret'
-#mgr_secret: 'mgr_secret'
 # Secure your cluster
 # This will set the following flags on all the pools:
diff --git a/roles/ceph-mgr/defaults/main.yml b/roles/ceph-mgr/defaults/main.yml
index 68a62dbbe..053f623d7 100644
--- a/roles/ceph-mgr/defaults/main.yml
+++ b/roles/ceph-mgr/defaults/main.yml
@@ -7,6 +7,7 @@
 # distributed on MGR nodes. Setting 'copy_admin_key' to 'true'
 # will copy the admin key to the /etc/ceph/ directory
 copy_admin_key: false
+mgr_secret: 'mgr_secret'
 ###########
diff --git a/roles/ceph-mgr/tasks/common.yml b/roles/ceph-mgr/tasks/common.yml
index d933a3e3d..1accc900e 100644
--- a/roles/ceph-mgr/tasks/common.yml
+++ b/roles/ceph-mgr/tasks/common.yml
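Review bot: `mgr_secret: 'mgr_secret'` is added to roles/ceph-mgr/defaults/main.yml as a bare default with no comment, although the value is a sentinel: roles/ceph-mgr/tasks/common.yml in this same commit passes `mgr_secret` to ceph_key only when it differs from the literal `'mgr_secret'`, so a deployment that keeps the default gets a ceph-generated secret, while one that overrides it has that string used verbatim for every mgr key. A comment above the key should state that contract, e.g. `# 'mgr_secret' is a placeholder: leave it to let ceph generate the secret, or set it to the secret to use (verbatim) for every mgr.<hostname> keyring created in tasks/common.yml`. The same commented line added to group_vars/mgrs.yml.sample would benefit from the same comment, since that sample is what operators copy from.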
@@ -26,20 +26,57 @@
 CEPH_CONTAINER_BINARY: "{{ container_binary }}"
 when: groups.get(mgr_group_name, []) | length == 0
 # the key is present already since one of the mons created it in "create ceph mgr keyring(s)"
+- name: create and copy keyrings
+ when: groups.get(mgr_group_name, []) | length > 0
+ block:
+ - name: create ceph mgr keyring(s) on a mon node
+ ceph_key:
+ name: "mgr.{{ hostvars[item]['ansible_hostname'] }}"
+ state: present
+ caps:
+ mon: allow profile mgr
+ osd: allow *
+ mds: allow *
+ cluster: "{{ cluster }}"
+ secret: "{{ (mgr_secret != 'mgr_secret') | ternary(mgr_secret, omit) }}"
+ owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
+ group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
+ mode: "0400"
+ environment:
+ CEPH_CONTAINER_IMAGE: "{{ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment else None }}"
+ CEPH_CONTAINER_BINARY: "{{ container_binary }}"
+ with_items: "{{ groups.get(mgr_group_name, []) }}"
+ run_once: True
+ delegate_to: "{{ groups[mon_group_name][0] }}"
+
+ - name: copy ceph mgr key(s) from mon node to the ansible server
+ fetch:
+ src: "{{ ceph_conf_key_directory }}/{{ cluster }}.mgr.{{ hostvars[item]['ansible_hostname'] }}.keyring"
+ dest: "{{ fetch_directory }}/{{ fsid }}/{{ ceph_conf_key_directory }}/{{ cluster }}.mgr.{{ hostvars[item]['ansible_hostname'] }}.keyring"
+ flat: yes
+ with_items: "{{ groups.get(mgr_group_name, []) }}"
+ delegate_to: "{{ groups[mon_group_name][0] }}"
+
+ - name: copy ceph keyring(s) to mgr node
+ copy:
+ src: "{{ fetch_directory }}/{{ fsid }}/etc/ceph/{{ cluster }}.mgr.{{ ansible_hostname }}.keyring"
+ dest: "/var/lib/ceph/mgr/{{ cluster }}-{{ ansible_hostname }}/keyring"
+ owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
+ group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
+ mode: "{{ ceph_keyring_permissions }}"
+ when: cephx
+
 - name: copy ceph keyring(s) if needed
 copy:
- src: "{{ fetch_directory }}/{{ fsid }}/{{ item.name }}"
- dest: "{{ item.dest }}"
+ src: "{{ fetch_directory }}/{{ fsid }}/etc/ceph/{{ cluster }}.client.admin.keyring"
+ dest: "/etc/ceph/{{ cluster }}.client.admin.keyring"
 owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
 group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
 mode: "{{ ceph_keyring_permissions }}"
- with_items:
- - { name: "/etc/ceph/{{ cluster }}.mgr.{{ ansible_hostname }}.keyring", dest: "/var/lib/ceph/mgr/{{ cluster }}-{{ ansible_hostname }}/keyring", copy_key: "{{ True if groups.get(mgr_group_name, []) | length > 0 else False }}" }
- - { name: "/etc/ceph/{{ cluster }}.client.admin.keyring", dest: "/etc/ceph/{{ cluster }}.client.admin.keyring", copy_key: "{{ copy_admin_key }}" }
 when:
 - cephx
 - groups.get(mgr_group_name, []) | length > 0
- - item.copy_key|bool
+ - copy_admin_key | bool
 - name: set mgr key permissions
 file:
diff --git a/roles/ceph-mon/defaults/main.yml b/roles/ceph-mon/defaults/main.yml
index e0edb2bb8..f4460a708 100644
--- a/roles/ceph-mon/defaults/main.yml
+++ b/roles/ceph-mon/defaults/main.yml
@@ -9,7 +9,6 @@ mon_group_name: mons
 # ACTIVATE BOTH FSID AND MONITOR_SECRET VARIABLES FOR NON-VAGRANT DEPLOYMENT
 monitor_secret: "{{ monitor_keyring.stdout }}"
 admin_secret: 'admin_secret'
-mgr_secret: 'mgr_secret'
 # Secure your cluster
 # This will set the following flags on all the pools:
diff --git a/roles/ceph-mon/tasks/ceph_keys.yml b/roles/ceph-mon/tasks/ceph_keys.yml
index 2bacbebf9..fd93c6024 100644
--- a/roles/ceph-mon/tasks/ceph_keys.yml
+++ b/roles/ceph-mon/tasks/ceph_keys.yml
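Review bot: The `copy ceph keyring(s) to mgr node` task reads the fetched key from `{{ fetch_directory }}/{{ fsid }}/etc/ceph/...`, while the `fetch` task just above stores it under `{{ fetch_directory }}/{{ fsid }}/{{ ceph_conf_key_directory }}/...`, so the new block only works when `ceph_conf_key_directory` is `/etc/ceph`; the copy should use the same expression, `src: "{{ fetch_directory }}/{{ fsid }}/{{ ceph_conf_key_directory }}/{{ cluster }}.mgr.{{ ansible_hostname }}.keyring"`. In the `ceph_key` task the `secret:` value does not depend on `item`, so an overridden `mgr_secret` gives every `mgr.<hostname>` entity in the group the same key material; if that is intended it should be stated in a comment on the task, otherwise a per-host secret is needed. The fetch has no `run_once`, so if this role runs on every mgr host (as the block's `when` suggests) each keyring is pulled once per mgr host from the mon — harmless, but `run_once: true` as on the creating task would make the intent clear, and `True`/`yes` would better be lowercase `true` for yamllint's truthy check. Since the remaining task now copies only the admin keyring, its name `copy ceph keyring(s) if needed` would read better as `copy ceph admin keyring if needed`. The `set mgr key permissions` task at the end of the hunk continues outside it.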
@@ -31,34 +31,6 @@
 CEPH_CONTAINER_BINARY: "{{ container_binary }}"
 CEPH_ROLLING_UPDATE: "{{ rolling_update }}"
- - name: create ceph mgr keyring(s)
- ceph_key:
- name: "mgr.{{ hostvars[item]['ansible_hostname'] }}"
- state: present
- caps:
- mon: allow profile mgr
- osd: allow *
- mds: allow *
- cluster: "{{ cluster }}"
- secret: "{{ (mgr_secret != 'mgr_secret') | ternary(mgr_secret, omit) }}"
- owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
- group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
- mode: "0400"
- environment:
- CEPH_CONTAINER_IMAGE: "{{ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment else None }}"
- CEPH_CONTAINER_BINARY: "{{ container_binary }}"
- with_items: "{{ groups.get(mon_group_name) if groups.get(mgr_group_name, []) | length == 0 else groups.get(mgr_group_name, []) }}"
- run_once: True
- delegate_to: "{{ groups[mon_group_name][0] }}"
-
- - name: copy ceph mgr key(s) to the ansible server
- fetch:
- src: "{{ ceph_conf_key_directory }}/{{ cluster }}.mgr.{{ hostvars[item]['ansible_hostname'] }}.keyring"
- dest: "{{ fetch_directory }}/{{ fsid }}/{{ ceph_conf_key_directory }}/{{ cluster }}.mgr.{{ hostvars[item]['ansible_hostname'] }}.keyring"
- flat: yes
- with_items: "{{ groups.get(mon_group_name) if groups.get(mgr_group_name, []) | length == 0 else groups.get(mgr_group_name, []) }}"
- delegate_to: "{{ groups[mon_group_name][0] }}"
-
 - name: copy keys to the ansible server
 fetch:
 src: "{{ item }}"