Allow mgr bootstrap keyring to be defined

In environments where we wish to have manual/greater control over how the bootstrap keyrings are used, we need to able to externally define what the mgr keyring secret will be and have ceph-ansible use it, instead of it being autogenerated Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1610213 Signed-off-by: Graeme Gillies <ggillies@akamai.com>
2018-07-31 09:24:21 +10:00 · 2018-07-31 09:24:21 +10:00 · a46025820d
parent 19518656a7
commit a46025820d
3 changed files with 3 additions and 0 deletions
--- a/group_vars/mons.yml.sample
+++ b/group_vars/mons.yml.sample
@ -17,6 +17,7 @@ dummy:
 # ACTIVATE BOTH FSID AND MONITOR_SECRET VARIABLES FOR NON-VAGRANT DEPLOYMENT
 #monitor_secret: "{{ monitor_keyring.stdout }}"
 #admin_secret: 'admin_secret'
+#mgr_secret: 'mgr_secret'

 # Secure your cluster
 # This will set the following flags on all the pools:
--- a/roles/ceph-mon/defaults/main.yml
+++ b/roles/ceph-mon/defaults/main.yml
@ -9,6 +9,7 @@ mon_group_name: mons
 # ACTIVATE BOTH FSID AND MONITOR_SECRET VARIABLES FOR NON-VAGRANT DEPLOYMENT
 monitor_secret: "{{ monitor_keyring.stdout }}"
 admin_secret: 'admin_secret'
+mgr_secret: 'mgr_secret'

 # Secure your cluster
 # This will set the following flags on all the pools:
--- a/roles/ceph-mon/tasks/ceph_keys.yml
+++ b/roles/ceph-mon/tasks/ceph_keys.yml
@ -76,6 +76,7 @@
      osd: allow *
      mds: allow *
    cluster: "{{ cluster }}"
+    secret: "{{ (mgr_secret != 'mgr_secret') | ternary(mgr_secret, omit) }}"
  when:
    - cephx
    - groups.get(mgr_group_name, []) | length > 0