ceph-ansible/roles/ceph-client/tasks/create_users_keys.yml



---
# Containerized hosts run ceph-authtool through `docker run`; record the
# binary name first so the wrapper command built next can embed it.
- name: set docker_exec_client_cmd_binary to ceph-authtool
  set_fact:
    docker_exec_client_cmd_binary: 'ceph-authtool'
  when:
    - containerized_deployment
# Wrap the binary in a one-shot container that bind-mounts /etc/ceph so the
# keyrings it writes land on the host.  set_fact stores the rendered string,
# so changing docker_exec_client_cmd_binary afterwards does not update it.
- name: set docker_exec_client_cmd for containers
  set_fact:
    docker_exec_client_cmd: >-
      docker run --rm -v /etc/ceph:/etc/ceph
      --entrypoint /usr/bin/{{ docker_exec_client_cmd_binary }}
      {{ ceph_docker_registry }}/{{ ceph_docker_image }}:{{ ceph_docker_image_tag }}
  when:
    - containerized_deployment
# Bare-metal hosts call ceph-authtool directly.
- name: set docker_exec_client_cmd for non-containers
  set_fact:
    docker_exec_client_cmd: 'ceph-authtool'
  when:
    - not containerized_deployment
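# Write one keyring per entry in `keys` with ceph-authtool.  The secret
# (item.key) is passed as a command-line argument, so the loop items and the
# rendered command contain it: mask this task's output with no_log so it does
# not end up in the play log or in callback plugins.  (While the command runs
# the key is also visible in the host's process list; that is inherent to
# --add-key.)
- name: create key(s)
  shell: >-
    {{ docker_exec_client_cmd }}
    -C /etc/ceph/{{ cluster }}.{{ item.name }}.keyring
    --name {{ item.name }}
    --add-key {{ item.key }}
    --cap mon "{{ item.mon_cap | default('') }}"
    --cap osd "{{ item.osd_cap | default('') }}"
    --cap mds "{{ item.mds_cap | default('') }}"
  args:
    # idempotence: skip once the keyring file exists on disk
    creates: /etc/ceph/{{ cluster }}.{{ item.name }}.keyring
  with_items: "{{ keys }}"
  changed_when: false
  # loop items carry key material
  no_log: true
  when:
    - cephx
    - keys | length > 0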
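# Switch the container wrapper from ceph-authtool to the ceph CLI for the
# cluster-side tasks that follow (auth get / osd pool create / auth import).
# docker_exec_client_cmd was stored fully rendered with ceph-authtool as the
# entrypoint, so updating the binary fact alone leaves the wrapper pointing at
# the wrong binary; rebuild the wrapper command here as well.
- name: set docker_exec_client_cmd_binary to ceph
  set_fact:
    docker_exec_client_cmd_binary: 'ceph'
    docker_exec_client_cmd: >-
      docker run --rm -v /etc/ceph:/etc/ceph
      --entrypoint /usr/bin/ceph
      {{ ceph_docker_registry }}/{{ ceph_docker_image }}:{{ ceph_docker_image_tag }}
  when:
    - containerized_deployment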
# On bare-metal hosts the keyring writer (ceph-authtool) is swapped for the
# ceph CLI used by the cluster-side tasks that follow.
- name: replace docker_exec_client_cmd by ceph
  set_fact:
    docker_exec_client_cmd: 'ceph'
  when: not containerized_deployment and docker_exec_client_cmd == 'ceph-authtool'
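# Probe the cluster for each key so the import task below can be limited to
# keys the cluster does not know yet.  A non-zero exit is the expected answer
# for a missing key, hence failed_when: false; the per-item rc is consumed via
# keys_exist.results.  `ceph auth get` prints the secret of an existing key on
# stdout, which would otherwise be captured into the registered result and
# shown in verbose output, so the task output is masked with no_log.
- name: check if key(s) already exist(s)
  command: >-
    {{ docker_exec_client_cmd }} --cluster {{ cluster }} auth get {{ item.name }}
  changed_when: false
  failed_when: false
  # stdout contains key material
  no_log: true
  with_items: "{{ keys }}"
  register: keys_exist
  when:
    - copy_admin_key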
# Create each pool listed in `pools` through the ceph CLI.  Positional
# arguments come from the pool entry with fallbacks: pg_num falls back to the
# first monitor's osd_pool_default_pg_num, pgp_num to the entry's pg_num, the
# CRUSH rule to replicated_rule and the pool type to replicated; an erasure
# pool additionally passes its erasure profile.
# NOTE(review): for an erasure pool the condition reads item.erasure_profile
# without a default, so that key must be present on every erasure entry.
# NOTE(review): the pgp_num fallback reads item.pg_num directly, unlike the
# pg_num argument which has a default, so an entry without pg_num may fail to
# render — confirm against the expected shape of `pools`.
- name: create pool(s)
  command: >
    {{ docker_exec_client_cmd }} --cluster {{ cluster }}
    osd pool create {{ item.name }}
    {{ item.get('pg_num', hostvars[groups[mon_group_name][0]]['osd_pool_default_pg_num']) }}
    {{ item.pgp_num | default(item.pg_num) }}
    {{ item.rule_name | default("replicated_rule") }}
    {{ item.type | default("replicated") }}
    {%- if item.type | default("replicated") == 'erasure' and item.erasure_profile != '' %}
    {{ item.erasure_profile }}
    {%- endif %}
    {{ item.size | default('') }}
  with_items: "{{ pools }}"
  # the task is always reported as unchanged, even when a pool is created
  changed_when: false
  when:
    - pools | length > 0
    - copy_admin_key
# Import each keyring written above into the cluster, but only for entries
# whose `auth get` probe actually ran and exited non-zero (key not known yet).
- name: add key(s) to ceph
  command: >-
    {{ docker_exec_client_cmd }} --cluster {{ cluster }}
    auth import -i /etc/ceph/{{ cluster }}.{{ item.0.name }}.keyring
  changed_when: false
  with_together:
    - '{{ keys }}'
    - '{{ keys_exist.results | default([]) }}'
  # order matters: a skipped probe result carries no `rc`, so the skipped
  # check has to be evaluated before the rc comparison
  when:
    - not item.1.get("skipped")
    - copy_admin_key
    - item.1.rc != 0
# Undo the `ceph` substitution by clearing the fact — presumably so a later
# include of this file starts from scratch; verify against the callers.
- name: put docker_exec_client_cmd back to normal with a none value
  set_fact:
    docker_exec_client_cmd: null
  when:
    - docker_exec_client_cmd == 'ceph'
# Apply the per-key file mode when one is listed; `omit` drops the parameter
# so the file module leaves the mode as created (process umask).
# An unquoted number in `keys` goes through YAML integer parsing before it
# reaches the file module, so list modes as quoted strings such as '0600'.
- name: chmod key(s)
  file:
    path: '/etc/ceph/{{ cluster }}.{{ item.name }}.keyring'
    mode: '{{ item.mode | default(omit) }}'
  with_items: '{{ keys }}'
  when: cephx and keys | length > 0
# Apply any ACL entries listed under a key's `acls`; entries without that
# list are skipped (skip_missing) instead of failing the loop.
- name: setfacl for key(s)
  acl:
    path: '/etc/ceph/{{ cluster }}.{{ item.0.name }}.keyring'
    entry: '{{ item.1 }}'
    state: present
  with_subelements:
    - '{{ keys }}'
    - acls
    - skip_missing: true
  when: cephx and keys | length > 0