diff --git a/attributes/default.rb b/attributes/default.rb
index 29aa1c4..8d9a48e 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -1 +1,2 @@
 default['ceph']['install_debug'] = true
+default['ceph']['encrypted_data_bags'] = false
diff --git a/attributes/mon.rb b/attributes/mon.rb
index 9120c78..629ccbd 100644
--- a/attributes/mon.rb
+++ b/attributes/mon.rb
@@ -4,3 +4,4 @@ when 'ubuntu'
 else
 default["ceph"]["mon"]["init_style"] = "sysvinit"
 end
+default["ceph"]["mon"]["secret_file"] = "/etc/chef/secrets/ceph_mon"
diff --git a/attributes/osd.rb b/attributes/osd.rb
index a005afc..f331963 100644
--- a/attributes/osd.rb
+++ b/attributes/osd.rb
@@ -4,3 +4,4 @@ when 'ubuntu'
 else
 default["ceph"]["osd"]["init_style"] = "sysvinit"
 end
+default["ceph"]["osd"]["secret_file"] = "/etc/chef/secrets/ceph_osd"
diff --git a/recipes/apt.rb b/recipes/apt.rb
index c11d3c3..8278047 100644
--- a/recipes/apt.rb
+++ b/recipes/apt.rb
@@ -5,7 +5,7 @@ branch = node['ceph']['branch']
 apt_repository "ceph-#{branch}" do
 repo_name "ceph"
 uri node['ceph']['debian'][branch]['repository']
- distribution node['lsb']['codename']
+ distribution node['lsb']['codename'] == "jessie" ? "sid" : node['lsb']['codename']
 components ['main']
 key node['ceph']['debian'][branch]['repository_key']
 end
diff --git a/recipes/mon.rb b/recipes/mon.rb
index 197cd72..bbf1cbc 100644
--- a/recipes/mon.rb
+++ b/recipes/mon.rb
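Review bot: The new `secret_file` default names a path under /etc/chef/secrets that nothing in this commit creates, ships or permission-checks, and the same applies to the `osd` attribute added in attributes/osd.rb. Both files are read by `Chef::EncryptedDataBagItem.load_secret` on every node that runs the mon or osd recipe with `encrypted_data_bags` enabled, so the attribute deserves a comment saying where the file is expected to come from, e.g. `# Path to the encrypted-data-bag secret; provisioned out of band, readable by root only`. The `case` block that this line follows starts outside the hunk.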
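Review bot: The jessie-to-sid substitution on the `distribution` line is an inline magic mapping with no explanation, so a reader cannot tell whether it is a temporary workaround or a deliberate decision to install packages built for unstable on a stable release. Add a why-comment above it, e.g. `# no jessie build of this repository is published; fall back to the sid packages`, if that is indeed the reason, or move the mapping next to `node['ceph']['debian'][branch]` in the attributes so it can be overridden per environment instead of being hard-coded in the recipe. The `key` line still applies the branch's `repository_key`, so signature verification of the substituted distribution is unaffected by this change.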
@@ -41,8 +41,15 @@ cluster = 'ceph'
 unless File.exists?("/var/lib/ceph/mon/ceph-#{node["hostname"]}/done")
 keyring = "#{Chef::Config[:file_cache_path]}/#{cluster}-#{node['hostname']}.mon.keyring"
+ monitor_secret = if node['ceph']['encrypted_data_bags']
+ secret = Chef::EncryptedDataBagItem.load_secret(node["ceph"]["mon"]["secret_file"])
+ Chef::EncryptedDataBagItem.load("ceph", "mon", secret)["secret"]
+ else
+ node["ceph"]["monitor-secret"]
+ end
+
 execute "format as keyring" do
- command "ceph-authtool '#{keyring}' --create-keyring --name=mon. --add-key='#{node["ceph"]["monitor-secret"]}' --cap mon 'allow *'"
+ command "ceph-authtool '#{keyring}' --create-keyring --name=mon. --add-key='#{monitor_secret}' --cap mon 'allow *'"
 creates "#{Chef::Config[:file_cache_path]}/#{cluster}-#{node['hostname']}.mon.keyring"
 end
@@ -93,15 +100,17 @@ end
 # The key is going to be automatically
 # created,
 # We store it when it is created
-ruby_block "get osd-bootstrap keyring" do
- block do
- run_out = ""
- while run_out.empty?
- run_out = Mixlib::ShellOut.new("ceph auth get-key client.bootstrap-osd").run_command.stdout.strip
- sleep 2
+unless node['ceph']['encrypted_data_bags']
+ ruby_block "get osd-bootstrap keyring" do
+ block do
+ run_out = ""
+ while run_out.empty?
+ run_out = Mixlib::ShellOut.new("ceph auth get-key client.bootstrap-osd").run_command.stdout.strip
+ sleep 2
+ end
+ node.override['ceph']['bootstrap_osd_key'] = run_out
+ node.save
 end
- node.override['ceph']['bootstrap_osd_key'] = run_out
- node.save
+ not_if { node['ceph']['bootstrap_osd_key'] }
 end
- not_if { node['ceph']['bootstrap_osd_key'] }
 end
diff --git a/recipes/osd.rb b/recipes/osd.rb
index 92d6154..e3b56b4 100644
--- a/recipes/osd.rb
+++ b/recipes/osd.rb
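Review bot: In the encrypted branch `Chef::EncryptedDataBagItem.load("ceph", "mon", secret)["secret"]` returns nil when the item has no `secret` field, and nil interpolates into `--add-key=''`, so a misconfigured data bag silently produces a keyring with an empty key instead of failing the run; use `.fetch("secret")` so the missing field raises. The same lookup pattern is used for the `osd` item in recipes/osd.rb. Independently of where it is loaded from, the key still passes through the `command` string of the `execute` resource, where it is visible in the process list while ceph-authtool runs and is echoed by Chef in the failure output if the resource fails; setting `sensitive true` on the resource suppresses that output on Chef versions that support the property on `execute`, and `Shellwords.escape(monitor_secret)` is safer than hand-placed single quotes around an interpolated value. The `unless File.exists?` block containing this code continues past the hunk.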
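Review bot: The `while run_out.empty?` loop inside the new `unless` block has no upper bound, so if `ceph auth get-key client.bootstrap-osd` keeps returning empty stdout (for example while the monitor is not yet in quorum) the Chef run hangs forever instead of failing; add a counter, e.g. `attempts = 0` before the loop and `raise "client.bootstrap-osd key not available after 30 tries" if (attempts += 1) > 30` inside it. A comment should also say why the capture is skipped when `encrypted_data_bags` is set: recipes/osd.rb then takes the bootstrap key from the `osd` data bag rather than from this node attribute, and nothing in this commit imports that data bag key into the cluster's auth database, so presumably the operator is expected to have created `client.bootstrap-osd` with that exact key out of band — confirm and document it, since otherwise OSD bootstrap would fail with a key mismatch. The unencrypted path still publishes the key as a plain node attribute via `node.save`, readable to anything that can search the Chef server; that predates this change, but the comment could point at the encrypted path as the preferred one.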
@@ -45,7 +45,7 @@ if !search(:node,"hostname:#{node['hostname']} AND dmcrypt:true").empty?
 end
 service_type = node["ceph"]["osd"]["init_style"]
-mons = get_mon_nodes("ceph_bootstrap_osd_key:*")
+mons = node['ceph']['encrypted_data_bags'] ? get_mon_nodes : get_mon_nodes("ceph_bootstrap_osd_key:*")
 if mons.empty? then
 puts "No ceph-mon found."
@@ -60,8 +60,15 @@ else
 # TODO cluster name
 cluster = 'ceph'
+ osd_secret = if node['ceph']['encrypted_data_bags']
+ secret = Chef::EncryptedDataBagItem.load_secret(node["ceph"]["osd"]["secret_file"])
+ Chef::EncryptedDataBagItem.load("ceph", "osd", secret)["secret"]
+ else
+ mons[0]["ceph"]["bootstrap_osd_key"]
+ end
+
 execute "format as keyring" do
- command "ceph-authtool '/var/lib/ceph/bootstrap-osd/#{cluster}.keyring' --create-keyring --name=client.bootstrap-osd --add-key='#{mons[0]["ceph"]["bootstrap_osd_key"]}'"
+ command "ceph-authtool '/var/lib/ceph/bootstrap-osd/#{cluster}.keyring' --create-keyring --name=client.bootstrap-osd --add-key='#{osd_secret}'"
 creates "/var/lib/ceph/bootstrap-osd/#{cluster}.keyring"
 end
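Review bot: The data bag layout that the new `osd_secret` lookup relies on is undocumented: bag `ceph`, item `osd`, field `secret`, decrypted with the file at `node["ceph"]["osd"]["secret_file"]`, with a parallel `mon` item consumed by recipes/mon.rb. A short comment above the assignment, e.g. `# encrypted data bag ceph/osd, e.g. {"id": "osd", "secret": "<client.bootstrap-osd key>"}, decrypted with secret_file` (placeholder value), would spare the next operator a read of both recipes; the bag and item names are hard-coded while the secret path is an attribute, so consider making them attributes as well. In the encrypted branch `mons[0]` is no longer read here, yet the `if mons.empty?` guard from the first hunk still aborts when no monitor is found; if the mon list is needed elsewhere in the recipe that is fine, but it is worth stating. The `else` branch containing this code begins before the hunk.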