Merge pull request #40 from shellycloud/master

Used encrypted data bags for storing secrets #34.

attributes/default.rb

@@ -1 +1,2 @@
 default['ceph']['install_debug'] = true
+default['ceph']['encrypted_data_bags'] = false

attributes/mon.rb

@@ -4,3 +4,4 @@ when 'ubuntu'
 else
   default["ceph"]["mon"]["init_style"] = "sysvinit"
 end
+default["ceph"]["mon"]["secret_file"] = "/etc/chef/secrets/ceph_mon"

attributes/osd.rb

@@ -4,3 +4,4 @@ when 'ubuntu'
 else
   default["ceph"]["osd"]["init_style"] = "sysvinit"
 end
+default["ceph"]["osd"]["secret_file"] = "/etc/chef/secrets/ceph_osd"

recipes/apt.rb

@@ -5,7 +5,7 @@ branch = node['ceph']['branch']
 apt_repository "ceph-#{branch}" do
   repo_name "ceph"
   uri node['ceph']['debian'][branch]['repository']
-  distribution node['lsb']['codename']
+  distribution node['lsb']['codename'] == "jessie" ? "sid" : node['lsb']['codename']
   components ['main']
   key node['ceph']['debian'][branch]['repository_key']
 end

recipes/mon.rb

@@ -41,8 +41,15 @@ cluster = 'ceph'
 unless File.exists?("/var/lib/ceph/mon/ceph-#{node["hostname"]}/done")
   keyring = "#{Chef::Config[:file_cache_path]}/#{cluster}-#{node['hostname']}.mon.keyring"
 
+  monitor_secret = if node['ceph']['encrypted_data_bags']
+    secret = Chef::EncryptedDataBagItem.load_secret(node["ceph"]["mon"]["secret_file"])
+    Chef::EncryptedDataBagItem.load("ceph", "mon", secret)["secret"]
+  else
+    node["ceph"]["monitor-secret"]
+  end
+
   execute "format as keyring" do
-    command "ceph-authtool '#{keyring}' --create-keyring --name=mon. --add-key='#{node["ceph"]["monitor-secret"]}' --cap mon 'allow *'"
+    command "ceph-authtool '#{keyring}' --create-keyring --name=mon. --add-key='#{monitor_secret}' --cap mon 'allow *'"
     creates "#{Chef::Config[:file_cache_path]}/#{cluster}-#{node['hostname']}.mon.keyring"
   end
 
@@ -93,15 +100,17 @@ end
 # The key is going to be automatically
 # created,
 # We store it when it is created
-ruby_block "get osd-bootstrap keyring" do
-  block do
-    run_out = ""
-    while run_out.empty?
-      run_out = Mixlib::ShellOut.new("ceph auth get-key client.bootstrap-osd").run_command.stdout.strip
-      sleep 2
+unless node['ceph']['encrypted_data_bags']
+  ruby_block "get osd-bootstrap keyring" do
+    block do
+      run_out = ""
+      while run_out.empty?
+        run_out = Mixlib::ShellOut.new("ceph auth get-key client.bootstrap-osd").run_command.stdout.strip
+        sleep 2
+      end
+      node.override['ceph']['bootstrap_osd_key'] = run_out
+      node.save
     end
-    node.override['ceph']['bootstrap_osd_key'] = run_out
-    node.save
+    not_if { node['ceph']['bootstrap_osd_key'] }
   end
-  not_if { node['ceph']['bootstrap_osd_key'] }
 end

recipes/osd.rb

@@ -45,7 +45,7 @@ if !search(:node,"hostname:#{node['hostname']} AND dmcrypt:true").empty?
 end
 
 service_type = node["ceph"]["osd"]["init_style"]
-mons = get_mon_nodes("ceph_bootstrap_osd_key:*")
+mons = node['ceph']['encrypted_data_bags'] ? get_mon_nodes : get_mon_nodes("ceph_bootstrap_osd_key:*")
 
 if mons.empty? then
   puts "No ceph-mon found."
@@ -60,8 +60,15 @@ else
   # TODO cluster name
   cluster = 'ceph'
 
+  osd_secret = if node['ceph']['encrypted_data_bags']
+    secret = Chef::EncryptedDataBagItem.load_secret(node["ceph"]["osd"]["secret_file"])
+    Chef::EncryptedDataBagItem.load("ceph", "osd", secret)["secret"]
+  else
+    mons[0]["ceph"]["bootstrap_osd_key"]
+  end
+
   execute "format as keyring" do
-    command "ceph-authtool '/var/lib/ceph/bootstrap-osd/#{cluster}.keyring' --create-keyring --name=client.bootstrap-osd --add-key='#{mons[0]["ceph"]["bootstrap_osd_key"]}'"
+    command "ceph-authtool '/var/lib/ceph/bootstrap-osd/#{cluster}.keyring' --create-keyring --name=client.bootstrap-osd --add-key='#{osd_secret}'"
     creates "/var/lib/ceph/bootstrap-osd/#{cluster}.keyring"
   end