External Ceph: keys as variables

Introduce user modifiable variables instead of fixed-names
of Ceph keyring files for external Ceph functionality.

Change-Id: I1a33b3f9d6eca5babf53b91187461e43aef865ce

ansible/group_vars/all.yml

@@ -1028,6 +1028,14 @@ ceph_mgr_host_type: "INVENTORY"
 ceph_osd_host_type: "IP"
 ceph_mds_host_type: "INVENTORY"
 
+# External Ceph keyrings
+ceph_cinder_keyring: "ceph.client.cinder.keyring"
+ceph_cinder_backup_keyring: "ceph.client.cinder-backup.keyring"
+ceph_glance_keyring: "ceph.client.glance.keyring"
+ceph_gnocchi_keyring: "ceph.client.gnocchi.keyring"
+ceph_manila_keyring: "ceph.client.manila.keyring"
+ceph_nova_keyring: "{% if enable_ceph | bool %}ceph.client.nova.keyring{% else %}{{ ceph_cinder_keyring }}{% endif %}"
+
 #####################
 # VMware support
 ######################

ansible/roles/cinder/tasks/external_ceph.yml

@@ -21,12 +21,10 @@
 
 - name: Copy over Ceph keyring files for cinder-volume
   copy:
-    src: "{{ item }}"
+    src: "{{ node_custom_config }}/cinder/cinder-volume/{{ ceph_cinder_keyring }}"
     dest: "{{ node_config_directory }}/cinder-volume/"
     mode: "0660"
   become: true
-  with_fileglob:
-    - "{{ node_custom_config }}/cinder/cinder-volume/ceph.client*"
   when:
     - external_ceph_cephx_enabled | bool
     - inventory_hostname in groups['cinder-volume']
@@ -36,13 +34,14 @@
 
 - name: Copy over Ceph keyring files for cinder-backup
   copy:
-    src: "{{ item }}"
+    src: "{{ node_custom_config }}/cinder/{{ item }}"
     dest: "{{ node_config_directory }}/cinder-backup/"
     mode: "0660"
   become: true
   register: cinder_backup_ceph_keyring
-  with_fileglob:
-    - "{{ node_custom_config }}/cinder/cinder-backup/ceph.client*"
+  with_items:
+    - "cinder-backup/{{ ceph_cinder_keyring }}"
+    - "cinder-backup/{{ ceph_cinder_backup_keyring }}"
   when:
     - external_ceph_cephx_enabled | bool
     - inventory_hostname in groups['cinder-backup']

ansible/roles/cinder/templates/cinder-backup.json.j2

@@ -14,10 +14,24 @@
             "perm": "0600"
         }{% endif %}{% if cinder_backend_ceph | bool %},
         {
-            "source": "{{ container_config_directory }}/ceph.*",
-            "dest": "/etc/ceph/",
+            "source": "{{ container_config_directory }}/ceph.conf",
+            "dest": "/etc/ceph/ceph.conf",
             "owner": "cinder",
-            "perm": "0700",
+            "perm": "0600",
+            "optional": {{ (not cinder_backend_ceph | bool) | string | lower }}
+        },
+        {
+            "source": "{{ container_config_directory }}/{{ ceph_cinder_keyring }}",
+            "dest": "/etc/ceph/{{ ceph_cinder_keyring }}",
+            "owner": "cinder",
+            "perm": "0600",
+            "optional": {{ (not cinder_backend_ceph | bool) | string | lower }}
+        },
+        {
+            "source": "{{ container_config_directory }}/{{ ceph_cinder_backup_keyring }}",
+            "dest": "/etc/ceph/{{ ceph_cinder_backup_keyring }}",
+            "owner": "cinder",
+            "perm": "0600",
             "optional": {{ (not cinder_backend_ceph | bool) | string | lower }}
         }{% endif %}
     ],

ansible/roles/cinder/templates/cinder-volume.json.j2

@@ -8,10 +8,10 @@
             "perm": "0600"
         },
         {
-            "source": "{{ container_config_directory }}/ceph.*",
-            "dest": "/etc/ceph/",
+            "source": "{{ container_config_directory }}/{{ ceph_cinder_keyring }}",
+            "dest": "/etc/ceph/{{ ceph_cinder_keyring }}",
             "owner": "cinder",
-            "perm": "0700",
+            "perm": "0600",
             "optional": {{ (not cinder_backend_ceph | bool) | string | lower }}
         },
         {

ansible/roles/glance/tasks/external_ceph.yml

@@ -1,27 +1,29 @@
 ---
-- name: Copy over ceph files
+- name: Copy over ceph.conf for Glance
+  template:
+    src: "{{ node_custom_config }}/glance/ceph.conf"
+    dest: "{{ node_config_directory }}/glance-api/ceph.conf"
+    mode: "0660"
+  become: true
+  when: inventory_hostname in groups['glance-api']
+  notify:
+    - Restart glance-api container
+
+- name: Copy over ceph Glance keyring
   copy:
-    src: "{{ item }}"
-    dest: "{{ node_config_directory }}/glance-api/"
+    src: "{{ node_custom_config }}/glance/{{ ceph_glance_keyring }}"
+    dest: "{{ node_config_directory }}/glance-api/{{ ceph_glance_keyring }}"
     mode: "0660"
   become: true
-  when:
-    - glance_services['glance-api'].host_in_groups | bool
-    - glance_services['glance-api'].enabled | bool
-  with_fileglob:
-    - "{{ node_custom_config }}/glance/ceph*"
+  when: inventory_hostname in groups['glance-api']
   notify:
     - Restart glance-api container
 
 - name: Ensuring config directory has correct owner and permission
   file:
-    path: "{{ node_config_directory }}/{{ item }}"
+    path: "{{ node_config_directory }}/glance-api"
     recurse: yes
     owner: "{{ config_owner_user }}"
     group: "{{ config_owner_group }}"
   become: true
-  when:
-    - glance_services[item].host_in_groups | bool
-    - glance_services[item].enabled | bool
-  with_items:
-    - "glance-api"
+  when: inventory_hostname in groups['glance-api']

ansible/roles/glance/templates/glance-api.json.j2

@@ -14,10 +14,16 @@
             "perm": "0600"
         }{% endif %}{% if glance_backend_ceph | bool %},
         {
-            "source": "{{ container_config_directory }}/ceph.*",
-            "dest": "/etc/ceph/",
+            "source": "{{ container_config_directory }}/{{ ceph_glance_keyring }}",
+            "dest": "/etc/ceph/{{ ceph_glance_keyring }}",
             "owner": "glance",
-            "perm": "0700"
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/ceph.conf",
+            "dest": "/etc/ceph/ceph.conf",
+            "owner": "glance",
+            "perm": "0600"
         }{% endif %}{% if glance_backend_swift | bool %},
         {
             "source": "{{ container_config_directory }}/glance-swift.conf",

ansible/roles/gnocchi/tasks/external_ceph.yml

@@ -15,8 +15,8 @@
 
 - name: Copy over ceph gnocchi keyring
   copy:
-    src: "{{ node_custom_config }}/gnocchi/ceph.client.gnocchi.keyring"
-    dest: "{{ node_config_directory }}/{{ item }}/ceph.client.gnocchi.keyring"
+    src: "{{ node_custom_config }}/gnocchi/{{ ceph_gnocchi_keyring }}"
+    dest: "{{ node_config_directory }}/{{ item }}/{{ ceph_gnocchi_keyring }}"
     mode: "0660"
   become: true
   when: inventory_hostname in groups[item]

ansible/roles/gnocchi/templates/gnocchi-api.json.j2

@@ -28,8 +28,8 @@
             "perm": "0600"
         },
         {
-            "source": "{{ container_config_directory }}/ceph.client.gnocchi.keyring",
-            "dest": "/etc/ceph/ceph.client.gnocchi.keyring",
+            "source": "{{ container_config_directory }}/{{ ceph_gnocchi_keyring }}",
+            "dest": "/etc/ceph/{{ ceph_gnocchi_keyring }}",
             "owner": "gnocchi",
             "perm": "0600"
         }{% endif %}

ansible/roles/manila/tasks/external_ceph.yml

@@ -12,12 +12,10 @@
 
 - name: Copy over Ceph keyring files for manila
   copy:
-    src: "{{ item }}"
-    dest: "{{ node_config_directory }}/manila-share/"
+    src: "{{ node_custom_config }}/manila/{{ ceph_manila_keyring }}"
+    dest: "{{ node_config_directory }}/manila-share/{{ ceph_manila_keyring }}"
     mode: "0600"
   become: true
-  with_fileglob:
-    - "{{ node_custom_config }}/manila/ceph.client*"
   when:
     - inventory_hostname in groups['manila-share']
   notify:

ansible/roles/manila/templates/manila-share.json.j2

@@ -8,8 +8,14 @@
             "perm": "0600"
         }{% if enable_manila_backend_cephfs_native | bool or enable_manila_backend_cephfs_nfs | bool %},
         {
-            "source": "{{ container_config_directory }}/ceph.*",
-            "dest": "/etc/ceph/",
+            "source": "{{ container_config_directory }}/ceph.conf",
+            "dest": "/etc/ceph/ceph.conf",
+            "owner": "manila",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/{{ ceph_manila_keyring }}",
+            "dest": "/etc/ceph/{{ ceph_manila_keyring }}",
             "owner": "manila",
             "perm": "0600"
         }{% endif %}{% if manila_policy_file is defined %},

ansible/roles/nova-cell/tasks/external_ceph.yml

@@ -11,7 +11,7 @@
 
 - name: Check nova keyring file
   stat:
-    path: "{{ node_custom_config }}/nova/ceph.client.nova.keyring"
+    path: "{{ node_custom_config }}/nova/{{ ceph_nova_keyring }}"
   delegate_to: localhost
   run_once: True
   register: nova_cephx_keyring_file
@@ -22,7 +22,7 @@
 
 - name: Check cinder keyring file
   stat:
-    path: "{{ node_custom_config }}/nova/ceph.client.cinder.keyring"
+    path: "{{ node_custom_config }}/nova/{{ ceph_cinder_keyring }}"
   delegate_to: localhost
   run_once: True
   register: cinder_cephx_keyring_file
@@ -39,7 +39,6 @@
   become: true
   with_items:
     - nova-compute
-    - nova-libvirt
   when:
     - inventory_hostname in groups[nova_cell_compute_group]
     - nova_backend == "rbd"

ansible/roles/nova-cell/templates/nova-compute.json.j2

@@ -14,10 +14,16 @@
             "perm": "0600"
         }{% endif %}{% if nova_backend == "rbd" %},
         {
-            "source": "{{ container_config_directory }}/ceph.*",
-            "dest": "/etc/ceph/",
+            "source": "{{ container_config_directory }}/{{ ceph_nova_keyring }}",
+            "dest": "/etc/ceph/{{ ceph_nova_keyring }}",
             "owner": "nova",
-            "perm": "0700"
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/ceph.conf",
+            "dest": "/etc/ceph/ceph.conf",
+            "owner": "nova",
+            "perm": "0600"
         }{% endif %}{% if nova_compute_virt_type == "vmware" and not vmware_vcenter_insecure | bool %},
         {
             "source": "{{ container_config_directory }}/vmware_ca",