[Libvirt] Add support for Cinder external ceph backend

This patchset adds a libvirt secret for the Cinder uuid of external
ceph backend when Cinder externally managed ceph backend is
enabled.

Change-Id: I3667c13c31e49f00d2be02efa6d791ce0a580a8d

libvirt/templates/bin/_libvirt.sh.tpl

@@ -107,8 +107,14 @@ if [ -n "${LIBVIRT_CEPH_CINDER_SECRET_UUID}" ] ; then
   cgexec -g ${CGROUPS%,}:/osh-libvirt systemd-run --scope --slice=system libvirtd --listen &
 
   tmpsecret=$(mktemp --suffix .xml)
+  if [ -n "${LIBVIRT_EXTERNAL_CEPH_CINDER_SECRET_UUID}" ] ; then
+    tmpsecret2=$(mktemp --suffix .xml)
+  fi
   function cleanup {
-      rm -f "${tmpsecret}"
+    rm -f "${tmpsecret}"
+    if [ -n "${LIBVIRT_EXTERNAL_CEPH_CINDER_SECRET_UUID}" ] ; then
+      rm -f "${tmpsecret2}"
+    fi
   }
   trap cleanup EXIT
 
@@ -137,21 +143,31 @@ if [ -n "${LIBVIRT_CEPH_CINDER_SECRET_UUID}" ] ; then
     fi
   done
 
-  if [ -z "${CEPH_CINDER_KEYRING}" ] ; then
+  function create_virsh_libvirt_secret {
-    CEPH_CINDER_KEYRING=$(awk '/key/{print $3}' /etc/ceph/ceph.client.${CEPH_CINDER_USER}.keyring)
+    sec_user=$1
-  fi
+    sec_uuid=$2
-
+    sec_ceph_keyring=$3
-  cat > ${tmpsecret} <<EOF
+    cat > ${tmpsecret} <<EOF
 <secret ephemeral='no' private='no'>
-  <uuid>${LIBVIRT_CEPH_CINDER_SECRET_UUID}</uuid>
+  <uuid>${sec_uuid}</uuid>
   <usage type='ceph'>
-    <name>client.${CEPH_CINDER_USER}. secret</name>
+    <name>client.${sec_user}. secret</name>
   </usage>
 </secret>
 EOF
+    virsh secret-define --file ${tmpsecret}
+    virsh secret-set-value --secret "${sec_uuid}" --base64 "${sec_ceph_keyring}"
+  }
 
-  virsh secret-define --file ${tmpsecret}
+  if [ -z "${CEPH_CINDER_KEYRING}" ] ; then
-  virsh secret-set-value --secret "${LIBVIRT_CEPH_CINDER_SECRET_UUID}" --base64 "${CEPH_CINDER_KEYRING}"
+    CEPH_CINDER_KEYRING=$(awk '/key/{print $3}' /etc/ceph/ceph.client.${CEPH_CINDER_USER}.keyring)
+  fi
+  create_virsh_libvirt_secret ${CEPH_CINDER_USER} ${LIBVIRT_CEPH_CINDER_SECRET_UUID} ${CEPH_CINDER_KEYRING}
+
+  if [ -n "${LIBVIRT_EXTERNAL_CEPH_CINDER_SECRET_UUID}" ] ; then
+    EXTERNAL_CEPH_CINDER_KEYRING=$(cat /tmp/external-ceph-client-keyring)
+    create_virsh_libvirt_secret ${EXTERNAL_CEPH_CINDER_USER} ${LIBVIRT_EXTERNAL_CEPH_CINDER_SECRET_UUID} ${EXTERNAL_CEPH_CINDER_KEYRING}
+  fi
 
   # rejoin libvirtd
   wait

libvirt/templates/daemonset-libvirt.yaml

@@ -123,6 +123,12 @@ spec:
             {{ end }}
             - name: LIBVIRT_CEPH_CINDER_SECRET_UUID
               value: "{{ .Values.conf.ceph.cinder.secret_uuid }}"
+            {{- if .Values.conf.ceph.cinder.external_ceph.enabled }}
+            - name: EXTERNAL_CEPH_CINDER_USER
+              value: "{{ .Values.conf.ceph.cinder.external_ceph.user }}"
+            - name: LIBVIRT_EXTERNAL_CEPH_CINDER_SECRET_UUID
+              value: "{{ .Values.conf.ceph.cinder.external_ceph.secret_uuid }}"
+            {{ end }}
           {{ end }}
           readinessProbe:
             exec:
@@ -199,6 +205,12 @@ spec:
               subPath: key
               readOnly: true
             {{- end }}
+            {{- if .Values.conf.ceph.cinder.external_ceph.enabled }}
+            - name: external-ceph-keyring
+              mountPath: /tmp/external-ceph-client-keyring
+              subPath: key
+              readOnly: true
+            {{- end }}
             {{- end }}
 {{ if $mounts_libvirt.volumeMounts }}{{ toYaml $mounts_libvirt.volumeMounts | indent 12 }}{{ end }}
       volumes:
@@ -225,6 +237,11 @@ spec:
           secret:
             secretName: {{ .Values.ceph_client.user_secret_name }}
         {{ end }}
+        {{- if .Values.conf.ceph.cinder.external_ceph.enabled }}
+        - name: external-ceph-keyring
+          secret:
+            secretName: {{ .Values.conf.ceph.cinder.external_ceph.user_secret_name }}
+        {{ end }}
         {{ end }}
         - name: libmodules
           hostPath:

libvirt/values.yaml

@@ -77,6 +77,12 @@ conf:
       user: "cinder"
       keyring: null
       secret_uuid: 457eb676-33da-42ec-9a8c-9293d545c337
+      # Cinder Ceph backend that is not configured by the k8s cluter
+      external_ceph:
+        enabled: false
+        user: null
+        secret_uuid: null
+        user_secret_name: null
   libvirt:
     listen_tcp: "1"
     listen_tls: "0"