From be690aa5a3cf83599fe6b32fa061d81f52f886bc Mon Sep 17 00:00:00 2001 From: "Huang, Sophie (sh879n)" Date: Tue, 8 Sep 2020 22:46:18 +0000 Subject: [PATCH] [Cinder] Configuration for external ceph backend In this patchset, comfigmap of ceph.conf and secret of cinder user keyring is created for externally managed ceph Cinder backend. Change-Id: Ie76bf207a7d42bd70a6be2648e060122f7daf5ad --- cinder/templates/bin/_ceph-keyring.sh.tpl | 13 +++----- cinder/templates/configmap-etc.yaml | 3 ++ cinder/templates/deployment-backup.yaml | 31 +++++++++++++++++++ cinder/templates/deployment-volume.yaml | 20 ++++++------ .../secret-external-ceph-keyring.yaml | 20 ++++++++++++ cinder/values.yaml | 14 ++++++--- 6 files changed, 80 insertions(+), 21 deletions(-) create mode 100644 cinder/templates/secret-external-ceph-keyring.yaml diff --git a/cinder/templates/bin/_ceph-keyring.sh.tpl b/cinder/templates/bin/_ceph-keyring.sh.tpl index e1bd624bca..521a74848c 100644 --- a/cinder/templates/bin/_ceph-keyring.sh.tpl +++ b/cinder/templates/bin/_ceph-keyring.sh.tpl @@ -22,14 +22,11 @@ cat < /etc/ceph/ceph.client.${RBD_USER}.keyring key = $(cat /tmp/client-keyring) EOF -if [ -f "/tmp/external-ceph-client-keyring" ]; then - RBD_USER=cinder2 - cat < /etc/ceph/ceph.client.${RBD_USER}.keyring -[client.${RBD_USER}] +{{- if and .Values.ceph_client.enable_external_ceph_backend .Values.ceph_client.external_ceph.rbd_user }} +cat < /etc/ceph/ceph.client.${EXTERNAL_RBD_USER}.keyring +[client.${EXTERNAL_RBD_USER}] key = $(cat /tmp/external-ceph-client-keyring) -EOF2 - -fi - +EOF +{{- end }} exit 0 diff --git a/cinder/templates/configmap-etc.yaml b/cinder/templates/configmap-etc.yaml index 077e6f20e7..13ebcacf3e 100644 --- a/cinder/templates/configmap-etc.yaml +++ b/cinder/templates/configmap-etc.yaml 
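Review bot: In cinder/templates/bin/_ceph-keyring.sh.tpl the new block reads /tmp/external-ceph-client-keyring without checking that it exists, so a missing or empty secret mount still produces a keyring file with an empty `key =` line and the script goes on to `exit 0`. The removed `if [ -f "/tmp/external-ceph-client-keyring" ]` test was the only runtime guard. A fail-fast check inside the templated block, such as `[ -s /tmp/external-ceph-client-keyring ] || { echo "external ceph keyring missing" >&2; exit 1; }`, would surface the misconfiguration in the init container instead of at the first RBD call. The visible lines also set no umask or file mode on the written keyring; the script starts outside the hunk, so confirm whether that is handled earlier.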
@@ -137,4 +137,7 @@ data: {{- if .Values.backup.external_ceph_rbd.enabled }} external-backup-ceph.conf: {{ include "helm-toolkit.utils.to_ini" .Values.backup.external_ceph_rbd.conf | b64enc }} {{- end }} +{{- if .Values.ceph_client.enable_external_ceph_backend }} + external-ceph.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.ceph_client.external_ceph.conf | b64enc }} +{{- end }} {{- end }} diff --git a/cinder/templates/deployment-backup.yaml b/cinder/templates/deployment-backup.yaml index 9b0c4b1386..62f3f20256 100755 --- a/cinder/templates/deployment-backup.yaml +++ b/cinder/templates/deployment-backup.yaml @@ -15,6 +15,8 @@ limitations under the License. {{- if .Values.manifests.deployment_backup }} {{- $envAll := . }} +{{- $internal_ceph_backend := .Values.ceph_client.internal_ceph_backend }} + {{- $mounts_cinder_backup := .Values.pod.mounts.cinder_backup.cinder_backup }} {{- $mounts_cinder_backup_init := .Values.pod.mounts.cinder_backup.init_container }} @@ -78,6 +80,7 @@ spec: {{ end }} {{- range $name := rest (splitList "," (include "cinder.utils.ceph_backend_list" $envAll)) }} {{- $backend := index $envAll.Values.conf.backends $name }} + {{- if eq $internal_ceph_backend $name }} - name: ceph-keyring-placement-{{$name}} {{ tuple $envAll "cinder_backup" | include "helm-toolkit.snippets.image" | indent 10 }} {{ dict "envAll" $envAll "application" "cinder_backup" "container" "ceph_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} @@ -86,6 +89,10 @@ spec: env: - name: RBD_USER value: {{ $backend.rbd_user | quote }} +{{- if and $envAll.Values.ceph_client.enable_external_ceph_backend $envAll.Values.ceph_client.external_ceph.rbd_user }} + - name: EXTERNAL_RBD_USER + value: {{ $envAll.Values.ceph_client.external_ceph.rbd_user | quote }} +{{- end }} volumeMounts: - name: pod-tmp mountPath: /tmp 
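Review bot: In configmap-etc.yaml, `external-ceph.conf` is rendered with `helm-toolkit.utils.to_oslo_conf`, while the `external-backup-ceph.conf` entry just above it, also a Ceph client config, uses `helm-toolkit.utils.to_ini`. If the two helpers format sections or list values differently, the Ceph client may read the external file differently from the backup one. Unless the difference is intended, use `{{ include "helm-toolkit.utils.to_ini" .Values.ceph_client.external_ceph.conf | b64enc }}`. With the defaults added in values.yaml (`mon_host: null`, `osd: null`), enabling the backend without overriding `conf` would presumably render a file with no monitor address, so a `required` check on `mon_host` is worth considering.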
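Review bot: In deployment-backup.yaml, the `{{- if eq $internal_ceph_backend $name }}` guard emits the ceph-keyring-placement init container only for the backend named in `ceph_client.internal_ceph_backend`, and the external keyring is written only as a side effect of that container running with `EXTERNAL_RBD_USER` set. If `internal_ceph_backend` is unset or matches no entry in the backend list, it looks as though no init container is rendered and no keyring reaches /etc/ceph, while the external keyring volume and mounts in the later hunks are still emitted. A comment above the guard such as `{{/* the external keyring is placed by the internal backend's init container */}}`, or a `fail` when the name matches nothing, would make this coupling explicit. The enclosing `range` starts before this hunk and the matching `{{- end }}` is in the following hunk.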
@@ -99,6 +106,13 @@ spec: mountPath: /tmp/client-keyring subPath: key readOnly: true + {{- if and $envAll.Values.ceph_client.enable_external_ceph_backend $envAll.Values.ceph_client.external_ceph.rbd_user }} + - name: external-ceph-keyring + mountPath: /tmp/external-ceph-client-keyring + subPath: key + readOnly: true + {{- end }} + {{- end }} {{- end }} {{- if (contains "cinder.backup.drivers.posix" .Values.conf.cinder.DEFAULT.backup_driver) }} - name: ceph-backup-volume-perms @@ -181,6 +195,18 @@ spec: subPath: key readOnly: true {{- end }} + {{- if .Values.ceph_client.enable_external_ceph_backend }} + - name: cinder-etc + mountPath: /etc/ceph/external-ceph.conf + subPath: external-ceph.conf + readOnly: true + {{- if .Values.ceph_client.external_ceph.rbd_user }} + - name: external-ceph-keyring + mountPath: /tmp/external-ceph-client-keyring + subPath: key + readOnly: true + {{- end }} + {{- end }} {{- end }} {{- if (contains "cinder.backup.drivers.posix" .Values.conf.cinder.DEFAULT.backup_driver) }} - name: cinder-backup @@ -241,6 +267,11 @@ spec: - name: ceph-keyring secret: secretName: {{ .Values.secrets.rbd.volume | quote }} + {{- if and .Values.ceph_client.enable_external_ceph_backend .Values.ceph_client.external_ceph.rbd_user }} + - name: external-ceph-keyring + secret: + secretName: {{ .Values.secrets.rbd.volume_external | quote }} + {{ end }} {{ end }} {{- if (contains "cinder.backup.drivers.posix" .Values.conf.cinder.DEFAULT.backup_driver) }} - name: cinder-backup diff --git a/cinder/templates/deployment-volume.yaml b/cinder/templates/deployment-volume.yaml index 8e96e0390c..ac51ac5b4d 100755 --- a/cinder/templates/deployment-volume.yaml +++ b/cinder/templates/deployment-volume.yaml 
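Review bot: The `external-ceph-keyring` secret volume added in the last hunk of deployment-backup.yaml, and again in deployment-volume.yaml at `@@ -259,14 +265,10 @@`, sets no `defaultMode`. Kubernetes therefore projects the key with its default 0644 mode, readable by every process in any container that mounts it. If the pod's runAsUser and fsGroup allow it, add `defaultMode: 0400` under `secret:` next to `secretName`. The pod security context is outside these hunks, so confirm the cinder user can still read the file before tightening the mode.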
@@ -69,6 +69,10 @@ spec: env: - name: RBD_USER value: {{ $backend.rbd_user | quote }} +{{- if and $envAll.Values.ceph_client.enable_external_ceph_backend $envAll.Values.ceph_client.external_ceph.rbd_user }} + - name: EXTERNAL_RBD_USER + value: {{ $envAll.Values.ceph_client.external_ceph.rbd_user | quote }} +{{- end }} volumeMounts: - name: pod-tmp mountPath: /tmp @@ -82,7 +86,7 @@ spec: mountPath: /tmp/client-keyring subPath: key readOnly: true - {{- if $envAll.Values.ceph_client.enable_external_ceph_backend }} + {{- if and $envAll.Values.ceph_client.enable_external_ceph_backend $envAll.Values.ceph_client.external_ceph.rbd_user }} - name: external-ceph-keyring mountPath: /tmp/external-ceph-client-keyring subPath: key @@ -176,16 +180,18 @@ spec: subPath: key readOnly: true {{- if .Values.ceph_client.enable_external_ceph_backend }} - - name: external-ceph-etc + - name: cinder-etc mountPath: /etc/ceph/external-ceph.conf - subPath: ceph.conf + subPath: external-ceph.conf readOnly: true + {{- if .Values.ceph_client.external_ceph.rbd_user }} - name: external-ceph-keyring mountPath: /tmp/external-ceph-client-keyring subPath: key readOnly: true {{- end }} {{- end }} + {{- end }} {{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }} - name: cinder-coordination mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }} 
@@ -259,14 +265,10 @@ spec: - name: ceph-keyring secret: secretName: {{ .Values.secrets.rbd.volume | quote }} - {{- if .Values.ceph_client.enable_external_ceph_backend }} - - name: external-ceph-etc - configMap: - name: {{ .Values.ceph_client.external_ceph.configmap }} - defaultMode: 0444 + {{- if and .Values.ceph_client.enable_external_ceph_backend .Values.ceph_client.external_ceph.rbd_user }} - name: external-ceph-keyring secret: - secretName: {{ .Values.ceph_client.external_ceph.cinder_user_secret_name | quote }} + secretName: {{ .Values.secrets.rbd.volume_external | quote }} {{ end }} {{ end }} {{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }} diff --git a/cinder/templates/secret-external-ceph-keyring.yaml b/cinder/templates/secret-external-ceph-keyring.yaml new file mode 100644 index 0000000000..9cdd4af81c --- /dev/null +++ b/cinder/templates/secret-external-ceph-keyring.yaml @@ -0,0 +1,20 @@ +{{/* +This manifest results a secret being created which has the keyring information +needed for cinder rbd user of external managed ceph backend +*/}} + +{{- if and .Values.ceph_client.enable_external_ceph_backend .Values.ceph_client.external_ceph.rbd_user }} + +{{- $envAll := . }} +{{- $userClass := "volume_external" }} +{{- $secretName := index $envAll.Values.secrets.rbd $userClass }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +type: Opaque +data: + key: {{ $envAll.Values.ceph_client.external_ceph.rbd_user_keyring | b64enc }} +... +{{- end }} diff --git a/cinder/values.yaml b/cinder/values.yaml index e7c6b87078..ca4e26ee6e 100644 --- a/cinder/values.yaml +++ b/cinder/values.yaml 
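Review bot: In secret-external-ceph-keyring.yaml, `rbd_user_keyring` defaults to null and the template guard checks only `enable_external_ceph_backend` and `rbd_user`, so a missing key reaches `b64enc` unchecked. A clear render-time error is preferable: `key: {{ required "ceph_client.external_ceph.rbd_user_keyring must be set" $envAll.Values.ceph_client.external_ceph.rbd_user_keyring | b64enc }}`. The key now has to travel through chart values, which puts it in values files and in Helm's stored release data. The `cinder_user_secret_name` lines removed above let operators reference a Secret created out of band instead. This template also has no `.Values.manifests.*` switch of the kind deployment-backup.yaml uses, so there is no way to opt out and supply the Secret externally.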
@@ -385,9 +385,14 @@ ceph_client: configmap: ceph-etc user_secret_name: pvc-ceph-client-key external_ceph: - configmap: ceph-etc - cinder_user_secret_name: cinder-volume-rbd-keyring - + # Only when enable_external_ceph_backend is true and rbd_user is NOT null + # secret for external ceph keyring will be created. + rbd_user: null + rbd_user_keyring: null + conf: + global: + mon_host: null + osd: null conf: paste: composite:osapi_volume: @@ -1076,7 +1081,7 @@ backup: conf: global: mon_host: null - osd: + osd: null posix: volume: class_name: general @@ -1229,6 +1234,7 @@ secrets: rbd: backup: cinder-backup-rbd-keyring volume: cinder-volume-rbd-keyring + volume_external: cinder-volume-external-rbd-keyring oslo_messaging: admin: cinder-rabbitmq-admin cinder: cinder-rabbitmq-user
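Review bot: `rbd_user_keyring` in the first values.yaml hunk is undocumented, and its name suggests a whole keyring file, but _ceph-keyring.sh.tpl writes it as `key = $(cat /tmp/external-ceph-client-keyring)`, so it has to be the bare key. Suggest adding above it `# rbd_user_keyring: bare Ceph key for rbd_user (the value after "key =" in a keyring file); supply it from a private values file, never commit it`. The removed `configmap` and `cinder_user_secret_name` keys are no longer read by the templates in this patch, so existing overrides that set them will be ignored without an error on upgrade. A release note, or a `fail` when the old keys are present, would make that visible.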