Passing the key explicitly into nova::compute::rbd means that Puppet
will not attempt to fetch the key using `ceph auth get-key <keyring>`,
having these effects:
* One reason for compute node to have access to the client.admin key is
gone (in current implementation it does have access to the key, but
this change is a step towards removing it).
* Ceph cluster doesn't have to be running at the time when Puppet runs
on compute node, meaning we don't have to serialize things more than
we do now.
Also adding the ComputeCephDeployment as a dependency of
ComputePostDeployment, otherwise the hiera file it creates might be
created *after* Puppet configuration happens on compute nodes, and the
values it provides would be missing during the Puppet run on the compute
nodes.
Change-Id: Id3166e6d5f01d18ec8a5033398bb511f4321a5e8
Depends-On: I70da06159c0d3c6fa204b5f7a468909ffab4d633
Partial-Bug: #
1439949
ComputeNodesPostDeployment:
type: OS::TripleO::ComputePostDeployment
- depends_on: ComputeAllNodesDeployment
+ depends_on: [ComputeAllNodesDeployment, ComputeCephDeployment]
properties:
servers: {get_attr: [Compute, attributes, nova_server_resource]}
$nova_enable_rbd_backend = hiera('nova_enable_rbd_backend', false)
if $nova_enable_rbd_backend {
include ::ceph::profile::client
- include ::nova::compute::rbd
+
+ $client_keys = hiera('ceph::profile::params::client_keys')
+ class { '::nova::compute::rbd':
+ libvirt_rbd_secret_key => $client_keys['client.openstack']['secret'],
+ }
}
include ::nova::compute::libvirt
Code Review / apex-tripleo-heat-templates.git / commitdiff