mgr/cephadm: deploy pending_key when possible

Also, leave out the caps. Signed-off-by: Sage Weil <[email protected]> Signed-off-by: Radoslaw Zarzynski <[email protected]>
mitsu-ko · Sep 12, 2022 · 34ba1a5 · 34ba1a5
1 parent be9020a
commit 34ba1a5
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 1 deletion.
diff --git a/src/pybind/mgr/cephadm/services/cephadmservice.py b/src/pybind/mgr/cephadm/services/cephadmservice.py
@@ -244,7 +244,22 @@ def get_keyring_with_caps(self, entity: AuthEntity, caps: List[str]) -> str:
                 'entity': entity,
             })
             if err:
-                self.mgr.log.warning(f"Unable to fetch keyring for {entity}")
+                raise OrchestratorError(f"Unable to fetch keyring for {entity}: {err}")
+
+        # strip down keyring
+        #  - don't include caps (auth get includes them; get-or-create does not)
+        #  - use pending key if present
+        key = None
+        for line in keyring.splitlines():
+            if ' = ' not in line:
+                continue
+            line = line.strip()
+            (ls, rs) = line.split(' = ', 1)
+            if ls == 'key' and not key:
+                key = rs
+            if ls == 'pending key':
+                key = rs
+        keyring = f'[{entity}]\nkey = {key}\n'
         return keyring
 
     def _inventory_get_fqdn(self, hostname: str) -> str:

diff --git a/src/pybind/mgr/cephadm/tests/test_services.py b/src/pybind/mgr/cephadm/tests/test_services.py
@@ -45,6 +45,8 @@ def _check_mon_command(self, cmd_dict, inbuf=None):
         if prefix == 'set-cmd':
             self.config = cmd_dict.get('value')
             return 0, 'value set', ''
+        if prefix in ['auth get']:
+            return 0, '[foo]\nkeyring = asdf\n', ''
         return -1, '', 'error'
 
     def get_minimal_ceph_conf(self) -> str:
@@ -185,9 +187,12 @@ def test_iscsi_client_caps(self):
         expected_call2 = call({'prefix': 'auth caps',
                                'entity': 'client.iscsi.a',
                                'caps': expected_caps})
+        expected_call3 = call({'prefix': 'auth get',
+                               'entity': 'client.iscsi.a'})
 
         assert expected_call in self.mgr.mon_command.mock_calls
         assert expected_call2 in self.mgr.mon_command.mock_calls
+        assert expected_call3 in self.mgr.mon_command.mock_calls
 
     @patch('cephadm.utils.resolve_ip')
     def test_iscsi_dashboard_config(self, mock_resolve_ip):