diff --git a/libvirt/templates/bin/_libvirt.sh.tpl b/libvirt/templates/bin/_libvirt.sh.tpl
index 850d8df45..c419997e1 100644
--- a/libvirt/templates/bin/_libvirt.sh.tpl
+++ b/libvirt/templates/bin/_libvirt.sh.tpl
@@ -107,8 +107,14 @@ if [ -n "${LIBVIRT_CEPH_CINDER_SECRET_UUID}" ] ; then
 cgexec -g ${CGROUPS%,}:/osh-libvirt systemd-run --scope --slice=system libvirtd --listen &
 tmpsecret=$(mktemp --suffix .xml)
+ if [ -n "${LIBVIRT_EXTERNAL_CEPH_CINDER_SECRET_UUID}" ] ; then
+ tmpsecret2=$(mktemp --suffix .xml)
+ fi
 function cleanup {
- rm -f "${tmpsecret}"
+ rm -f "${tmpsecret}"
+ if [ -n "${LIBVIRT_EXTERNAL_CEPH_CINDER_SECRET_UUID}" ] ; then
+ rm -f "${tmpsecret2}"
+ fi
 }
 trap cleanup EXIT
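Review bot: `tmpsecret2` is allocated here and removed in `cleanup`, but nothing in the visible hunks ever writes to it; the `create_virsh_libvirt_secret` helper added in the next hunk redirects into `${tmpsecret}` for both the internal and the external secret. Unless code outside the hunks uses it, drop the `tmpsecret2=$(mktemp --suffix .xml)` block and the matching branch in `cleanup`, or pass the target file to the helper as a fourth argument so each secret gets its own file. The enclosing `if [ -n "${LIBVIRT_CEPH_CINDER_SECRET_UUID}" ]` block starts before the hunk and continues after it.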
@@ -137,21 +143,31 @@ if [ -n "${LIBVIRT_CEPH_CINDER_SECRET_UUID}" ] ; then
 fi
 done
- if [ -z "${CEPH_CINDER_KEYRING}" ] ; then
- CEPH_CINDER_KEYRING=$(awk '/key/{print $3}' /etc/ceph/ceph.client.${CEPH_CINDER_USER}.keyring)
- fi
-
- cat > ${tmpsecret} <<EOF
+ function create_virsh_libvirt_secret {
+ sec_user=$1
+ sec_uuid=$2
+ sec_ceph_keyring=$3
+ cat > ${tmpsecret} <<EOF
 <secret ephemeral='no' private='no'>
- <uuid>${LIBVIRT_CEPH_CINDER_SECRET_UUID}</uuid>
+ <uuid>${sec_uuid}</uuid>
 <usage type='ceph'>
- <name>client.${CEPH_CINDER_USER}. secret</name>
+ <name>client.${sec_user}. secret</name>
 </usage>
 </secret>
 EOF
+ virsh secret-define --file ${tmpsecret}
+ virsh secret-set-value --secret "${sec_uuid}" --base64 "${sec_ceph_keyring}"
+ }
- virsh secret-define --file ${tmpsecret}
- virsh secret-set-value --secret "${LIBVIRT_CEPH_CINDER_SECRET_UUID}" --base64 "${CEPH_CINDER_KEYRING}"
+ if [ -z "${CEPH_CINDER_KEYRING}" ] ; then
+ CEPH_CINDER_KEYRING=$(awk '/key/{print $3}' /etc/ceph/ceph.client.${CEPH_CINDER_USER}.keyring)
+ fi
+ create_virsh_libvirt_secret ${CEPH_CINDER_USER} ${LIBVIRT_CEPH_CINDER_SECRET_UUID} ${CEPH_CINDER_KEYRING}
+
+ if [ -n "${LIBVIRT_EXTERNAL_CEPH_CINDER_SECRET_UUID}" ] ; then
+ EXTERNAL_CEPH_CINDER_KEYRING=$(cat /tmp/external-ceph-client-keyring)
+ create_virsh_libvirt_secret ${EXTERNAL_CEPH_CINDER_USER} ${LIBVIRT_EXTERNAL_CEPH_CINDER_SECRET_UUID} ${EXTERNAL_CEPH_CINDER_KEYRING}
+ fi
 # rejoin libvirtd
 wait
diff --git a/libvirt/templates/daemonset-libvirt.yaml b/libvirt/templates/daemonset-libvirt.yaml
index da8f01a85..749420e06 100644
--- a/libvirt/templates/daemonset-libvirt.yaml
+++ b/libvirt/templates/daemonset-libvirt.yaml
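Review bot: Both calls to `create_virsh_libvirt_secret` pass their three arguments unquoted, so an empty `EXTERNAL_CEPH_CINDER_USER` (the chart default for `external_ceph.user` is `null`) shifts the positions and the key lands in `sec_uuid`, where it is written into the secret XML and handed to `--secret`. Quote every argument, e.g. `create_virsh_libvirt_secret "${EXTERNAL_CEPH_CINDER_USER}" "${LIBVIRT_EXTERNAL_CEPH_CINDER_SECRET_UUID}" "${EXTERNAL_CEPH_CINDER_KEYRING}"`, and declare `sec_user`, `sec_uuid` and `sec_ceph_keyring` with `local` so they do not leak into the rest of the script. The helper also carries over passing the key as a `--base64` command-line argument, which exposes it in the process list (and in trace output if the script runs with tracing on); the virsh documentation marks that form as insecure, so reading the value from a file is worth a follow-up where the deployed libvirt supports it. The enclosing `if [ -n "${LIBVIRT_CEPH_CINDER_SECRET_UUID}" ]` block starts and ends outside the hunk.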
@@ -123,6 +123,12 @@ spec:
 {{ end }}
 - name: LIBVIRT_CEPH_CINDER_SECRET_UUID
 value: "{{ .Values.conf.ceph.cinder.secret_uuid }}"
+ {{- if .Values.conf.ceph.cinder.external_ceph.enabled }}
+ - name: EXTERNAL_CEPH_CINDER_USER
+ value: "{{ .Values.conf.ceph.cinder.external_ceph.user }}"
+ - name: LIBVIRT_EXTERNAL_CEPH_CINDER_SECRET_UUID
+ value: "{{ .Values.conf.ceph.cinder.external_ceph.secret_uuid }}"
+ {{ end }}
 {{ end }}
 readinessProbe:
 exec:
@@ -199,6 +205,12 @@ spec:
 subPath: key
 readOnly: true
 {{- end }}
+ {{- if .Values.conf.ceph.cinder.external_ceph.enabled }}
+ - name: external-ceph-keyring
+ mountPath: /tmp/external-ceph-client-keyring
+ subPath: key
+ readOnly: true
+ {{- end }}
 {{- end }}
 {{ if $mounts_libvirt.volumeMounts }}{{ toYaml $mounts_libvirt.volumeMounts | indent 12 }}{{ end }}
 volumes:
@@ -225,6 +237,11 @@ spec:
 secret:
 secretName: {{ .Values.ceph_client.user_secret_name }}
 {{ end }}
+ {{- if .Values.conf.ceph.cinder.external_ceph.enabled }}
+ - name: external-ceph-keyring
+ secret:
+ secretName: {{ .Values.conf.ceph.cinder.external_ceph.user_secret_name }}
+ {{ end }}
 {{ end }}
 - name: libmodules
 hostPath:
diff --git a/libvirt/values.yaml b/libvirt/values.yaml
index f5f3b9156..f4564c8c4 100644
--- a/libvirt/values.yaml
+++ b/libvirt/values.yaml
@@ -77,6 +77,12 @@ conf:
 user: "cinder"
 keyring: null
 secret_uuid: 457eb676-33da-42ec-9a8c-9293d545c337
+ # Cinder Ceph backend that is not configured by the k8s cluter
+ external_ceph:
+ enabled: false
+ user: null
+ secret_uuid: null
+ user_secret_name: null
 libvirt:
 listen_tcp: "1"
 listen_tls: "0"
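Review bot: In the env hunk of daemonset-libvirt.yaml, `external_ceph.user` and `external_ceph.secret_uuid` are rendered with no check, and values.yaml defaults both to `null`, so setting `enabled: true` without filling them in produces empty env vars; the volumes hunk has the same gap for `user_secret_name`, where an empty `secretName` would presumably only be rejected when the pod spec is submitted. With an empty UUID the script skips the external secret silently, because it tests `LIBVIRT_EXTERNAL_CEPH_CINDER_SECRET_UUID` for non-emptiness. Failing at render time is clearer, e.g. `value: {{ required "conf.ceph.cinder.external_ceph.secret_uuid must be set when external_ceph is enabled" .Values.conf.ceph.cinder.external_ceph.secret_uuid | quote }}`, and likewise for `user` and `secretName`.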
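Review bot: The comment above `external_ceph` in values.yaml has a typo (`cluter`) and does not say what the four keys expect. Suggested wording: `# Cinder Ceph backend that is not managed by this k8s cluster` followed by `# user_secret_name: existing Secret in the pod's namespace whose "key" entry holds the client key`, since the daemonset mounts it with `subPath: key` and the script passes the file content to virsh as the base64 value. Because the file is a subPath mount that the script reads once at start-up, the comment should also say that rotating the key requires restarting the libvirt pods.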