|
|
|
@@ -17,34 +17,77 @@ data:
|
|
|
|
provision.sh: |-
|
|
|
|
provision.sh: |-
|
|
|
|
#!/bin/bash
|
|
|
|
#!/bin/bash
|
|
|
|
|
|
|
|
|
|
|
|
echo "===================================="
|
|
|
|
set -x
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
CRT_CONFIG_KEY="mgr/restful/crt"
|
|
|
|
|
|
|
|
KEY_CONFIG_KEY="mgr/restful/key"
|
|
|
|
|
|
|
|
RESTFUL_PORT="7999"
|
|
|
|
|
|
|
|
REQUIRES_CERT_GENERATION=false
|
|
|
|
|
|
|
|
REQUIRES_MODULE_RESTART=false
|
|
|
|
|
|
|
|
|
|
|
|
retries=60
|
|
|
|
retries=60
|
|
|
|
retry_count=1
|
|
|
|
retry_count=1
|
|
|
|
|
|
|
|
# Attempt to access Ceph up to the max number of retries
|
|
|
|
while [ $retry_count -le $retries ]; do
|
|
|
|
while [ $retry_count -le $retries ]; do
|
|
|
|
mgr_metadata=`ceph mgr metadata`
|
|
|
|
ceph -s --connect-timeout 30
|
|
|
|
[ $? -eq 0 ] && break
|
|
|
|
if [ $? -eq 0 ]; then
|
|
|
|
|
|
|
|
break
|
|
|
|
echo "Retry #" $retry_count
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
echo "Retry #$retry_count"
|
|
|
|
sleep 10
|
|
|
|
sleep 10
|
|
|
|
let retry_count++
|
|
|
|
((retry_count++))
|
|
|
|
done
|
|
|
|
done
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Check if retries exceeded the limit
|
|
|
|
if [ $retry_count -gt $retries ]; then
|
|
|
|
if [ $retry_count -gt $retries ]; then
|
|
|
|
echo "Error: Ceph MGR does not correctly initialized."
|
|
|
|
echo "Error: Ceph is not responding."
|
|
|
|
exit 1
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
mgr_hostnames=(`echo ${mgr_metadata} | jq -r '.[].hostname'`)
|
|
|
|
# Retrieve the hostnames
|
|
|
|
[[ $? -ne 0 || -z ${mgr_hostnames} ]] && echo "Error: Ceph MGR does not return the hostnames correctly." && exit 1
|
|
|
|
hostnames=$(kubectl get nodes --no-headers -o custom-columns=":metadata.name" | tr '\n' ' ')
|
|
|
|
|
|
|
|
if [[ $? -ne 0 || -z ${hostnames} ]]; then
|
|
|
|
|
|
|
|
echo "Error: Unable to get hostnames."
|
|
|
|
|
|
|
|
exit 1
|
|
|
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
mgr_names=(`echo ${mgr_metadata} | jq -r '.[].name'`)
|
|
|
|
# Check if certificate and key exist
|
|
|
|
[[ $? -ne 0 || -z ${mgr_names} ]] && echo "Error: Ceph MGR does not return the names correctly." && exit 1
|
|
|
|
if ceph config-key exists "$CRT_CONFIG_KEY" && ceph config-key exists "$KEY_CONFIG_KEY"; then
|
|
|
|
|
|
|
|
CURRENT_CERTIFICATE="/tmp/current.crt"
|
|
|
|
|
|
|
|
ceph config-key get "$CRT_CONFIG_KEY" -o "$CURRENT_CERTIFICATE"
|
|
|
|
|
|
|
|
|
|
|
|
# Creating config file to be used to create the ssl certificate
|
|
|
|
# Check the expiration date of the certificate
|
|
|
|
cat > /tmp/all_hosts.conf << EOF
|
|
|
|
expiry_date=$(openssl x509 -in "$CURRENT_CERTIFICATE" -noout -enddate | cut -d= -f2)
|
|
|
|
|
|
|
|
expiry_timestamp=$(date -d "$expiry_date" +%s)
|
|
|
|
|
|
|
|
current_timestamp=$(date +%s)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# If it has expired, a new certificate needs to be generated.
|
|
|
|
|
|
|
|
if [[ $expiry_timestamp -lt $current_timestamp ]]; then
|
|
|
|
|
|
|
|
REQUIRES_CERT_GENERATION=true
|
|
|
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Extract Subject Alternative Names (SANs) from the certificate
|
|
|
|
|
|
|
|
alts=$(openssl x509 -in "$CURRENT_CERTIFICATE" -noout -text | grep -A 1 "X509v3 Subject Alternative Name" | tail -n +2 | tr -d ' ' | tr ',' '\n')
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Check if all hostnames are present in the SAN
|
|
|
|
|
|
|
|
for hostname in $hostnames; do
|
|
|
|
|
|
|
|
if ! echo "$alts" | grep -q "$hostname"; then
|
|
|
|
|
|
|
|
echo "$hostname is not present in the certificate."
|
|
|
|
|
|
|
|
REQUIRES_CERT_GENERATION=true
|
|
|
|
|
|
|
|
break
|
|
|
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
done
|
|
|
|
|
|
|
|
else
|
|
|
|
|
|
|
|
REQUIRES_CERT_GENERATION=true
|
|
|
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# If certificate needs to be generated
|
|
|
|
|
|
|
|
if [ "$REQUIRES_CERT_GENERATION" == "true" ]; then
|
|
|
|
|
|
|
|
echo "Creating SSL certificate..."
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Generate the OpenSSL config file
|
|
|
|
|
|
|
|
cat > /tmp/ssl.conf << EOF
|
|
|
|
[req]
|
|
|
|
[req]
|
|
|
|
req_extensions = v3_ca
|
|
|
|
req_extensions = v3_ca
|
|
|
|
distinguished_name = req_distinguished_name
|
|
|
|
distinguished_name = req_distinguished_name
|
|
|
|
@@ -60,39 +103,50 @@ data:
|
|
|
|
[alt_names]
|
|
|
|
[alt_names]
|
|
|
|
EOF
|
|
|
|
EOF
|
|
|
|
|
|
|
|
|
|
|
|
# Populating the config file including all hosts that there are MGRs
|
|
|
|
# Populate the config file with hostnames
|
|
|
|
counter=1
|
|
|
|
counter=1
|
|
|
|
for mgr in "${mgr_hostnames[@]}"; do
|
|
|
|
for hostname in $hostnames; do
|
|
|
|
echo "DNS.${counter} = ${mgr}" >> /tmp/all_hosts.conf
|
|
|
|
echo "DNS.${counter} = ${hostname}" >> /tmp/ssl.conf
|
|
|
|
counter=$((counter+1))
|
|
|
|
((counter++))
|
|
|
|
done
|
|
|
|
done
|
|
|
|
|
|
|
|
|
|
|
|
openssl req -new -nodes -x509 -subj /O=IT/CN=ceph-restful -days 3650 -config /tmp/all_hosts.conf -out /tmp/ceph-restful.crt -keyout /tmp/ceph-restful.key -extensions v3_ca
|
|
|
|
# Create the certificate and key
|
|
|
|
[ $? == 1 ] && echo "Error: The certificate generation failed. Failing pod..." && exit 1
|
|
|
|
openssl req -new -nodes -x509 -subj /O=IT/CN=ceph-restful -days 3650 -config /tmp/ssl.conf -out /tmp/ceph-restful.crt -keyout /tmp/ceph-restful.key -extensions v3_ca
|
|
|
|
echo "Create ssl certificate using the config file created before"
|
|
|
|
if [ $? -ne 0 ]; then
|
|
|
|
|
|
|
|
echo "Error: The certificate generation failed."
|
|
|
|
|
|
|
|
exit 1
|
|
|
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
for mgr in "${mgr_names[@]}"; do
|
|
|
|
echo "Setting the certificate and key..."
|
|
|
|
ceph config-key set config/mgr/mgr/restful/${mgr}/crt -i /tmp/ceph-restful.crt
|
|
|
|
ceph config-key set "$CRT_CONFIG_KEY" -i /tmp/ceph-restful.crt
|
|
|
|
ceph config-key set config/mgr/mgr/restful/${mgr}/key -i /tmp/ceph-restful.key
|
|
|
|
ceph config-key set "$KEY_CONFIG_KEY" -i /tmp/ceph-restful.key
|
|
|
|
|
|
|
|
|
|
|
|
ceph config-key set mgr/restful/${mgr}/crt -i /tmp/ceph-restful.crt
|
|
|
|
REQUIRES_MODULE_RESTART=true
|
|
|
|
ceph config-key set mgr/restful/${mgr}/key -i /tmp/ceph-restful.key
|
|
|
|
else
|
|
|
|
done
|
|
|
|
echo "The certificate already exists, there is no need to regenerate it."
|
|
|
|
echo "Set certificate and key for each MGR"
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
ceph config set mgr mgr/restful/server_port 7999
|
|
|
|
# Check and configure the restful module port
|
|
|
|
echo "Set server port"
|
|
|
|
restful_url=$(ceph mgr services --format=json | jq -r '.restful')
|
|
|
|
|
|
|
|
if [[ "$restful_url" != *":$RESTFUL_PORT"* ]]; then
|
|
|
|
|
|
|
|
echo "Setting the mgr restful module port..."
|
|
|
|
|
|
|
|
ceph config set mgr mgr/restful/server_port "$RESTFUL_PORT"
|
|
|
|
|
|
|
|
REQUIRES_MODULE_RESTART=true
|
|
|
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# If the module needs to be restarted
|
|
|
|
|
|
|
|
if [ "$REQUIRES_MODULE_RESTART" == "true" ]; then
|
|
|
|
|
|
|
|
echo "Restarting restful module..."
|
|
|
|
ceph mgr module disable restful
|
|
|
|
ceph mgr module disable restful
|
|
|
|
echo "Disable restful"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
ceph mgr module enable restful
|
|
|
|
ceph mgr module enable restful
|
|
|
|
echo "Enable restful"
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Create the admin key. If it already exists, it will be kept.
|
|
|
|
|
|
|
|
echo "Creating admin key..."
|
|
|
|
ceph restful create-key admin
|
|
|
|
ceph restful create-key admin
|
|
|
|
echo "Ceph Mgr Provision Complete"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
echo "===================================="
|
|
|
|
echo "Ceph mgr provision completed."
|
|
|
|
|
|
|
|
exit 0
|
|
|
|
---
|
|
|
|
---
|
|
|
|
apiVersion: batch/v1
|
|
|
|
apiVersion: batch/v1
|
|
|
|
kind: Job
|
|
|
|
kind: Job
|
|
|
|
|
Zuul