From b286d8900fc8396f914c4d7f8f18e577be57e097 Mon Sep 17 00:00:00 2001
From: Luigi Toscano
Date: Thu, 8 Jan 2026 15:19:26 +0100
Subject: [PATCH] [cifmw_cephadm] rework container registry credentials
As default, use the already known set of variables which are meant to be used to store the URL and the credentials of the container registry. Also, do not pass the credentials to the cephadm command line, but hide them inside a configuration file, so that the credentials are not exposed in the ansible logs. The configuration file is also removed when not needed anymore. The --registry-json argument has the same behavior of the combination of --registry-url/--registry-username/--registry-password which need to be passed at the same time anyway.
Signed-off-by: Luigi Toscano
---
roles/cifmw_cephadm/tasks/bootstrap.yml | 29 +++++++++++++++++--
.../templates/cephadm_registry_file.json.j2 | 5 ++++
2 files changed, 31 insertions(+), 3 deletions(-)
create mode 100644 roles/cifmw_cephadm/templates/cephadm_registry_file.json.j2
diff --git a/roles/cifmw_cephadm/tasks/bootstrap.yml b/roles/cifmw_cephadm/tasks/bootstrap.yml
index 9ac56bfffe..1fb47b4039 100644
--- a/roles/cifmw_cephadm/tasks/bootstrap.yml
+++ b/roles/cifmw_cephadm/tasks/bootstrap.yml
@@ -46,7 +46,26 @@
 - cephadm_ls.stdout == '[]'
 tags:
 - cephadm_bootstrap
+ vars:
+ cephadm_registry_file: "/tmp/cephadm_registry.json"
 block:
+ - name: Prepare the registry credential file
+ when: cephadm_container_registry_url|length > 0
+ vars:
+ cephadm_container_registry_url: "{{ cifmw_cephadm_registry_url|default(cifmw_registry_token_registry_url|default(''), True) }}"
+ cephadm_container_registry_username: "{{ cifmw_cephadm_registry_username|default(cifmw_registry_token.credentials.username|default(''), True) }}"
+ cephadm_container_registry_password: "{{ cifmw_cephadm_registry_password|default(cifmw_registry_token.credentials.password|default(''), True) }}"
+ ansible.builtin.template:
+ src: templates/cephadm_registry_file.json.j2
+ dest: "{{ cephadm_registry_file }}"
+ mode: '0644'
+ force: true
+
+ - name: Find out if the container registry configuration file exists
+ ansible.builtin.stat:
+ path: "{{ cephadm_registry_file }}"
+ register: cephadm_container_registry_config_check
+
 - name: Run cephadm bootstrap
 become: true
 register: cephadm_bootstrap
@@ -65,9 +84,7 @@
 --output-keyring {{ cifmw_cephadm_admin_keyring }} \
 --output-config {{ cifmw_cephadm_conf }} \
 --fsid {{ cifmw_cephadm_fsid }} \
- {% if cifmw_cephadm_registry_url|length > 0 %}--registry-url {{ cifmw_cephadm_registry_url }} \{% endif %}
- {% if cifmw_cephadm_registry_username|length > 0 %}--registry-username {{ cifmw_cephadm_registry_username }} \{% endif %}
- {% if cifmw_cephadm_registry_password|length > 0 %}--registry-password {{ cifmw_cephadm_registry_password }} \{% endif %}
+ {% if cephadm_container_registry_config_check.stat.exists %}--registry-json {{ cephadm_registry_file }} \{% endif %}
 {% if cifmw_cephadm_spec_on_bootstrap %}--apply-spec {{ cifmw_cephadm_spec }} \{% endif %}
 {% if cifmw_cephadm_assimilate_conf_stat.stat.exists %}--config {{ cifmw_cephadm_assimilate_conf }} \{% endif %}
 {% if cifmw_cephadm_single_host_defaults %}--single-host-defaults \{% endif %}
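Review bot: The credential file rendered by the `Prepare the registry credential file` task is written with `mode: '0644'`, so the registry password in `/tmp/cephadm_registry.json` is readable by every local user for as long as the file exists; it should be `mode: '0600'`. The same task prints the rendered content, password included, when the play is run with `--diff`, which undercuts the commit's goal of keeping the credentials out of the Ansible output, so the template task also needs `no_log: true` (or at least `diff: false`). A fixed name under the shared `/tmp` means the unconditional stat task that follows will also find a file left behind by an earlier failed run or created by another local user, and `force: true` will silently overwrite one that is not ours; a path produced by `ansible.builtin.tempfile` inside a directory the play owns avoids both. The enclosing block starts before this hunk.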
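Review bot: The new `--registry-json` line is gated only on `cephadm_container_registry_config_check.stat.exists`, whereas the file is rendered only when `cephadm_container_registry_url|length > 0`; since the stat task carries no `when`, any pre-existing `/tmp/cephadm_registry.json` is handed to cephadm even when no registry is configured for this run. The two checks could be kept in step by moving the three `cephadm_container_registry_*` definitions from the template task's `vars` up to the block-level `vars` that already holds `cephadm_registry_file`, putting the same `when: cephadm_container_registry_url|length > 0` on the stat task, and guarding here with `{% if cephadm_container_registry_config_check.stat.exists|default(false) %}` so a skipped stat (which registers no `stat` key) does not break the template. As written, `cephadm_container_registry_url` is visible only inside the template task, so this command template cannot reference it directly — that is why the hoisting matters. The shell command continues outside the hunk on both sides.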
@@ -80,6 +97,12 @@
 ansible.builtin.debug:
 msg: "{{ cephadm_bootstrap }}"
 
+ - name: Remove the container registry credentials file which is not needed anymore
+ when: cephadm_container_registry_config_check.stat.exists
+ ansible.builtin.file:
+ path: "{{ cephadm_registry_file }}"
+ state: absent
+
 - name: Ensure cifmw_cephadm_ceph_cli is set
 when:
 - cifmw_cephadm_ceph_cli is not defined
diff --git a/roles/cifmw_cephadm/templates/cephadm_registry_file.json.j2 b/roles/cifmw_cephadm/templates/cephadm_registry_file.json.j2
new file mode 100644
index 0000000000..9e2dccc31c
--- /dev/null
+++ b/roles/cifmw_cephadm/templates/cephadm_registry_file.json.j2
@@ -0,0 +1,5 @@
+{
+ "url":"{{ cephadm_container_registry_url }}",
+ "username":"{{ cephadm_container_registry_username }}",
+ "password":"{{ cephadm_container_registry_password }}"
+}
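Review bot: The removal task only executes if every task before it in the block succeeded, so a failing `cephadm bootstrap` (or the debug task being reached at all) decides whether the password file survives on disk, which is the opposite of what the commit sets out to guarantee. Moving this task into an `always:` section of the enclosing block makes the cleanup unconditional on the outcome; the block header and any `rescue`/`always` it may already have are outside this hunk, so I cannot tell whether one exists. The `when:` can be dropped entirely, since `ansible.builtin.file` with `state: absent` is a no-op when the path does not exist, and without it the task no longer depends on the stat result being registered.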
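Review bot: The template assembles JSON by splicing raw values between hand-written double quotes, so a username or password containing `"` or `\` (or a newline) produces a file cephadm cannot parse, and the failure surfaces only as an obscure bootstrap error. Each value should be emitted through the `to_json` filter, which supplies the quoting and escaping itself: `"password": {{ cephadm_container_registry_password | to_json }}`, and likewise for `url` and `username`. An equivalent single-expression form is to render the whole mapping, `{{ {'url': cephadm_container_registry_url, 'username': cephadm_container_registry_username, 'password': cephadm_container_registry_password} | to_nice_json }}`, which also removes the need to keep the braces and commas in sync by hand.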