Extract cephx keys from vault encrypted files

Cephx keys are not picked up by "local_action: shell cat [...]" when using ansible-vault encrypted keyrings. This commit changes the logic to use the file lookup plugin and extracts the key using jinja2 regex filters. The raw keys are then set as ansible facts. Closes-Bug: 1849127 Change-Id: Iacb1e42307c4de6a7a379e8cf279e073995fd5d3

Extract cephx keys from vault encrypted files
44709f41 · Jan Horstmann · 160af32c · 44709f41
Commit 44709f41 authored 5 years ago by Jan Horstmann
--- a/ansible/roles/nova-cell/tasks/external_ceph.yml
+++ b/ansible/roles/nova-cell/tasks/external_ceph.yml
@@ -79,26 +79,26 @@
    - Restart nova-libvirt container

 - name: Extract nova key from file
-  local_action: shell cat "{{ nova_cephx_keyring_file.stat.path }}" | grep -E 'key\s*=' | awk '{ print $3 }'
+  set_fact:
+    nova_cephx_raw_key: "{{ lookup('file', nova_cephx_keyring_file.stat.path) | regex_search('key\\s*=.*$', multiline=True) | regex_replace('key\\s*=\\s*(.*)\\s*', '\\1') }}"
  changed_when: false
  run_once: True
-  register: nova_cephx_raw_key
  when:
    - nova_backend == "rbd"
    - external_ceph_cephx_enabled | bool

 - name: Extract cinder key from file
-  local_action: shell cat "{{ cinder_cephx_keyring_file.stat.path }}" | grep -E 'key\s*=' | awk '{ print $3 }'
+  set_fact:
+    cinder_cephx_raw_key: "{{ lookup('file', cinder_cephx_keyring_file.stat.path) | regex_search('key\\s*=.*$', multiline=True) | regex_replace('key\\s*=\\s*(.*)\\s*', '\\1') }}"
  changed_when: false
  run_once: True
-  register: cinder_cephx_raw_key
  when:
    - cinder_backend_ceph | bool
    - external_ceph_cephx_enabled | bool

 - name: Pushing secrets key for libvirt
  copy:
-    content: "{{ item.result.stdout }}"
+    content: "{{ item.result }}"
    dest: "{{ node_config_directory }}/nova-libvirt/secrets/{{ item.uuid }}.base64"
    mode: "0600"
  become: true