ceph-chef
Ceph secrets are not used when specified by encrypted data bags
There are several cases where Ceph commands require a secret as input. For example, when populating the monitor daemon with the monitor map and keyring in the mon recipe, it requires the FSID secret:
command lazy { "ceph-mon --mkfs -i #{node['hostname']} --fsid #{node['ceph']['fsid-secret']} --keyring #{keyring}" }
This is fine until you decide to not store secrets as override attributes. If you put secrets in encrypted data bags, these node attributes are not populated and the deployment fails.
Possible solution (1)
Change any Ceph commands that require a secret to use its corresponding secret check method in ceph_chef_helper.rb. In the FSID case, this new command would look like:
command lazy { "ceph-mon --mkfs -i #{node['hostname']} --fsid #{ceph_chef_fsid_secret} --keyring #{keyring}" }
The advantage is that this reuses an existing method and provides a mostly-simple solution to this problem. The disadvantage is that this method is obviously not necessarily intended for this purpose. If the user doesn't manually input their own secrets, this will fail, since that method will return nil. The README's user guide will have to be updated to make sure that users are made aware of this change, and by default, secrets cannot be created on the fly if they aren't specified beforehand.
Possible solution (2)
We could alter the secret check method to simply set the node attributes that are used in these commands, so node['ceph']['fsid-secret'] in this case, and then do a node.save. However, I'm still a bit new to Chef development and I'm not sure if this is really a proper use of node.save.
Any feedback/other possible solutions would be much appreciated.
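
The following is an added example, not code from this issue or from the ceph-chef cookbook: a stand-alone Ruby sketch of a resolver in the spirit of solution (1) that looks up the FSID secret when the command is built, raises if it finds nothing instead of letting nil interpolate into the command as an empty string, and never writes the decrypted value back into node attributes. The method names, the 'ceph'/'fsid' bag and item names, the 'encrypted_data_bags' flag and the sample values are assumptions made for illustration.

```ruby
# Added example: plain Ruby, no Chef needed. All names here are hypothetical.
class MissingSecretError < StandardError; end

# node:       Hash standing in for Chef node attributes.
# bag_loader: callable standing in for an encrypted data bag lookup; returns
#             the decrypted item as a Hash, or nil when the item does not exist.
def resolve_fsid_secret(node, bag_loader)
  ceph = node.fetch('ceph', {})
  candidates = []
  if ceph['encrypted_data_bags']
    item = bag_loader.call('ceph', 'fsid') # bag/item names are assumptions
    candidates << (item && item['secret'])
  end
  candidates << ceph['fsid-secret'] # attribute path used by the original command
  secret = candidates.compact.map { |s| s.to_s.strip }.find { |s| !s.empty? }
  # Fail here rather than let nil interpolate into the command as "".
  raise MissingSecretError, 'no FSID secret in data bag or node attributes' unless secret
  secret
end

# Returns an argv array; the node Hash is read, never written.
def mon_mkfs_argv(node, bag_loader, keyring)
  ['ceph-mon', '--mkfs', '-i', node.fetch('hostname'),
   '--fsid', resolve_fsid_secret(node, bag_loader), '--keyring', keyring]
end

# Constructed sample data.
SAMPLE_FSID = 'a1b2c3d4-0000-4000-8000-000000000001'
BAG_NODE  = { 'hostname' => 'mon1', 'ceph' => { 'encrypted_data_bags' => true } }.freeze
ATTR_NODE = { 'hostname' => 'mon2', 'ceph' => { 'fsid-secret' => SAMPLE_FSID } }.freeze
BAG_HIT   = ->(_bag, _item) { { 'secret' => SAMPLE_FSID } }
BAG_MISS  = ->(_bag, _item) { nil }

def missing_secret_detected?
  mon_mkfs_argv(BAG_NODE, BAG_MISS, '/tmp/keyring')
  false
rescue MissingSecretError
  true
end

if __FILE__ == $PROGRAM_NAME
  argv = mon_mkfs_argv(BAG_NODE, BAG_HIT, '/tmp/keyring')
  puts argv.map { |a| a == SAMPLE_FSID ? '<redacted>' : a }.join(' ')
  puts "missing secret raises: #{missing_secret_detected?}"
end
```
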