cifmw_ceph_client: Discover Ceph RGW and create Glance secrets

This patch enhances the cifmw_ceph_client role to:
- Automatically discover Ceph RGW (RADOS Gateway) endpoint and credentials
- Create Glance secrets using the discovered RGW settings

This integration allows Glance to leverage Ceph RGW for secret storage
when object store backends are enabled in the environment.

Changes:
- Add RGW discovery tasks to the role
- Add logic to create Glance secrets with RGW config

Author: Maxim Sava

roles/cifmw_ceph_client/defaults/main.yml

@@ -35,3 +35,5 @@ cifmw_ceph_client_k8s_secret_name: ceph-conf-files
 cifmw_ceph_client_k8s_namespace: openstack
 cifmw_ceph_client_values_post_ceph_path_dst: "{{ cifmw_ceph_client_fetch_dir }}/edpm_values_post_ceph.yaml"
 cifmw_ceph_client_service_values_post_ceph_path_dst: "{{ cifmw_ceph_client_fetch_dir }}/edpm_service_values_post_ceph.yaml"
+cifmw_ceph_client_rgw_bucket_name: "ceph-s3-bucket"
+cifmw_ceph_client_rgw_store_cacert: "/etc/pki/tls/certs/ca-bundle.crt"

roles/cifmw_ceph_client/tasks/main.yml

@@ -78,6 +78,36 @@
     mode: "0600"
     force: true
 
+- name: Get ceph RGW endpoint API endpoint
+  ansible.builtin.shell:
+    cmd: |
+      set -xe -o pipefail
+      oc rsh -n openstack openstackclient openstack endpoint list --interface internal --service swift -c URL -f value | cut -d "/" -f 1,2,3
+  register: reg_ceph_rgw_s3_endpoint
+  changed_when: "'stdout' in reg_ceph_rgw_s3_endpoint"
+  failed_when: (reg_ceph_rgw_s3_endpoint.rc | int) >= 1
+
+- name: Discover ceph RGW settings
+  ansible.builtin.set_fact:
+    ceph_s3_access_key: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits'], length=32) }}"
+    ceph_s3_secret_key: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits'], length=32) }}"
+    ceph_s3_bucket: "{{ cifmw_ceph_client_rgw_bucket_name }}"
+    ceph_s3_endpoint: "{{ reg_ceph_rgw_s3_endpoint }}"
+
+- name: Create glance secrets for ceph S3 backend
+  ansible.builtin.template:
+    src: templates/k8s_ceph_rgw_glance_secret.j2
+    dest: "{{ cifmw_ceph_client_fetch_dir }}/k8s_ceph_rgw_glance_secret.yaml"
+    mode: "0600"
+    force: true
+
+- name: Create glance secrets for ceph S3 backend
+  ansible.builtin.template:
+    src: templates/k8s_ceph_rgw_secret.j2
+    dest: "{{ cifmw_ceph_client_fetch_dir }}/k8s_ceph_rgw_glance_secret.yaml"
+    mode: "0600"
+    force: true
+
 - name: Create edpm-values-post-ceph ConfigMap if sample path provided
   ansible.builtin.include_tasks: edpm_values_post_ceph.yml
   when:

roles/cifmw_ceph_client/templates/k8s_ceph_rgw_glance_secret.j2

@@ -0,0 +1,14 @@
+---
+# Glance secrets used to configure glance with ceph S3 backend
+apiVersion: v1
+kind: Secret
+metadata:
+  name: s3glance
+stringData:
+  s3secret.conf : |
+    [default_backend]
+    s3_store_host = {{ ceph_s3_endpoint }}
+    s3_store_access_key = {{ ceph_s3_access_key }}
+    s3_store_secret_key = {{ ceph_s3_secret_key }}
+    s3_store_bucket = {{ ceph_s3_bucket }}
+    s3_store_cacert = {{ cifmw_ceph_client_rgw_store_cacert }}