From cd289c50caa108b567d390067627ab30b7eb8055 Mon Sep 17 00:00:00 2001 From: Matt Anson Date: Wed, 16 Apr 2025 18:04:19 +0100 Subject: [PATCH 1/2] Fix credential existence check for rgw usage exporter credential_check.stdout is a string representation of a list, and as such will never return true when compared to an empty Python list. Passing credential_check.stdout through the from_json filter casts the string to a list, and the equality can be properly evaluated. --- etc/kayobe/ansible/deploy-radosgw-usage-exporter.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/kayobe/ansible/deploy-radosgw-usage-exporter.yml b/etc/kayobe/ansible/deploy-radosgw-usage-exporter.yml index df8340419..2412ab448 100644 --- a/etc/kayobe/ansible/deploy-radosgw-usage-exporter.yml +++ b/etc/kayobe/ansible/deploy-radosgw-usage-exporter.yml @@ -66,7 +66,7 @@ vars: ansible_host: "{{ hostvars[groups['controllers'][0]].ansible_host }}" run_once: true - when: credential_check.stdout == [] + when: credential_check.stdout | from_json == [] - name: Query ec2 credential for ceph_rgw ansible.builtin.command: > From 9dfc157082d5030cd79e722810debcceb60e54fd Mon Sep 17 00:00:00 2001 From: Matt Anson Date: Wed, 16 Apr 2025 18:37:15 +0100 Subject: [PATCH 2/2] Use system trust store as REQUESTS_CA_BUNDLE By default Python requests uses its own CA bundle rather than the system trust store. As we optionally update the system trust store with our own CA, force Python requests to use the system trust store as its CA bundle. --- etc/kayobe/ansible/deploy-radosgw-usage-exporter.yml | 1 + ...-usage-exporter-deployment-fixes-0196167326dbe456.yaml | 8 ++++++++ 2 files changed, 9 insertions(+) create mode 100644 releasenotes/notes/rgw-usage-exporter-deployment-fixes-0196167326dbe456.yaml diff --git a/etc/kayobe/ansible/deploy-radosgw-usage-exporter.yml b/etc/kayobe/ansible/deploy-radosgw-usage-exporter.yml index 2412ab448..c70e54194 100644 --- a/etc/kayobe/ansible/deploy-radosgw-usage-exporter.yml +++ b/etc/kayobe/ansible/deploy-radosgw-usage-exporter.yml @@ -115,6 +115,7 @@ ACCESS_KEY: "{{ ec2.Access }}" SECRET_KEY: "{{ ec2.Secret }}" VIRTUAL_PORT: "{{ stackhpc_radosgw_usage_exporter_port | string }}" + REQUESTS_CA_BUNDLE: "/etc/ssl/certs/ca-certificates.crt" entrypoint: "{{ ['python', '-u', './radosgw_usage_exporter.py', '--insecure'] if not stackhpc_radosgw_usage_exporter_verify else omit }}" vars: ec2: "{{ credential.stdout | from_json | first }}" diff --git a/releasenotes/notes/rgw-usage-exporter-deployment-fixes-0196167326dbe456.yaml b/releasenotes/notes/rgw-usage-exporter-deployment-fixes-0196167326dbe456.yaml new file mode 100644 index 000000000..46a591480 --- /dev/null +++ b/releasenotes/notes/rgw-usage-exporter-deployment-fixes-0196167326dbe456.yaml @@ -0,0 +1,8 @@ +--- +fixes: + - | + Fixed RADOS gateway usage exporter deployment failing + to generate ec2 credentials for the ceph_rgw user. + - | + Fixed RADOS gateway usage exporter not using the system + trust root as its CA bundle.