cifmw_ceph_client: Discover Ceph RGW and create Glance secrets

This patch enhances the cifmw_ceph_client role to:
- Automatically discover Ceph RGW (RADOS Gateway) endpoint and credentials
- Create Glance secrets using the discovered RGW settings

This integration allows Glance to leverage Ceph RGW for secret storage
when object store backends are enabled in the environment.

Changes:
- Add RGW discovery tasks to the role
- Add logic to create Glance secrets with RGW config

Author: Maxim Sava

roles/cifmw_ceph_client/defaults/main.yml

@@ -35,3 +35,5 @@ cifmw_ceph_client_k8s_secret_name: ceph-conf-files
 cifmw_ceph_client_k8s_namespace: openstack
 cifmw_ceph_client_values_post_ceph_path_dst: "{{ cifmw_ceph_client_fetch_dir }}/edpm_values_post_ceph.yaml"
 cifmw_ceph_client_service_values_post_ceph_path_dst: "{{ cifmw_ceph_client_fetch_dir }}/edpm_service_values_post_ceph.yaml"
+cifmw_ceph_client_rgw_bucket_name: "ceph-s3-bucket"
+cifmw_ceph_client_rgw_store_cacert: "/etc/pki/tls/certs/ca-bundle.crt"

roles/cifmw_ceph_client/tasks/main.yml

@@ -78,6 +78,42 @@
     mode: "0600"
     force: true
 
+- name: Get ceph RGW endpoint API endpoint
+  ansible.builtin.shell:
+    cmd: |
+      set -xe -o pipefail
+      oc rsh -n {{ namespace }} openstackclient openstack endpoint list --interface internal --service swift -c URL -f value | cut -d "/" -f 1,2,3
+  register: reg_ceph_rgw_s3_endpoint
+  changed_when: "'stdout' in reg_ceph_rgw_s3_endpoint"
+  failed_when: (reg_ceph_rgw_s3_endpoint.rc | int) >= 1
+
+- name: Discover ceph RGW settings
+  ansible.builtin.set_fact:
+    ceph_s3_access_key: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits'], length=32) }}"
+    ceph_s3_secret_key: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits'], length=32) }}"
+    ceph_s3_bucket: "{{ cifmw_ceph_client_rgw_bucket_name }}"
+    ceph_s3_endpoint: "{{ reg_ceph_rgw_s3_endpoint.stdout }}"
+
+- name: Create glance secrets for ceph S3 backend
+  ansible.builtin.template:
+    src: templates/k8s_ceph_rgw_glance_secret.j2
+    dest: "{{ cifmw_ceph_client_fetch_dir }}/k8s_ceph_rgw_glance_secret.yaml"
+    mode: "0640"
+    force: true
+
+- name: Create ec2 credentials
+  ansible.builtin.shell: |-
+    oc rsh -n {{ namespace }} openstackclient openstack credential create --type ec2 --project admin admin '{"access": "{{ ceph_s3_access_key }}", "secret": "{{ ceph_s3_secret_key }}"}'
+  changed_when: false
+
+- name: Apply the S3 backend secrets
+  ansible.builtin.shell: |
+    oc project {{ namespace }}
+    oc apply -f {{ cifmw_ceph_client_fetch_dir }}/k8s_ceph_rgw_glance_secret.yaml
+  register: s3_secrets_oc_apply_result
+  changed_when: ('stdout' in s3_secrets_oc_apply_result) and ('unchanged' not in s3_secrets_oc_apply_result.stdout)
+  failed_when: ( s3_secrets_oc_apply_result.rc | int ) >= 1
+
 - name: Create edpm-values-post-ceph ConfigMap if sample path provided
   ansible.builtin.include_tasks: edpm_values_post_ceph.yml
   when:

roles/cifmw_ceph_client/templates/k8s_ceph_rgw_glance_secret.j2

@@ -0,0 +1,5 @@
+s3_store_host = {{ ceph_s3_endpoint }}
+s3_store_access_key = {{ ceph_s3_access_key }}
+s3_store_secret_key = {{ ceph_s3_secret_key }}
+s3_store_bucket = {{ ceph_s3_bucket }}
+s3_store_cacert = {{ cifmw_ceph_client_rgw_store_cacert }}