overrides:
  ceph:
    conf:
      client:
        rgw crypt s3 kms backend: kmip
        rgw crypt kmip ca path: /etc/ceph/kmiproot.crt
        rgw crypt kmip client cert: /etc/ceph/kmip-client.crt
        rgw crypt kmip client key: /etc/ceph/kmip-client.key
        rgw crypt kmip kms key template: pykmip-$keyid
  rgw:
    client.0:
      use-pykmip-role: client.0

tasks:
- openssl_keys:
    kmiproot:
      client: client.0
      cn: kmiproot
      key-type: rsa:4096
    kmip-server:
      client: client.0
      ca: kmiproot
    kmip-client:
      client: client.0
      ca: kmiproot
      cn: rgw-client
- exec:
    client.0:
      - chmod 644 /home/ubuntu/cephtest/ca/kmip-client.key
- pykmip:
    client.0:
      clientca: kmiproot
      servercert: kmip-server
      clientcert: kmip-client
      secrets:
      - name: pykmip-my-key-1
      - name: pykmip-my-key-2