Use ssh_keypairs role to generate keys for repo sync

This uses ssh signed certificates so there is no longer the need to distribute the repo_server public key from each repo_server to all other repo_servers. The legacy scripts and authorized key files are removed as a migration step. Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/836377 Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/825292 Change-Id: I27770f3a781bdf62d2a37659e087b12db2fb459e
2022-01-31 08:49:55 -05:00 · 2022-01-31 08:49:55 -05:00 · 8bdf307151
parent ee0a6d5b37
commit 8bdf307151
5 changed files with 51 additions and 79 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -43,10 +43,6 @@ repo_service_home_folder: /var/www
 repo_service_user_name: nginx
 repo_service_group_name: www-data

-# If you want to regenerate the repo users SSH keys, on each run, set this var to True
-# Otherwise keys will be generated on the first run and not regenerated each run.
-repo_recreate_keys: False
-
 # Main web server port
 repo_server_bind_address: "{{ openstack_service_bind_address | default('0.0.0.0') }}"
 repo_server_port: 8181
@ -60,3 +56,33 @@ repo_build_global_links_dirname: links
 # directory placed by the deployer will also be transferred
 repo_upper_constraints_path: "/etc/openstack_deploy/upper-constraints"

+# Delegated host for operating the ssh certificate authority
+repo_ssh_keypairs_setup_host: "{{ openstack_ssh_keypairs_setup_host | default('localhost') }}"
+
+# directory on the setup host to create and store SSH keypairs
+repo_ssh_keypairs_dir: "{{ openstack_ssh_keypairs_dir | default('/etc/openstack_deploy/ssh_keypairs') }}"
+
+#Each repo host needs a signed ssh certificate to log into the others
+repo_ssh_keypairs:
+  - name: "repo-{{ inventory_hostname }}"
+    cert:
+      signed_by: "{{ openstack_ssh_signing_key }}"
+      principals: "{{ repo_ssh_key_principals | default('repo') }}"
+      valid_from: "{{ repo_ssh_key_valid_from | default('always') }}"
+      valid_to: "{{ repo_ssh_key_valid_to | default('forever') }}"
+
+#Each repo host needs the signed ssh certificate installing to the repo_server user
+repo_ssh_keypairs_install_keys:
+  owner: "{{ repo_service_user_name }}"
+  group: "{{ repo_service_group_name }}"
+  keys:
+    - cert: "repo-{{ inventory_hostname }}"
+      dest: "{{ repo_service_home_folder }}/.ssh/id_rsa"
+
+#Each repo host must trust the SSHD certificate authoritiy in the sshd configuration
+repo_ssh_keypairs_install_ca: "{{ openstack_ssh_keypairs_authorities }}"
+
+#Each repo host must allow SSH certificates with the appropriate principal to log into the repo_server user
+repo_ssh_keypairs_principals:
+  - user: "{{ repo_service_user_name }}"
+    principals: "{{ repo_ssh_key_principals | default(['repo']) }}"
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -36,14 +36,29 @@
  tags:
    - repo_server-config

- include: repo_key_populate.yml
+- name: Create ssh keys for synchronising repo contents
+  include_role:
+    name: openstack.osa.ssh_keypairs
+  args:
+    apply:
+      tags:
+        - repo-key
+        - repo_server-config
+  vars:
+      ssh_keypairs_setup_hosst: "{{ repo_ssh_keypairs_setup_host }}"
+      ssh_keypairs_dir: "{{ repo_ssh_keypairs_dir }}"
+      ssh_keypairs: "{{ repo_ssh_keypairs }}"
+      ssh_keypairs_install_keys: "{{ repo_ssh_keypairs_install_keys }}"
+      ssh_keypairs_install_ca: "{{ repo_ssh_keypairs_install_ca }}"
+      ssh_keypairs_principals: "{{ repo_ssh_keypairs_principals }}"
  tags:
-    - repo_server-config
+    - always

- include: repo_key_distribute.yml
-  when: groups.repo_all|length > 1
-  tags:
-    - repo_server-config
+# TODO (jrosser) Remove this task for the Z release
+- name: Remove legacy authorized keys file
+  file:
+    path: "{{ repo_service_home_folder }}/.ssh/authorized_keys"
+    state: absent

 - include: repo_sync_manager.yml
  when: inventory_hostname == groups['repo_all'][0]
--- a/tasks/repo_key_distribute.yml
+++ b/tasks/repo_key_distribute.yml
@ -1,24 +0,0 @@
---
-# Copyright 2014, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
- name: Create authorized keys file from host vars
-  authorized_key:
-    user: "{{ repo_service_user_name }}"
-    key: "{{ hostvars[item]['repo_pubkey'] | b64decode }}"
-  with_items: "{{ groups['repo_all'] }}"
-  when: hostvars[item]['repo_pubkey'] is defined
-  tags:
-    - repo-key
-    - repo-key-store
--- a/tasks/repo_key_populate.yml
+++ b/tasks/repo_key_populate.yml
@ -1,30 +0,0 @@
---
-# Copyright 2014, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
- name: Get public key contents and store as var
-  slurp:
-    src: "{{ repo_service_home_folder }}/.ssh/id_rsa.pub"
-  register: repo_pub
-  changed_when: false
-  tags:
-    - repo-key
-    - repo-key-create
-
- name: Register a fact for the repo user pub key
-  set_fact:
-     repo_pubkey: "{{ repo_pub.content }}"
-  tags:
-    - repo-key
-    - repo-key-create
--- a/tasks/repo_post_install.yml
+++ b/tasks/repo_post_install.yml
@ -19,21 +19,6 @@
    name: pack.threads
    value: '0'

- name: Remove old key file(s) if found
-  file:
-    path: "{{ item }}"
-    state: "absent"
-  with_items:
-    - "{{ repo_service_home_folder }}/.ssh/authorized_keys"
-    - "{{ repo_service_home_folder }}/.ssh/id_rsa"
-    - "{{ repo_service_home_folder }}/.ssh/id_rsa.pub"
-  when: repo_recreate_keys | bool
-
- name: Generate the nginx system user ssh key
-  user:
-    name: "{{ repo_service_user_name }}"
-    generate_ssh_key: "yes"
-
 - name: Enable SSHD
  systemd:
    name: "{{ repo_server_sshd }}"