From 8bdf3071515f53125a1455f17a4863a524aad8dd Mon Sep 17 00:00:00 2001
From: Jonathan Rosser
Date: Mon, 31 Jan 2022 08:49:55 -0500
Subject: [PATCH] Use ssh_keypairs role to generate keys for repo sync

This uses ssh signed certificates so there is no longer the need to distribute the repo_server public key from each repo_server to all other repo_servers. The legacy scripts and authorized key files are removed as a migration step.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/836377
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/825292
Change-Id: I27770f3a781bdf62d2a37659e087b12db2fb459e
---
 defaults/main.yml | 34 ++++++++++++++++++++++++++++++----
 tasks/main.yml | 27 +++++++++++++++++++++------
 tasks/repo_key_distribute.yml | 24 ------------------------
 tasks/repo_key_populate.yml | 30 ------------------------------
 tasks/repo_post_install.yml | 15 ---------------
 5 files changed, 51 insertions(+), 79 deletions(-)
 delete mode 100644 tasks/repo_key_distribute.yml
 delete mode 100644 tasks/repo_key_populate.yml

diff --git a/defaults/main.yml b/defaults/main.yml
index cfad59a..b42ab67 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -43,10 +43,6 @@ repo_service_home_folder: /var/www
 repo_service_user_name: nginx
 repo_service_group_name: www-data
 
-# If you want to regenerate the repo users SSH keys, on each run, set this var to True
-# Otherwise keys will be generated on the first run and not regenerated each run.
-repo_recreate_keys: False
-
 # Main web server port
 repo_server_bind_address: "{{ openstack_service_bind_address | default('0.0.0.0') }}"
 repo_server_port: 8181
@@ -60,3 +56,33 @@ repo_build_global_links_dirname: links
 # directory placed by the deployer will also be transferred
 repo_upper_constraints_path: "/etc/openstack_deploy/upper-constraints"
 
+# Delegated host for operating the ssh certificate authority
+repo_ssh_keypairs_setup_host: "{{ openstack_ssh_keypairs_setup_host | default('localhost') }}"
+
+# directory on the setup host to create and store SSH keypairs
+repo_ssh_keypairs_dir: "{{ openstack_ssh_keypairs_dir | default('/etc/openstack_deploy/ssh_keypairs') }}"
+
+#Each repo host needs a signed ssh certificate to log into the others
+repo_ssh_keypairs:
+  - name: "repo-{{ inventory_hostname }}"
+    cert:
+      signed_by: "{{ openstack_ssh_signing_key }}"
+      principals: "{{ repo_ssh_key_principals | default('repo') }}"
+      valid_from: "{{ repo_ssh_key_valid_from | default('always') }}"
+      valid_to: "{{ repo_ssh_key_valid_to | default('forever') }}"
+
+#Each repo host needs the signed ssh certificate installing to the repo_server user
+repo_ssh_keypairs_install_keys:
+  owner: "{{ repo_service_user_name }}"
+  group: "{{ repo_service_group_name }}"
+  keys:
+    - cert: "repo-{{ inventory_hostname }}"
+      dest: "{{ repo_service_home_folder }}/.ssh/id_rsa"
+
+#Each repo host must trust the SSHD certificate authoritiy in the sshd configuration
+repo_ssh_keypairs_install_ca: "{{ openstack_ssh_keypairs_authorities }}"
+
+#Each repo host must allow SSH certificates with the appropriate principal to log into the repo_server user
+repo_ssh_keypairs_principals:
+  - user: "{{ repo_service_user_name }}"
+    principals: "{{ repo_ssh_key_principals | default(['repo']) }}"
diff --git a/tasks/main.yml b/tasks/main.yml
index 4c5add8..b234858 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
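Review bot: `repo_ssh_key_principals` is given two different defaults in this hunk — a string `'repo'` in the cert `principals` of `repo_ssh_keypairs` and a list `['repo']` in `repo_ssh_keypairs_principals` — so a deployer overriding it with either type hands the other consumer a type it may not expect; unless the ssh_keypairs role accepts both forms, use one shape in both places, e.g. `principals: "{{ repo_ssh_key_principals | default(['repo']) }}"`. The `valid_from`/`valid_to` defaults of `always`/`forever` yield certificates that never expire, which is worth stating in the comment so a deployer knows to set `repo_ssh_key_valid_to` when a bounded lifetime is wanted, since with these defaults removing access depends on rotating the CA. The four `#Each ...` comments lack the space after `#` and one of them reads `authoritiy`.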
@@ -36,14 +36,29 @@
   tags:
     - repo_server-config
 
-- include: repo_key_populate.yml
+- name: Create ssh keys for synchronising repo contents
+  include_role:
+    name: openstack.osa.ssh_keypairs
+    args:
+      apply:
+        tags:
+          - repo-key
+          - repo_server-config
+  vars:
+    ssh_keypairs_setup_hosst: "{{ repo_ssh_keypairs_setup_host }}"
+    ssh_keypairs_dir: "{{ repo_ssh_keypairs_dir }}"
+    ssh_keypairs: "{{ repo_ssh_keypairs }}"
+    ssh_keypairs_install_keys: "{{ repo_ssh_keypairs_install_keys }}"
+    ssh_keypairs_install_ca: "{{ repo_ssh_keypairs_install_ca }}"
+    ssh_keypairs_principals: "{{ repo_ssh_keypairs_principals }}"
   tags:
-    - repo_server-config
+    - always
 
-- include: repo_key_distribute.yml
-  when: groups.repo_all|length > 1
-  tags:
-    - repo_server-config
+# TODO (jrosser) Remove this task for the Z release
+- name: Remove legacy authorized keys file
+  file:
+    path: "{{ repo_service_home_folder }}/.ssh/authorized_keys"
+    state: absent
 
 - include: repo_sync_manager.yml
   when: inventory_hostname == groups['repo_all'][0]
diff --git a/tasks/repo_key_distribute.yml b/tasks/repo_key_distribute.yml
deleted file mode 100644
index 2521555..0000000
--- a/tasks/repo_key_distribute.yml
+++ /dev/null
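Review bot: The include_role vars set `ssh_keypairs_setup_hosst`, which looks like a typo for `ssh_keypairs_setup_host`, so `repo_ssh_keypairs_setup_host` (added in defaults/main.yml by this same change) is never passed to the role and whatever setup-host default the role carries applies instead; change it to `ssh_keypairs_setup_host: "{{ repo_ssh_keypairs_setup_host }}"`. The new `Remove legacy authorized keys file` task carries no tags, so a run limited to `--tags repo_server-config` executes the certificate include (tagged `always`) but skips this migration step; adding `tags: - repo_server-config` to it would keep the two in step. The task preceding the first added task starts outside the hunk.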
@@ -1,24 +0,0 @@
----
-# Copyright 2014, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-- name: Create authorized keys file from host vars
-  authorized_key:
-    user: "{{ repo_service_user_name }}"
-    key: "{{ hostvars[item]['repo_pubkey'] | b64decode }}"
-  with_items: "{{ groups['repo_all'] }}"
-  when: hostvars[item]['repo_pubkey'] is defined
-  tags:
-    - repo-key
-    - repo-key-store
diff --git a/tasks/repo_key_populate.yml b/tasks/repo_key_populate.yml
deleted file mode 100644
index 626f1ca..0000000
--- a/tasks/repo_key_populate.yml
+++ /dev/null
@@ -1,30 +0,0 @@
----
-# Copyright 2014, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-- name: Get public key contents and store as var
-  slurp:
-    src: "{{ repo_service_home_folder }}/.ssh/id_rsa.pub"
-  register: repo_pub
-  changed_when: false
-  tags:
-    - repo-key
-    - repo-key-create
-
-- name: Register a fact for the repo user pub key
-  set_fact:
-    repo_pubkey: "{{ repo_pub.content }}"
-  tags:
-    - repo-key
-    - repo-key-create
diff --git a/tasks/repo_post_install.yml b/tasks/repo_post_install.yml
index ec7085e..14321d9 100644
--- a/tasks/repo_post_install.yml
+++ b/tasks/repo_post_install.yml
@@ -19,21 +19,6 @@
     name: pack.threads
     value: '0'
 
-- name: Remove old key file(s) if found
-  file:
-    path: "{{ item }}"
-    state: "absent"
-  with_items:
-    - "{{ repo_service_home_folder }}/.ssh/authorized_keys"
-    - "{{ repo_service_home_folder }}/.ssh/id_rsa"
-    - "{{ repo_service_home_folder }}/.ssh/id_rsa.pub"
-  when: repo_recreate_keys | bool
-
-- name: Generate the nginx system user ssh key
-  user:
-    name: "{{ repo_service_user_name }}"
-    generate_ssh_key: "yes"
-
 - name: Enable SSHD
   systemd:
     name: "{{ repo_server_sshd }}"