Use ssh_keypairs role to generate keys for repo sync
This uses ssh signed certificates so there is no longer the need to distribute the repo_server public key from each repo_server to all other repo_servers. The legacy scripts and authorized key files are removed as a migration step. Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/836377 Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/825292 Change-Id: I27770f3a781bdf62d2a37659e087b12db2fb459e
This commit is contained in:
parent
ee0a6d5b37
commit
8bdf307151
|
@ -43,10 +43,6 @@ repo_service_home_folder: /var/www
|
||||||
repo_service_user_name: nginx
|
repo_service_user_name: nginx
|
||||||
repo_service_group_name: www-data
|
repo_service_group_name: www-data
|
||||||
|
|
||||||
# If you want to regenerate the repo users SSH keys, on each run, set this var to True
|
|
||||||
# Otherwise keys will be generated on the first run and not regenerated each run.
|
|
||||||
repo_recreate_keys: False
|
|
||||||
|
|
||||||
# Main web server port
|
# Main web server port
|
||||||
repo_server_bind_address: "{{ openstack_service_bind_address | default('0.0.0.0') }}"
|
repo_server_bind_address: "{{ openstack_service_bind_address | default('0.0.0.0') }}"
|
||||||
repo_server_port: 8181
|
repo_server_port: 8181
|
||||||
|
@ -60,3 +56,33 @@ repo_build_global_links_dirname: links
|
||||||
# directory placed by the deployer will also be transferred
|
# directory placed by the deployer will also be transferred
|
||||||
repo_upper_constraints_path: "/etc/openstack_deploy/upper-constraints"
|
repo_upper_constraints_path: "/etc/openstack_deploy/upper-constraints"
|
||||||
|
|
||||||
|
# Delegated host for operating the ssh certificate authority
|
||||||
|
repo_ssh_keypairs_setup_host: "{{ openstack_ssh_keypairs_setup_host | default('localhost') }}"
|
||||||
|
|
||||||
|
# directory on the setup host to create and store SSH keypairs
|
||||||
|
repo_ssh_keypairs_dir: "{{ openstack_ssh_keypairs_dir | default('/etc/openstack_deploy/ssh_keypairs') }}"
|
||||||
|
|
||||||
|
#Each repo host needs a signed ssh certificate to log into the others
|
||||||
|
repo_ssh_keypairs:
|
||||||
|
- name: "repo-{{ inventory_hostname }}"
|
||||||
|
cert:
|
||||||
|
signed_by: "{{ openstack_ssh_signing_key }}"
|
||||||
|
principals: "{{ repo_ssh_key_principals | default('repo') }}"
|
||||||
|
valid_from: "{{ repo_ssh_key_valid_from | default('always') }}"
|
||||||
|
valid_to: "{{ repo_ssh_key_valid_to | default('forever') }}"
|
||||||
|
|
||||||
|
#Each repo host needs the signed ssh certificate installing to the repo_server user
|
||||||
|
repo_ssh_keypairs_install_keys:
|
||||||
|
owner: "{{ repo_service_user_name }}"
|
||||||
|
group: "{{ repo_service_group_name }}"
|
||||||
|
keys:
|
||||||
|
- cert: "repo-{{ inventory_hostname }}"
|
||||||
|
dest: "{{ repo_service_home_folder }}/.ssh/id_rsa"
|
||||||
|
|
||||||
|
#Each repo host must trust the SSHD certificate authoritiy in the sshd configuration
|
||||||
|
repo_ssh_keypairs_install_ca: "{{ openstack_ssh_keypairs_authorities }}"
|
||||||
|
|
||||||
|
#Each repo host must allow SSH certificates with the appropriate principal to log into the repo_server user
|
||||||
|
repo_ssh_keypairs_principals:
|
||||||
|
- user: "{{ repo_service_user_name }}"
|
||||||
|
principals: "{{ repo_ssh_key_principals | default(['repo']) }}"
|
||||||
|
|
|
@ -36,14 +36,29 @@
|
||||||
tags:
|
tags:
|
||||||
- repo_server-config
|
- repo_server-config
|
||||||
|
|
||||||
- include: repo_key_populate.yml
|
- name: Create ssh keys for synchronising repo contents
|
||||||
|
include_role:
|
||||||
|
name: openstack.osa.ssh_keypairs
|
||||||
|
args:
|
||||||
|
apply:
|
||||||
|
tags:
|
||||||
|
- repo-key
|
||||||
|
- repo_server-config
|
||||||
|
vars:
|
||||||
|
ssh_keypairs_setup_hosst: "{{ repo_ssh_keypairs_setup_host }}"
|
||||||
|
ssh_keypairs_dir: "{{ repo_ssh_keypairs_dir }}"
|
||||||
|
ssh_keypairs: "{{ repo_ssh_keypairs }}"
|
||||||
|
ssh_keypairs_install_keys: "{{ repo_ssh_keypairs_install_keys }}"
|
||||||
|
ssh_keypairs_install_ca: "{{ repo_ssh_keypairs_install_ca }}"
|
||||||
|
ssh_keypairs_principals: "{{ repo_ssh_keypairs_principals }}"
|
||||||
tags:
|
tags:
|
||||||
- repo_server-config
|
- always
|
||||||
|
|
||||||
- include: repo_key_distribute.yml
|
# TODO (jrosser) Remove this task for the Z release
|
||||||
when: groups.repo_all|length > 1
|
- name: Remove legacy authorized keys file
|
||||||
tags:
|
file:
|
||||||
- repo_server-config
|
path: "{{ repo_service_home_folder }}/.ssh/authorized_keys"
|
||||||
|
state: absent
|
||||||
|
|
||||||
- include: repo_sync_manager.yml
|
- include: repo_sync_manager.yml
|
||||||
when: inventory_hostname == groups['repo_all'][0]
|
when: inventory_hostname == groups['repo_all'][0]
|
||||||
|
|
|
@ -1,24 +0,0 @@
|
||||||
---
|
|
||||||
# Copyright 2014, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
- name: Create authorized keys file from host vars
|
|
||||||
authorized_key:
|
|
||||||
user: "{{ repo_service_user_name }}"
|
|
||||||
key: "{{ hostvars[item]['repo_pubkey'] | b64decode }}"
|
|
||||||
with_items: "{{ groups['repo_all'] }}"
|
|
||||||
when: hostvars[item]['repo_pubkey'] is defined
|
|
||||||
tags:
|
|
||||||
- repo-key
|
|
||||||
- repo-key-store
|
|
|
@ -1,30 +0,0 @@
|
||||||
---
|
|
||||||
# Copyright 2014, Rackspace US, Inc.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
- name: Get public key contents and store as var
|
|
||||||
slurp:
|
|
||||||
src: "{{ repo_service_home_folder }}/.ssh/id_rsa.pub"
|
|
||||||
register: repo_pub
|
|
||||||
changed_when: false
|
|
||||||
tags:
|
|
||||||
- repo-key
|
|
||||||
- repo-key-create
|
|
||||||
|
|
||||||
- name: Register a fact for the repo user pub key
|
|
||||||
set_fact:
|
|
||||||
repo_pubkey: "{{ repo_pub.content }}"
|
|
||||||
tags:
|
|
||||||
- repo-key
|
|
||||||
- repo-key-create
|
|
|
@ -19,21 +19,6 @@
|
||||||
name: pack.threads
|
name: pack.threads
|
||||||
value: '0'
|
value: '0'
|
||||||
|
|
||||||
- name: Remove old key file(s) if found
|
|
||||||
file:
|
|
||||||
path: "{{ item }}"
|
|
||||||
state: "absent"
|
|
||||||
with_items:
|
|
||||||
- "{{ repo_service_home_folder }}/.ssh/authorized_keys"
|
|
||||||
- "{{ repo_service_home_folder }}/.ssh/id_rsa"
|
|
||||||
- "{{ repo_service_home_folder }}/.ssh/id_rsa.pub"
|
|
||||||
when: repo_recreate_keys | bool
|
|
||||||
|
|
||||||
- name: Generate the nginx system user ssh key
|
|
||||||
user:
|
|
||||||
name: "{{ repo_service_user_name }}"
|
|
||||||
generate_ssh_key: "yes"
|
|
||||||
|
|
||||||
- name: Enable SSHD
|
- name: Enable SSHD
|
||||||
systemd:
|
systemd:
|
||||||
name: "{{ repo_server_sshd }}"
|
name: "{{ repo_server_sshd }}"
|
||||||
|
|
Loading…
Reference in New Issue