From ed9f1d14a037ea98ae7acaf986785f21636433bd Mon Sep 17 00:00:00 2001 From: David Moreau Simard Date: Mon, 1 Apr 2019 09:56:47 -0400 Subject: [PATCH] Add parameter to upload-git-mirror to specify ssh host key If we attempt to push a mirror to a host we've never connected to before, it won't be in the SSH known hosts and the mirror will fail. This makes a new host_key parameter required and the role takes care of setting it up in the known_hosts for the duration of the job. Change-Id: I4bd40a289003fe3e88c9af4029576236c064fc3d Depends-On: https://review.openstack.org/#/c/649183/ --- roles/upload-git-mirror/README.rst | 7 ++++++- roles/upload-git-mirror/defaults/main.yaml | 3 ++- roles/upload-git-mirror/tasks/main.yaml | 15 ++++++++++++++- zuul.yaml | 7 ++++++- 4 files changed, 28 insertions(+), 4 deletions(-) diff --git a/roles/upload-git-mirror/README.rst b/roles/upload-git-mirror/README.rst index bc24cdf5e..2bb7f8ae1 100644 --- a/roles/upload-git-mirror/README.rst +++ b/roles/upload-git-mirror/README.rst @@ -20,11 +20,16 @@ superuser privileges to run. SSH host for the remote git repository - .. zuul:rolevar:: key + .. zuul:rolevar:: ssh_key Literal private key contents. Should start with something like ``-----BEGIN RSA PRIVATE KEY-----``. + .. zuul:rolevar:: host_key + + SSH host key of the remote git server. + Can be obtained with ``ssh-keyscan -H ``. + .. zuul:rolevar:: git_mirror_repository Path of the remote git repository diff --git a/roles/upload-git-mirror/defaults/main.yaml b/roles/upload-git-mirror/defaults/main.yaml index 84eb22142..145f0fd5b 100644 --- a/roles/upload-git-mirror/defaults/main.yaml +++ b/roles/upload-git-mirror/defaults/main.yaml @@ -3,7 +3,8 @@ # git_mirror_credentials: # user: # host: -# key: +# ssh_key: +# host_key: # Repository to replicate to # git_mirror_repository: diff --git a/roles/upload-git-mirror/tasks/main.yaml b/roles/upload-git-mirror/tasks/main.yaml index 06cbb00e8..4c3ee9203 100644 
--- a/roles/upload-git-mirror/tasks/main.yaml +++ b/roles/upload-git-mirror/tasks/main.yaml @@ -6,7 +6,7 @@ - name: Set up private key copy: - content: "{{ git_mirror_credentials.key }}" + content: "{{ git_mirror_credentials.ssh_key }}" dest: "{{ ssh_private_key_tmp.path }}" mode: 0600 @@ -26,6 +26,12 @@ mode: 0600 block: "{{ ssh_config }}" + - name: Add host key to known hosts + known_hosts: + state: present + name: "{{ git_mirror_credentials.host }}" + key: "{{ git_mirror_credentials.host_key }}" + - name: Mirror the git repository command: git push --mirror {{ git_mirror_credentials.user }}@{{ git_mirror_credentials.host }}:{{ git_mirror_repository }} args: @@ -45,3 +51,10 @@ mode: 0600 block: "{{ ssh_config }}" register: git_mirror_ssh_config_removed + + - name: Remove host key from known hosts + known_hosts: + state: absent + name: "{{ git_mirror_credentials.host }}" + key: "{{ git_mirror_credentials.host_key }}" + register: git_mirror_host_key_removed diff --git a/zuul.yaml b/zuul.yaml index 4a6683e82..e40dc09d0 100644 --- a/zuul.yaml +++ b/zuul.yaml @@ -68,11 +68,16 @@ SSH host for the remote git repository - .. zuul:jobvar:: key + .. zuul:jobvar:: ssh_key Literal private key contents. Should start with something like ``-----BEGIN RSA PRIVATE KEY-----``. + .. zuul:jobvar:: host_key + + SSH host key of the remote git server. + Can be obtained with ``ssh-keyscan -H ``. + .. zuul:jobvar:: git_mirror_repository Path of the remote git repository
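Review bot: The `Add host key to known hosts` task does not record whether it changed the file, so the `Remove host key from known hosts` task in the last hunk of this file would also delete a matching entry that was already present before the job ran. Registering the result here with `register: git_mirror_host_key_added` and guarding the removal with `when: git_mirror_host_key_added is changed` keeps the cleanup limited to what the role itself wrote. A short comment above the task would also help, for example `# Pin the server's host key so the push never has to accept an unknown key`, since this entry is what authenticates the remote before the private key is offered. The task list starts and ends outside the hunk, so which user and known_hosts file this applies to cannot be confirmed from here.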
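Review bot: Nothing visible in this hunk ensures that `Remove host key from known hosts` still runs when the `git push --mirror` step fails. The enclosing structure is outside the hunk and its indentation is lost in this rendering, so this needs checking: if the cleanup tasks are not under an `always:` section of a block, a failed push leaves the host entry on the node. `git_mirror_host_key_removed` is registered but never read in the visible lines. If a later check consumes the sibling `git_mirror_ssh_config_removed` result it should cover this one too; otherwise the `register:` line can be dropped.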