Allow Zuul to log into bridge

Allow post-review jobs running under system-config and project-config
to ssh into bridge in order to run Ansible.

Change-Id: I841f87425349722ee69e2f4265b99b5ee0b5a2c8

playbooks/bridge.yaml

@@ -7,3 +7,12 @@
     - root-keys
     - ansible-cron
     - cloud-launcher-cron
+  tasks:
+    - name: Allow Zuul to trigger Ansible
+      authorized_key:
+        state: present
+        user: root
+        key: "{{ item }}"
+      loop:
+        - "https://zuul.openstack.org/api/project-ssh-key/openstack-infra/system-config.pub"
+        - "https://zuul.openstack.org/api/project-ssh-key/openstack-infra/project-config.pub"

playbooks/host_vars/bridge.openstack.org.yaml

@@ -1 +1,2 @@
 ansible_python_interpreter: python3
+bastion_key_exclusive: false

playbooks/roles/base-server/README.rst

@@ -2,4 +2,8 @@ Basic common server configuration
 
 **Role Variables**
 
-* None
+.. zuul:rolevar:: bastion_key_exclusive
+   :default: True
+
+   Whether the bastion ssh key is the only key allowed to ssh in as
+   root.

playbooks/roles/base-server/defaults/main.yaml

@@ -1,6 +1,7 @@
 bastion_ipv4: 23.253.245.198,23.253.234.219
 bastion_ipv6: 2001:4800:7818:101:3c21:a454:23ed:4072,2001:4800:7817:103:be76:4eff:fe04:5a1d
 bastion_public_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSLlN41ftgxkNeUi/kATYPwMPjJdMaSbgokSb9PSkRPZE7GeNai60BCfhu+ky8h5eMe70Bpwb7mQ7GAtHGXPNU1SRBPhMuVN9EYrQbt5KSiwuiTXtQHsWyYrSKtB+XGbl2PhpMQ/TPVtFoL5usxu/MYaakVkCEbt5IbPYNg88/NKPixicJuhi0qsd+l1X1zoc1+Fn87PlwMoIgfLIktwaL8hw9mzqr+pPcDIjCFQQWnjqJVEObOcMstBT20XwKj/ymiH+6p123nnlIHilACJzXhmIZIZO+EGkNF7KyXpcBSfv9efPI+VCE2TOv/scJFdEHtDFkl2kdUBYPC0wQ92rp puppet-remote-2014-09-15
+bastion_key_exclusive: true
 base_packages:
   - at
   - git

playbooks/roles/base-server/tasks/main.yaml

@@ -33,7 +33,7 @@
   authorized_key:
     state: present
     user: root
-    exclusive: yes
+    exclusive: "{{ bastion_key_exclusive }}"
     key: "{{ bastion_public_key }}"
     key_options: |
       from="{{ bastion_ipv4 }},{{ bastion_ipv6 }},localhost"

testinfra/test_bridge.py

@@ -49,3 +49,12 @@ def test_cloud_launcher_cron(host):
     with host.sudo():
         crontab = host.check_output('crontab -l')
         assert 'run_cloud_launcher.sh' in crontab
+
+
+def test_authorized_keys(host):
+    authorized_keys = host.file('/root/.ssh/authorized_keys')
+    assert authorized_keys.exists
+
+    content = authorized_keys.content.decode('utf8')
+    lines = content.split('\n')
+    assert len(lines) >= 3