bastion host: add global known_hosts values

Write out the ssh host keys from the inventory as part of the bastion host bootstrap. Change-Id: I0823c09165c445e9178c75ac5083f1988e8d3055
2022-10-27 11:35:39 +11:00 · 2022-10-27 11:35:39 +11:00 · d03f4b1f22
commit d03f4b1f22
parent 618708b42a
4 changed files with 50 additions and 0 deletions
--- a/playbooks/bootstrap-bridge.yaml
+++ b/playbooks/bootstrap-bridge.yaml
@ -97,3 +97,7 @@
        BRIDGE_INVENTORY: '{{ "-i/home/zuul/bastion-inventory.ini" if root_rsa_key is defined else "" }}'
        ANSIBLE_ROLES_PATH: '/home/zuul/src/opendev.org/opendev/system-config/playbooks/roles'
      no_log: true
    - name: Setup global known_hosts
      include_role:
        name: add-inventory-known-hosts
--- a/playbooks/roles/add-inventory-known-hosts/README.rst
+++ b/playbooks/roles/add-inventory-known-hosts/README.rst
@ -0,0 +1 @@
 Add the host keys from inventory to global known_hosts
--- a/playbooks/roles/add-inventory-known-hosts/tasks/main.yaml
+++ b/playbooks/roles/add-inventory-known-hosts/tasks/main.yaml
@ -0,0 +1,31 @@
 - name: Load the current inventory from bridge
  slurp:
    src: '/home/zuul/src/opendev.org/opendev/system-config/inventory/base/hosts.yaml'
  register: _bridge_inventory_encoded
 - name: Turn inventory into variable
  set_fact:
    _bridge_inventory: '{{ _bridge_inventory_encoded.content | b64decode | from_yaml }}'
 - name: Build known_hosts list
  set_fact:
    bastion_known_hosts: >-
        [
        {%- for host, values in _bridge_inventory['all']['hosts'].items() -%}
        {%   for key in values['host_keys'] %}
        '{{ host }},{{ values.public_v4 }}{{ "," + values.public_v6 if 'public_v6' in values}} {{ key }}',
        {%   endfor %}
        {%- endfor -%}
        ]
 - name: Write out values to /etc/ssh/ssh_known_hosts
  blockinfile:
    path: '/etc/ssh/ssh_known_hosts'
    block: |
      {% for entry in bastion_known_hosts %}
      {{ entry }}
      {% endfor %}
    owner: root
    group: root
    mode: 0644
    create: yes
--- a/testinfra/test_bridge.py
+++ b/testinfra/test_bridge.py
@ -102,3 +102,17 @@ def test_rax_dns_backup(host):
    output_dir = host.file('/var/lib/rax-dns-backup')
    assert output_dir.exists
 def test_ssh_known_hosts(host):
    f = host.file('/etc/ssh/ssh_known_hosts')
    assert f.exists
    assert f.is_file
    assert f.user == 'root'
    assert f.group == 'root'
    assert f.mode == 0o644
    # Nothing special about this host, just testing it has an entry we
    # expect.
    assert b'bridge01.opendev.org,104.130.253.34,2001:4800:7818:103:be76:4eff:fe04:48c1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGG6WTR3dkhn766C69IRcLNN1Oxx7WMrcNsN03r+uZbU' in f.content
		`@ -0,0 +1 @@`
							`Add the host keys from inventory to global known_hosts`