bastion host: add global known_hosts values

Write out the ssh host keys from the inventory as part of the bastion
host bootstrap.

Change-Id: I0823c09165c445e9178c75ac5083f1988e8d3055
This commit is contained in:
Ian Wienand 2022-10-27 11:35:39 +11:00
parent 618708b42a
commit d03f4b1f22
No known key found for this signature in database
4 changed files with 50 additions and 0 deletions

View File

@ -97,3 +97,7 @@
BRIDGE_INVENTORY: '{{ "-i/home/zuul/bastion-inventory.ini" if root_rsa_key is defined else "" }}' BRIDGE_INVENTORY: '{{ "-i/home/zuul/bastion-inventory.ini" if root_rsa_key is defined else "" }}'
ANSIBLE_ROLES_PATH: '/home/zuul/src/opendev.org/opendev/system-config/playbooks/roles' ANSIBLE_ROLES_PATH: '/home/zuul/src/opendev.org/opendev/system-config/playbooks/roles'
no_log: true no_log: true
- name: Setup global known_hosts
include_role:
name: add-inventory-known-hosts

View File

@ -0,0 +1 @@
Add the host keys from inventory to global known_hosts

View File

@ -0,0 +1,31 @@
- name: Load the current inventory from bridge
slurp:
src: '/home/zuul/src/opendev.org/opendev/system-config/inventory/base/hosts.yaml'
register: _bridge_inventory_encoded
- name: Turn inventory into variable
set_fact:
_bridge_inventory: '{{ _bridge_inventory_encoded.content | b64decode | from_yaml }}'
- name: Build known_hosts list
set_fact:
bastion_known_hosts: >-
[
{%- for host, values in _bridge_inventory['all']['hosts'].items() -%}
{% for key in values['host_keys'] %}
'{{ host }},{{ values.public_v4 }}{{ "," + values.public_v6 if 'public_v6' in values}} {{ key }}',
{% endfor %}
{%- endfor -%}
]
- name: Write out values to /etc/ssh/ssh_known_hosts
blockinfile:
path: '/etc/ssh/ssh_known_hosts'
block: |
{% for entry in bastion_known_hosts %}
{{ entry }}
{% endfor %}
owner: root
group: root
mode: 0644
create: yes

View File

@ -102,3 +102,17 @@ def test_rax_dns_backup(host):
output_dir = host.file('/var/lib/rax-dns-backup') output_dir = host.file('/var/lib/rax-dns-backup')
assert output_dir.exists assert output_dir.exists
def test_ssh_known_hosts(host):
f = host.file('/etc/ssh/ssh_known_hosts')
assert f.exists
assert f.is_file
assert f.user == 'root'
assert f.group == 'root'
assert f.mode == 0o644
# Nothing special about this host, just testing it has an entry we
# expect.
assert b'bridge01.opendev.org,104.130.253.34,2001:4800:7818:103:be76:4eff:fe04:48c1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGG6WTR3dkhn766C69IRcLNN1Oxx7WMrcNsN03r+uZbU' in f.content