From 68fc8d30573b28914d9ccec12966f644807c2afb Mon Sep 17 00:00:00 2001
From: Mark Goddard
Date: Thu, 12 Apr 2018 18:28:32 +0100
Subject: [PATCH] Make kayobe ansible user bootstrap optional

The bootstrap user may be used to create the kayobe user account and configure passwordless sudo. We can't assume that the bootstrap user account will exist after the initial bootstrapping, or that the current operator's key is authorised for the bootstrap user. We therefore attempt to access the kayobe user account via SSH, and only perform the bootstrap process if the account is inaccessible. This change also adds some tasks to verify that the kayobe ansible user is accessible and has passwordless sudo configured.

Change-Id: Ibdab0053caa2db71df2fd03cc8a598ae5aac73c9
Story: 2001659
Task: 6692
---
 ansible/kayobe-ansible-user.yml | 56 ++++++++++++++++++++++++++++++++-
 1 file changed, 55 insertions(+), 1 deletion(-)
diff --git a/ansible/kayobe-ansible-user.yml b/ansible/kayobe-ansible-user.yml
index 8d8d3f8fc..f01c06abf 100644
--- a/ansible/kayobe-ansible-user.yml
+++ b/ansible/kayobe-ansible-user.yml
@@ -1,6 +1,41 @@
 ---
-- name: Ensure the Kayobe Ansible user account exists
+# NOTE(mgoddard): The bootstrap user may be used to create the kayobe user
+# account and configure passwordless sudo. We can't assume that the bootstrap
+# user account will exist after the initial bootstrapping, or that the
+# current operator's key is authorised for the bootstrap user. We therefore
+# attempt to access the kayobe user account via SSH, and only perform the
+# bootstrap process if the account is inaccessible.
+
+- name: Determine whether user bootstrapping is required
   hosts: seed:overcloud
+  gather_facts: false
+  tags:
+    - kayobe-ansible-user
+  tasks:
+    - name: Check whether the host is accessible via SSH
+      local_action:
+        module: command ssh -p {{ ssh_port }} {{ ssh_user }}@{{ ssh_host }} hostname
+      failed_when: false
+      changed_when: false
+      register: ssh_result
+      vars:
+        ssh_user: "{{ ansible_user }}"
+        ssh_host: "{{ ansible_host | default(inventory_hostname) }}"
+        ssh_port: "{{ ansible_ssh_port | default('22') }}"
+
+    - name: Group hosts requiring kayobe user bootstrapping
+      group_by:
+        key: kayobe_user_bootstrap_required_{{ ssh_result.rc != 0 }}
+
+    - name: Display a message when bootstrapping is required
+      debug:
+        msg: >
+          Cannot access host via SSH using Kayobe Ansible user account -
+          attempting bootstrap
+      when: ssh_result.rc != 0
+
+- name: Ensure the Kayobe Ansible user account exists
+  hosts: kayobe_user_bootstrap_required_True
   tags:
     - kayobe-ansible-user
   vars:
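Review bot: The SSH probe in "Check whether the host is accessible via SSH" invokes a bare `ssh` with only user, host and port, so it runs without `BatchMode` and without a connect timeout: on a host where key auth is refused, ssh may fall back to an interactive password or host-key prompt, and on an unreachable host the task waits for the OS-level TCP timeout before `ssh_result.rc` is set. Because the command also ignores Ansible's own connection settings (for example `ansible_ssh_private_key_file` or `ansible_ssh_common_args`), the probe can reach a different verdict than the connection the later plays actually use; that divergence is probably harmless when it merely triggers an unnecessary bootstrap, but worth noting in the NOTE comment. I would change the module line to `module: command ssh -o BatchMode=yes -o ConnectTimeout=10 {{ ssh_user }}@{{ ssh_host }} -p {{ ssh_port }} hostname` so that a failed key exchange fails fast and deterministically rather than prompting. The play "Ensure the Kayobe Ansible user account exists" continues past the end of this hunk.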
@@ -25,3 +60,22 @@
       dest: "/etc/sudoers.d/kayobe-ansible-user"
       mode: 0440
       become: True
+
+- name: Verify that the Kayobe Ansible user account is accessible
+  hosts: seed:overcloud
+  gather_facts: false
+  tags:
+    - kayobe-ansible-user
+  vars:
+    # We can't assume that a virtualenv exists at this point, so use the system
+    # python interpreter.
+    ansible_python_interpreter: /usr/bin/python
+  tasks:
+    - name: Verify that a command can be executed
+      command: hostname
+      changed_when: false
+
+    - name: Verify that a command can be executed with become
+      command: hostname
+      changed_when: false
+      become: true