Use ssh_keypairs role to generate fernet sync ssh keys

This uses ssh signed certificates so there is no longer the need to distribute the keystone public key from each keystone host to all other keystone hosts. The legacy scripts and authorized key files are removed as a migration step. Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/836377 Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/825292 Change-Id: If39df0cc80860576abac1830d5cfc66ca50fc655
2022-01-31 08:41:25 -05:00 · 2022-01-31 08:41:25 -05:00 · 19af9dabc8
commit 19af9dabc8
parent eb47b6d160
6 changed files with 60 additions and 74 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -291,9 +291,6 @@ keystone_ldap: {}
 keystone_ldap_domain_config_dir: /etc/keystone/domains


-# If you want to regenerate the keystone users SSH keys, on each run, set this var to True
-# Otherwise keys will be generated on the first run and not regenerated each run.
-keystone_recreate_keys: False

 ## Policy vars
 # Provide a list of access controls to update the default policy.json with. These changes will be merged
@ -560,3 +557,34 @@ keystone_set_real_ip_from: []
 # doing upgrades, but should not usually be required.
 # ref: https://bugs.launchpad.net/openstack-ansible/+bug/1793389
 keystone_flush_memcache: no
+
+# host which holds the ssh certificate authority
+keystone_ssh_keypairs_setup_host: "{{ openstack_ssh_keypairs_setup_host | default('localhost') }}"
+
+# directory on the deploy host to create and store SSH keypairs
+keystone_ssh_keypairs_dir: "{{ openstack_ssh_keypairs_dir }}"
+
+#Each keystone host needs a signed ssh certificate to log into the others
+keystone_ssh_keypairs:
+  - name: "keystone-{{ inventory_hostname }}"
+    cert:
+      signed_by: "{{ openstack_ssh_signing_key }}"
+      principals: "{{ keystone_ssh_key_principals | default('keystone') }}"
+      valid_from: "{{ keystone_ssh_key_valid_from | default('always') }}"
+      valid_to: "{{ keystone_ssh_key_valid_to | default('forever') }}"
+
+#Each keystone host needs the signed ssh certificate installing to the keystone user
+keystone_ssh_keypairs_install_keys:
+  owner: "{{ keystone_system_user_name }}"
+  group: "{{ keystone_system_group_name }}"
+  keys:
+    - cert: "keystone-{{ inventory_hostname }}"
+      dest: "{{ keystone_system_user_home }}/.ssh/id_rsa"
+
+#Each compute host must trust the SSHD certificate authoritiy in the sshd configuration
+keystone_ssh_keypairs_install_ca: "{{ openstack_ssh_keypairs_authorities }}"
+
+#Each compute host must allow SSH certificates with the appropriate principal to log into the keystone user
+keystone_ssh_keypairs_principals:
+  - user: "{{ keystone_system_user_name }}"
+    principals: "{{ keystone_ssh_key_principals | default(['keystone']) }}"
--- a/tasks/keystone_key_distribute.yml
+++ b/tasks/keystone_key_distribute.yml
@ -1,22 +0,0 @@
---
-# Copyright 2015, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
- name: Create authorized keys file from host vars
-  authorized_key:
-    user: "{{ keystone_system_user_name }}"
-    key: "{{ keystone_pubkey | b64decode }}"
-  when: _keystone_is_first_play_host
-  delegate_to: "{{ item }}"
-  with_items: "{{ ansible_play_hosts }}"
--- a/tasks/keystone_key_populate.yml
+++ b/tasks/keystone_key_populate.yml
@ -1,25 +0,0 @@
---
-# Copyright 2014, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
- name: Get public key contents and store as var
-  slurp:
-    src: "{{ keystone_system_user_home }}/.ssh/id_rsa.pub"
-  register: keystone_pub
-  changed_when: false
-
- name: Register a fact for the keystone pub key
-  set_fact:
-     keystone_pubkey: "{{ ansible_play_batch | map('extract', hostvars, 'keystone_pub') | map(attribute='content') | map('b64decode') | join('\n') | b64encode }}"
-  when: _keystone_is_first_play_host
--- a/tasks/keystone_key_setup.yml
+++ b/tasks/keystone_key_setup.yml
@ -13,6 +13,33 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- include_tasks: keystone_key_populate.yml
+- name: Ensure .ssh directory is present
+  file:
+    state: directory
+    path: "{{ keystone_system_user_home }}/.ssh"
+    owner: "{{ keystone_system_user_name }}"
+    group: "{{ keystone_system_group_name }}"
+    mode: '0755'

- include_tasks: keystone_key_distribute.yml
+- name: Create ssh keys for synchronising fernet keys
+  include_role:
+    name: openstack.osa.ssh_keypairs
+  args:
+    apply:
+      tags:
+        - keystone-key
+  vars:
+      ssh_keypairs_setup_host: "{{ keystone_ssh_keypairs_setup_host }}"
+      ssh_keypairs_dir: "{{ keystone_ssh_keypairs_dir }}"
+      ssh_keypairs: "{{ keystone_ssh_keypairs }}"
+      ssh_keypairs_install_keys: "{{ keystone_ssh_keypairs_install_keys }}"
+      ssh_keypairs_install_ca: "{{ keystone_ssh_keypairs_install_ca }}"
+      ssh_keypairs_principals: "{{ keystone_ssh_keypairs_principals }}"
+  tags:
+    - always
+
+# TODO (jrosser) Remove this task for the Z release
+- name: Remove legacy authorized keys file
+  file:
+    path: "{{ keystone_system_user_name }}/.ssh/authorized_keys"
+    state: absent
--- a/tasks/keystone_post_install.yml
+++ b/tasks/keystone_post_install.yml
@ -27,14 +27,6 @@
  with_items: "{{ ansible_play_hosts }}"
  when: _keystone_is_first_play_host

- name: Generate the keystone system user ssh key
-  user:
-    name: "{{ keystone_system_user_name }}"
-    generate_ssh_key: "yes"
-  delegate_to: "{{ item }}"
-  with_items: "{{ ansible_play_hosts }}"
-  when: _keystone_is_first_play_host
-
 - name: Copy keystone configuration files
  openstack.config_template.config_template:
    src: "keystone.conf.j2"
--- a/tasks/keystone_pre_install.yml
+++ b/tasks/keystone_pre_install.yml
@ -33,20 +33,6 @@
    - "{{ keystone_system_additional_groups }}"
  when: _keystone_is_first_play_host

- name: Remove old key file(s) if found
-  file:
-    path: "{{ item[1] }}"
-    state: "absent"
-  with_nested:
-    - "{{ ansible_play_hosts }}"
-    - - "{{ keystone_system_user_home }}/.ssh/authorized_keys"
-      - "{{ keystone_system_user_home }}/.ssh/id_rsa"
-      - "{{ keystone_system_user_home }}/.ssh/id_rsa.pub"
-  when:
-    - keystone_recreate_keys | bool
-    - _keystone_is_first_play_host
-  delegate_to: "{{ item[0] }}"
-
 - name: Create the keystone system user
  user:
    name: "{{ keystone_system_user_name }}"