Merge "Create ssh certificate authority"

2022-03-21 20:48:42 +00:00 · 2022-03-21 20:48:42 +00:00 · 6ae7806fdd
commit 6ae7806fdd
parent 1a288c63cb e29049785c
3 changed files with 62 additions and 0 deletions
--- a/inventory/group_vars/all/ssh.yml
+++ b/inventory/group_vars/all/ssh.yml
@ -0,0 +1,30 @@
+---
+# Copyright 2022, BBC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+#the name for the SSH signing key
+openstack_ssh_signing_key: "OpenStack-Ansible-SSH-Signing-Key"
+
+#override the setup host with this variable
+#when not defined the default is 'localhost'
+#openstack_ssh_keypairs_setup_host: 'my-ssh-setup-host'
+
+#directory on the ssh setup host to store ssh keypairs
+openstack_ssh_keypairs_dir: "{{ openstack_config_dir }}/ssh_keypairs"
+
+#SSH signing key authority to create on the ssh setup host
+openstack_ssh_keypairs_authorities:
+  - name: "{{ openstack_ssh_signing_key }}"
+
--- a/playbooks/certificate-ssh-authority.yml
+++ b/playbooks/certificate-ssh-authority.yml
@ -0,0 +1,31 @@
+# Copyright 2022, BBC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Create SSHD CA
+  hosts: "{{ openstack_ssh_keypairs_setup_host | default('localhost') }}"
+  gather_facts: "{{ osa_gather_facts | default(True) }}"
+  tags:
+    - always
+    - sshd-ca
+  tasks:
+    - name: "Create SSHD certificate authority"
+      include_role:
+        name: openstack.osa.ssh_keypairs
+      vars:
+        ssh_keypairs_setup_host: "{{ openstack_ssh_keypairs_setup_host | default('localhost') }}"
+        ssh_keypairs_dir: "{{ openstack_ssh_keypairs_dir }}"
+        ssh_keypairs: "{{ openstack_ssh_keypairs_authorities }}"
+        ssh_keypairs_install_authorities: false
+        ssh_keypairs_install_keypairs: false
+        ssh_keypairs_install_authorized_keys: false
--- a/playbooks/setup-hosts.yml
+++ b/playbooks/setup-hosts.yml
@ -14,6 +14,7 @@
 # limitations under the License.

 - import_playbook: certificate-authority.yml
+- import_playbook: certificate-ssh-authority.yml
 - import_playbook: certificate-generate.yml
 - import_playbook: openstack-hosts-setup.yml
 - import_playbook: containers-deploy.yml