From e29049785cd51ebe140e0dbfdbc4b36372b28201 Mon Sep 17 00:00:00 2001
From: Jonathan Rosser
Date: Wed, 19 Jan 2022 05:19:08 -0500
Subject: [PATCH] Create ssh certificate authority

This happens once at the start of the deployment and the keys are stored on the deployment host.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/825113
Change-Id: I06bbf238321eb5d3e22b576b0797288d037e626d
---
 inventory/group_vars/all/ssh.yml | 30 ++++++++++++++++++++++++
 playbooks/certificate-ssh-authority.yml | 31 +++++++++++++++++++++++++
 playbooks/setup-hosts.yml | 1 +
 3 files changed, 62 insertions(+)
 create mode 100644 inventory/group_vars/all/ssh.yml
 create mode 100644 playbooks/certificate-ssh-authority.yml

diff --git a/inventory/group_vars/all/ssh.yml b/inventory/group_vars/all/ssh.yml
new file mode 100644
index 0000000000..8d785c91fb
--- /dev/null
+++ b/inventory/group_vars/all/ssh.yml
@@ -0,0 +1,30 @@ +--- +# Copyright 2022, BBC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +#the name for the SSH signing key +openstack_ssh_signing_key: "OpenStack-Ansible-SSH-Signing-Key" + +#override the setup host with this variable +#when not defined the default is 'localhost' +#openstack_ssh_keypairs_setup_host: 'my-ssh-setup-host' + +#directory on the ssh setup host to store ssh keypairs +openstack_ssh_keypairs_dir: "{{ openstack_config_dir }}/ssh_keypairs" + +#SSH signing key authority to create on the ssh setup host +openstack_ssh_keypairs_authorities: + - name: "{{ openstack_ssh_signing_key }}" + diff --git a/playbooks/certificate-ssh-authority.yml b/playbooks/certificate-ssh-authority.yml new file mode 100644 index 0000000000..f1c56fde9a --- /dev/null +++ b/playbooks/certificate-ssh-authority.yml 
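Review bot: The comment on `openstack_ssh_keypairs_dir` says it stores "ssh keypairs" but not that, with this change, the SSH certificate authority's private signing key presumably ends up there too (the paired playbook generates the authority from `openstack_ssh_keypairs_authorities` with every `ssh_keypairs_install_*` flag false), and that key is the trust root for every certificate later issued from it. I would extend that comment to `# directory on the ssh setup host for the CA signing key and keypairs; keep it readable only by the deployer and include it in backups of openstack_config_dir`, and add to the authority comment that replacing the signing key means certificates signed by the previous key stop being trusted wherever only the new one is installed. On style, yamllint's `comments` rule expects a space after `#` (`# the name for the SSH signing key`); the same applies to the other five comment lines in this hunk.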
@@ -0,0 +1,31 @@
+# Copyright 2022, BBC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Create SSHD CA
+ hosts: "{{ openstack_ssh_keypairs_setup_host | default('localhost') }}"
+ gather_facts: "{{ osa_gather_facts | default(True) }}"
+ tags:
+ - always
+ - sshd-ca
+ tasks:
+ - name: "Create SSHD certificate authority"
+ include_role:
+ name: openstack.osa.ssh_keypairs
+ vars:
+ ssh_keypairs_setup_host: "{{ openstack_ssh_keypairs_setup_host | default('localhost') }}"
+ ssh_keypairs_dir: "{{ openstack_ssh_keypairs_dir }}"
+ ssh_keypairs: "{{ openstack_ssh_keypairs_authorities }}"
+ ssh_keypairs_install_authorities: false
+ ssh_keypairs_install_keypairs: false
+ ssh_keypairs_install_authorized_keys: false
diff --git a/playbooks/setup-hosts.yml b/playbooks/setup-hosts.yml
index 48aaef9efc..ea6f607861 100644
--- a/playbooks/setup-hosts.yml
+++ b/playbooks/setup-hosts.yml
@@ -14,6 +14,7 @@
 # limitations under the License.
 - import_playbook: certificate-authority.yml
+- import_playbook: certificate-ssh-authority.yml
 - import_playbook: certificate-generate.yml
 - import_playbook: openstack-hosts-setup.yml
 - import_playbook: containers-deploy.yml
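Review bot: The new playbook opens directly with the license header, while `inventory/group_vars/all/ssh.yml` in this same change starts with `---`; for consistency with that file and yamllint's `document-start` rule I would add `---` as the first line. The play carries the `always` tag, so it executes on every `setup-hosts.yml` run regardless of `--tags`; that is only safe if `openstack.osa.ssh_keypairs` leaves an existing authority untouched rather than regenerating the signing key, which this hunk cannot show since the role lives in the Depends-On change. A play-level comment such as `# Runs on every invocation (tag always); the role must not replace an existing signing key` would make that assumption explicit for the next maintainer. The `ssh_keypairs_install_*: false` trio would likewise benefit from one comment stating that this play only mints the authority and that installation onto hosts is handled elsewhere, if that is indeed the intent.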