Add support for Ed25519 ssh keys

The Ed25519 public key algorithm is broadly deployed, and this commit adds support for it. Change-Id: I9300b3d5eb0bf351c094e1261dc56f990111934d
2023-07-07 14:02:43 +02:00 · 2023-07-07 14:02:43 +02:00 · 050523a3fb
commit 050523a3fb
parent 1eb61e7fc9
3 changed files with 36 additions and 20 deletions
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -226,14 +226,14 @@
 # [*nova_public_key*]
 #   (optional) Install public key in .ssh/authorized_keys for the 'nova' user.
 #   Expects a hash of the form { type => 'key-type', key => 'key-data' } where
-#   'key-type' is one of (ssh-rsa, ssh-dsa, ssh-ecdsa) and 'key-data' is the
-#   actual key data (e.g, 'AAAA...').
+#   'key-type' is one of (ssh-rsa, ssh-dsa, ssh-ecdsa, ssh-ed25519) and
+#   'key-data' is the actual key data (e.g, 'AAAA...').
 #
 # [*nova_private_key*]
 #   (optional) Install private key into .ssh/id_rsa (or appropriate equivalent
 #   for key type).  Expects a hash of the form { type => 'key-type', key =>
-#   'key-data' }, where 'key-type' is one of (ssh-rsa, ssh-dsa, ssh-ecdsa) and
-#   'key-data' is the contents of the private key file.
+#   'key-data' }, where 'key-type' is one of (ssh-rsa, ssh-dsa, ssh-ecdsa,
+#   ssh-ed25519) and 'key-data' is the contents of the private key file.
 #
 # [*ssl_only*]
 #   (optional) Disallow non-encrypted connections.
@ -505,15 +505,16 @@ in a future release.")
      }

      $nova_private_key_file = $nova_private_key['type'] ? {
-        'ssh-rsa'   => '/var/lib/nova/.ssh/id_rsa',
-        'ssh-dsa'   => '/var/lib/nova/.ssh/id_dsa',
-        'ssh-ecdsa' => '/var/lib/nova/.ssh/id_ecdsa',
-        default     => undef
+        'ssh-rsa'     => '/var/lib/nova/.ssh/id_rsa',
+        'ssh-dsa'     => '/var/lib/nova/.ssh/id_dsa',
+        'ssh-ecdsa'   => '/var/lib/nova/.ssh/id_ecdsa',
+        'ssh-ed25519' => '/var/lib/nova/.ssh/id_ed25519',
+        default       => undef
      }

      if ! $nova_private_key_file {
        fail("Unable to determine name of private key file.  Type specified was '${nova_private_key['type']}' \
-but should be one of: ssh-rsa, ssh-dsa, ssh-ecdsa.")
+but should be one of: ssh-rsa, ssh-dsa, ssh-ecdsa, ssh-ed25519.")
      }

      file { $nova_private_key_file:
--- a/releasenotes/notes/ed25519-key-ce510b4bbbd172b5.yaml
+++ b/releasenotes/notes/ed25519-key-ce510b4bbbd172b5.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - |
+    The ``nova::nova_private_key`` parameter now supports the ``ssh-ed25519``
+    type.
--- a/spec/classes/nova_init_spec.rb
+++ b/spec/classes/nova_init_spec.rb
@ -333,18 +333,28 @@ describe 'nova' do
      end
    end

-    context 'with ssh private key' do
-      let :params do
-        {
-          :nova_private_key => {'type' => 'ssh-rsa',
-                                'key'  => 'keydata'}
-        }
-      end
+    {
+      'ssh-rsa'     => 'id_rsa',
+      'ssh-dsa'     => 'id_dsa',
+      'ssh-ecdsa'   => 'id_ecdsa',
+      'ssh-ed25519' => 'id_ed25519'
+    }.each do |keytype, keyname|
+      context "with ssh private key(#{keytype})" do
+        let :params do
+          {
+            :nova_private_key => {'type' => keytype,
+                                  'key'  => 'keydata'}
+          }
+        end

-      it 'should install ssh private key' do
-        is_expected.to contain_file('/var/lib/nova/.ssh/id_rsa').with(
-          :content => 'keydata'
-        )
+        it 'should install ssh private key' do
+          is_expected.to contain_file("/var/lib/nova/.ssh/#{keyname}").with(
+            :content => 'keydata',
+            :mode    => '0600',
+            :owner   => 'nova',
+            :group   => 'nova',
+          )
+        end
      end
    end