diff --git a/tripleo_ansible/playbooks/cli-enable-ssh-admin.yaml b/tripleo_ansible/playbooks/cli-enable-ssh-admin.yaml
index 578f0fc05..e84acb878 100644
--- a/tripleo_ansible/playbooks/cli-enable-ssh-admin.yaml
+++ b/tripleo_ansible/playbooks/cli-enable-ssh-admin.yaml
@@ -21,6 +21,7 @@
 any_errors_fatal: true
 vars:
 BlacklistedIpAddresses: []
+ distribute_private_key: false
 handlers:
 - name: Remove mistral tmp file
 file:
@@ -226,7 +227,7 @@
 - role: tripleo_create_admin
 tripleo_admin_user: tripleo-admin
 tripleo_admin_pubkey: "{{ user_public_key }}"
-
+ tripleo_admin_prikey: "{{ user_private_key }}"
 - name: Validate TripleO Admin Access
 hosts: localhost:tripleo_queues
diff --git a/tripleo_ansible/roles/tripleo_create_admin/defaults/main.yml b/tripleo_ansible/roles/tripleo_create_admin/defaults/main.yml
index 920693b4c..30489608c 100644
--- a/tripleo_ansible/roles/tripleo_create_admin/defaults/main.yml
+++ b/tripleo_ansible/roles/tripleo_create_admin/defaults/main.yml
@@ -26,3 +26,11 @@ tripleo_admin_generate_key: false
 # When `tripleo_admin_pubkey` is defined an additional authorized key will
 # added to the admin users authroized_keys file.
 # tripleo_admin_pubkey: ssh-rsa AAAA...
+
+# When `tripleo_admin_prikey` is defined and not empty and when
+# distribute_private_key is true, then a private key will
+# be added to the admin user's home dir. It will be called
+# "~/.ssh/id_rsa" and contain something like:
+# tripleo_admin_prikey: -----BEGIN OPENSSH PRIVATE KEY-----\nb3B...
+
+distribute_private_key: false
diff --git a/tripleo_ansible/roles/tripleo_create_admin/molecule/addkey/converge.yml b/tripleo_ansible/roles/tripleo_create_admin/molecule/addkey/converge.yml
index dc0a27600..dc4e665e1 100644
--- a/tripleo_ansible/roles/tripleo_create_admin/molecule/addkey/converge.yml
+++ b/tripleo_ansible/roles/tripleo_create_admin/molecule/addkey/converge.yml
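Review bot: The new `tripleo_admin_prikey: "{{ user_private_key }}"` role parameter hands the private key to the role on every run, even though `distribute_private_key` defaults to false and the role will then write nothing, so the key material is resolved into the role's variable scope on every target for no benefit. If `distribute_private_key` is in scope for this play (the `vars:` hunk above is at line 21 and may belong to a different play), gating the parameter keeps the secret out of scope unless it is actually needed: `tripleo_admin_prikey: "{{ user_private_key if distribute_private_key | bool else '' }}"`. Where `user_private_key` is produced is not visible in this hunk, so it is worth confirming it is never logged or registered with a visible result. The added line also replaces the blank line that separated this role list from the following `Validate TripleO Admin Access` play; restoring the blank keeps the two plays visually distinct.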
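Review bot: The new comment block in defaults/main.yml documents the mechanics of `tripleo_admin_prikey` but not its security consequence, which is what an operator enabling `distribute_private_key` most needs to know: the role authorizes `tripleo_admin_pubkey` on every host it runs on (authorize_user.yml), so distributing the matching private key to those same hosts means a compromise of any one of them yields tripleo-admin access to all of the others. I would add `# WARNING: with distribute_private_key enabled every node receives the same private key that is authorized on all other nodes; a single-node compromise then compromises all nodes, and the key value must never be committed to version control.` The example `-----BEGIN OPENSSH PRIVATE KEY-----\nb3B...` suggests an inline scalar; a `|` block scalar or `lookup('file', ...)` is the usual way to pass multi-line key material and avoids `\n` escaping mistakes. Style: every other variable in this role carries the `tripleo_admin_` prefix (`tripleo_admin_generate_key`, `tripleo_admin_pubkey`), so the unprefixed `distribute_private_key` can collide with play or inventory variables; `tripleo_admin_distribute_private_key` would match the convention, though the playbook hunk above uses the unprefixed name as well and would need to change with it.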
@@ -26,3 +26,11 @@
 vars:
 tripleo_admin_user: tripleo-admin
 tripleo_admin_pubkey: ssh-rsa AAAATEST
+
+ - import_role:
+ name: tripleo_create_admin
+ tasks_from: distribute_key_files.yml
+ vars:
+ tripleo_admin_user: tripleo-admin
+ distribute_private_key: true
+ tripleo_admin_prikey: '-----BEGIN OPENSSH PRIVATE KEY-----'
diff --git a/tripleo_ansible/roles/tripleo_create_admin/molecule/addkey/tests/test_keyadd.py b/tripleo_ansible/roles/tripleo_create_admin/molecule/addkey/tests/test_keyadd.py
index 8d77d71c0..3826b5c83 100644
--- a/tripleo_ansible/roles/tripleo_create_admin/molecule/addkey/tests/test_keyadd.py
+++ b/tripleo_ansible/roles/tripleo_create_admin/molecule/addkey/tests/test_keyadd.py
@@ -26,3 +26,5 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
 def test_user_key_add(host):
 auth_keys = host.file("/home/tripleo-admin/.ssh/authorized_keys")
 assert 'ssh-rsa AAAATEST' in auth_keys.content_string
+ private_key = host.file("/home/tripleo-admin/.ssh/id_rsa")
+ assert '-----BEGIN OPENSSH PRIVATE KEY-----' in private_key.content_string
diff --git a/tripleo_ansible/roles/tripleo_create_admin/tasks/authorize_user.yml b/tripleo_ansible/roles/tripleo_create_admin/tasks/authorize_user.yml
index 1bbe83333..afa9ee1d7 100644
--- a/tripleo_ansible/roles/tripleo_create_admin/tasks/authorize_user.yml
+++ b/tripleo_ansible/roles/tripleo_create_admin/tasks/authorize_user.yml
@@ -15,7 +15,7 @@
 # under the License.
-- name: authorize TripleO Mistral key for user {{ tripleo_admin_user }}
+- name: authorize TripleO key for user {{ tripleo_admin_user }}
 lineinfile:
 path: /home/{{ tripleo_admin_user }}/.ssh/authorized_keys
 line: '{{ tripleo_admin_pubkey }}'
diff --git a/tripleo_ansible/roles/tripleo_create_admin/tasks/distribute_key_files.yml b/tripleo_ansible/roles/tripleo_create_admin/tasks/distribute_key_files.yml
new file mode 100644
index 000000000..05c5a1cde
--- /dev/null
+++ b/tripleo_ansible/roles/tripleo_create_admin/tasks/distribute_key_files.yml
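Review bot: The two new assertions in `test_user_key_add` check only that the private key landed, not the properties that make a private key file safe: the task sets `mode: '0600'` and owner/group `tripleo-admin`, and OpenSSH ignores an identity file that is group- or world-readable, so a regression there would pass this test while breaking the feature. Pin them after the content check with `assert private_key.mode == 0o600`, `assert private_key.user == 'tripleo-admin'` and `assert private_key.group == 'tripleo-admin'`. The public-key task is exercised by the same converge scenario but not asserted at all; a matching `host.file("/home/tripleo-admin/.ssh/id_rsa.pub")` check with `0o644` would cover it.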
@@ -0,0 +1,39 @@
+---
+# Copyright 2021 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Install private key on nodes for user {{ tripleo_admin_user }}
+ copy:
+ dest: /home/{{ tripleo_admin_user }}/.ssh/id_rsa
+ content: "{{ tripleo_admin_prikey }}"
+ owner: "{{ tripleo_admin_user }}"
+ group: "{{ tripleo_admin_user }}"
+ mode: '0600'
+ when:
+ - distribute_private_key | bool
+ - tripleo_admin_prikey is defined
+ - tripleo_admin_prikey | length > 0
+
+- name: Install public key on nodes for user {{ tripleo_admin_user }}
+ copy:
+ dest: /home/{{ tripleo_admin_user }}/.ssh/id_rsa.pub
+ content: "{{ tripleo_admin_pubkey }}"
+ owner: "{{ tripleo_admin_user }}"
+ group: "{{ tripleo_admin_user }}"
+ mode: '0644'
+ when:
+ - distribute_private_key | bool
+ - tripleo_admin_pubkey is defined
+ - tripleo_admin_pubkey | length > 0
diff --git a/tripleo_ansible/roles/tripleo_create_admin/tasks/main.yml b/tripleo_ansible/roles/tripleo_create_admin/tasks/main.yml
index a43750463..b597a323d 100644
--- a/tripleo_ansible/roles/tripleo_create_admin/tasks/main.yml
+++ b/tripleo_ansible/roles/tripleo_create_admin/tasks/main.yml
@@ -17,3 +17,5 @@
 - import_tasks: create_user.yml
 - import_tasks: authorize_user.yml
+- import_tasks: distribute_key_files.yml
+ when: distribute_private_key | bool
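Review bot: The `Install private key on nodes` task writes `tripleo_admin_prikey` through `copy`'s `content:` without `no_log: true`, so the full private key is echoed into Ansible output whenever the run uses `--diff` or `-vvv` (module invocation args), and from there into any callback plugin or log collector the deployment feeds; add `no_log: true` to that task (the public-key task can stay visible). `copy` also silently overwrites an existing `~/.ssh/id_rsa` on the node, so a key the user already had is lost without a trace — `force: false` or `backup: true` would make that behaviour an explicit choice. The task assumes `/home/{{ tripleo_admin_user }}/.ssh` already exists, which `create_user.yml` presumably guarantees but is not visible here; worth confirming, since a missing directory fails this task only after the flag is enabled. If the key value can arrive without its trailing newline (some secret stores strip it), `content: "{{ tripleo_admin_prikey | trim }}\n"` normalizes the file so sshd-side tooling and `ssh-keygen -y` parse it reliably.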
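Review bot: The `when: distribute_private_key | bool` added to the `import_tasks: distribute_key_files.yml` line in tasks/main.yml duplicates the same condition already present on each task inside that file; with `import_tasks` the condition is inherited by every imported task, so the guard here is redundant. The per-task guards are the ones that matter, because the molecule scenario loads the file via `tasks_from` and bypasses main.yml entirely, so dropping the `when:` from this line leaves behaviour unchanged and removes one of two places to keep in sync. If the intent is to also skip the import for readability in `--list-tasks` output, a one-line comment saying so would explain why both exist.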