From 3d65bce9b3efbdadacee85b0593f4bdcf917528c Mon Sep 17 00:00:00 2001
From: John Fulton
Date: Wed, 23 Dec 2020 19:21:23 +0000
Subject: [PATCH] Add distribute_private_key boolean for tripleo_create_admin

Add boolean option to distribute the private key which is created by the cli-enable-ssh-admin.yaml playbook and update the tripleo_create_admin role to distribute the private key when it is true. This option defaults to false as we normally don't want to do this. However, cephadm needs a private key on all nodes with the OS::TripleO::Services::CephMgr service in order to manage a Ceph cluster. This option will likely only be used for the ceph-admin user which is similar to but not the same as the tripleo-admin user.

Also, remove old reference to Mistral in task name.

Implements: blueprint tripleo-ceph
Change-Id: I69c74c1869aa0f54c1695fd53098df7e78f64247
---
 .../playbooks/cli-enable-ssh-admin.yaml | 3 +-
 .../tripleo_create_admin/defaults/main.yml | 8 ++++
 .../molecule/addkey/converge.yml | 8 ++++
 .../molecule/addkey/tests/test_keyadd.py | 2 +
 .../tasks/authorize_user.yml | 2 +-
 .../tasks/distribute_key_files.yml | 39 +++++++++++++++++++
 .../roles/tripleo_create_admin/tasks/main.yml | 2 +
 7 files changed, 62 insertions(+), 2 deletions(-)
 create mode 100644 tripleo_ansible/roles/tripleo_create_admin/tasks/distribute_key_files.yml

diff --git a/tripleo_ansible/playbooks/cli-enable-ssh-admin.yaml b/tripleo_ansible/playbooks/cli-enable-ssh-admin.yaml
index 578f0fc05..e84acb878 100644
--- a/tripleo_ansible/playbooks/cli-enable-ssh-admin.yaml
+++ b/tripleo_ansible/playbooks/cli-enable-ssh-admin.yaml
@@ -21,6 +21,7 @@
 any_errors_fatal: true
 vars:
 BlacklistedIpAddresses: []
+ distribute_private_key: false
 handlers:
 - name: Remove mistral tmp file
 file:
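Review bot: `distribute_private_key: false` is declared as a play-level `vars:` entry, which in Ansible's precedence order sits above inventory, group and host vars, so an operator cannot enable key distribution from inventory; only higher-precedence sources such as extra vars (`-e distribute_private_key=true`) or a `set_fact` can flip it. That matches how `BlacklistedIpAddresses` is declared on the line above, but since the commit message says the option exists specifically for the cephadm case, it is worth recording how it is meant to be switched on, e.g. a comment next to the var: `# Ships the generated private key to the admin user on every host; enable via -e for the cephadm use case.` The enclosing play starts before this hunk.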
@@ -226,7 +227,7 @@
 - role: tripleo_create_admin
 tripleo_admin_user: tripleo-admin
 tripleo_admin_pubkey: "{{ user_public_key }}"
-
+ tripleo_admin_prikey: "{{ user_private_key }}"
 
 - name: Validate TripleO Admin Access
 hosts: localhost:tripleo_queues
diff --git a/tripleo_ansible/roles/tripleo_create_admin/defaults/main.yml b/tripleo_ansible/roles/tripleo_create_admin/defaults/main.yml
index 920693b4c..30489608c 100644
--- a/tripleo_ansible/roles/tripleo_create_admin/defaults/main.yml
+++ b/tripleo_ansible/roles/tripleo_create_admin/defaults/main.yml
@@ -26,3 +26,11 @@ tripleo_admin_generate_key: false
 # When `tripleo_admin_pubkey` is defined an additional authorized key will
 # added to the admin users authroized_keys file.
 # tripleo_admin_pubkey: ssh-rsa AAAA...
+
+# When `tripleo_admin_prikey` is defined and not empty and when
+# distribute_private_key is true, then a private key will
+# be added to the admin user's home dir. It will be called
+# "~/.ssh/id_rsa" and contain something like:
+# tripleo_admin_prikey: -----BEGIN OPENSSH PRIVATE KEY-----\nb3B...
+
+distribute_private_key: false
diff --git a/tripleo_ansible/roles/tripleo_create_admin/molecule/addkey/converge.yml b/tripleo_ansible/roles/tripleo_create_admin/molecule/addkey/converge.yml
index dc0a27600..dc4e665e1 100644
--- a/tripleo_ansible/roles/tripleo_create_admin/molecule/addkey/converge.yml
+++ b/tripleo_ansible/roles/tripleo_create_admin/molecule/addkey/converge.yml
@@ -26,3 +26,11 @@
 vars:
 tripleo_admin_user: tripleo-admin
 tripleo_admin_pubkey: ssh-rsa AAAATEST
+
+ - import_role:
+ name: tripleo_create_admin
+ tasks_from: distribute_key_files.yml
+ vars:
+ tripleo_admin_user: tripleo-admin
+ distribute_private_key: true
+ tripleo_admin_prikey: '-----BEGIN OPENSSH PRIVATE KEY-----'
diff --git a/tripleo_ansible/roles/tripleo_create_admin/molecule/addkey/tests/test_keyadd.py b/tripleo_ansible/roles/tripleo_create_admin/molecule/addkey/tests/test_keyadd.py
index 8d77d71c0..3826b5c83 100644
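Review bot: `tripleo_admin_prikey: "{{ user_private_key }}"` hands the private key to the role as a role parameter on every host regardless of `distribute_private_key`, so in the default (disabled) case the secret is still templated into each host's role vars and carried through the play for nothing. Gating it at the call site keeps the key on the control node unless distribution was actually requested: `tripleo_admin_prikey: "{{ user_private_key if distribute_private_key | bool else '' }}"`; the role's `length > 0` guard already treats an empty value as "do not install". Where `user_private_key` is populated is outside this hunk; if it can be undefined when distribution is off, the same conditional also avoids an unconditional reference to it, which is worth confirming against the earlier play.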
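Review bot: The new comment block describes `tripleo_admin_prikey` but not the two things an operator turning `distribute_private_key` on would want to know: that the flag also makes the role write `tripleo_admin_pubkey` to `~/.ssh/id_rsa.pub` (second task in distribute_key_files.yml in this change), and that both files replace whatever id_rsa/id_rsa.pub the admin user already had. Suggest extending the block with `# When true, tripleo_admin_pubkey is also written to ~/.ssh/id_rsa.pub, and any` / `# existing id_rsa and id_rsa.pub for the admin user are overwritten (id_rsa mode 0600).` The `authroized_keys` typo on the context line above could be fixed in passing.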
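Review bot: The new `import_role` invocation sets `distribute_private_key: true` and `tripleo_admin_prikey` but not `tripleo_admin_pubkey`, so the public-key task in distribute_key_files.yml is skipped by its `tripleo_admin_pubkey is defined` guard and `~/.ssh/id_rsa.pub` is never produced in this scenario. Adding `tripleo_admin_pubkey: ssh-rsa AAAATEST` to this invocation's `vars:` reuses the fixture the previous invocation already passes and lets the molecule test cover both tasks.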
--- a/tripleo_ansible/roles/tripleo_create_admin/molecule/addkey/tests/test_keyadd.py
+++ b/tripleo_ansible/roles/tripleo_create_admin/molecule/addkey/tests/test_keyadd.py
@@ -26,3 +26,5 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
 def test_user_key_add(host):
 auth_keys = host.file("/home/tripleo-admin/.ssh/authorized_keys")
 assert 'ssh-rsa AAAATEST' in auth_keys.content_string
+ private_key = host.file("/home/tripleo-admin/.ssh/id_rsa")
+ assert '-----BEGIN OPENSSH PRIVATE KEY-----' in private_key.content_string
diff --git a/tripleo_ansible/roles/tripleo_create_admin/tasks/authorize_user.yml b/tripleo_ansible/roles/tripleo_create_admin/tasks/authorize_user.yml
index 1bbe83333..afa9ee1d7 100644
--- a/tripleo_ansible/roles/tripleo_create_admin/tasks/authorize_user.yml
+++ b/tripleo_ansible/roles/tripleo_create_admin/tasks/authorize_user.yml
@@ -15,7 +15,7 @@
 # under the License.
 
 
-- name: authorize TripleO Mistral key for user {{ tripleo_admin_user }}
+- name: authorize TripleO key for user {{ tripleo_admin_user }}
 lineinfile:
 path: /home/{{ tripleo_admin_user }}/.ssh/authorized_keys
 line: '{{ tripleo_admin_pubkey }}'
diff --git a/tripleo_ansible/roles/tripleo_create_admin/tasks/distribute_key_files.yml b/tripleo_ansible/roles/tripleo_create_admin/tasks/distribute_key_files.yml
new file mode 100644
index 000000000..05c5a1cde
--- /dev/null
+++ b/tripleo_ansible/roles/tripleo_create_admin/tasks/distribute_key_files.yml
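Review bot: The two added assertions only check that the marker string landed in `/home/tripleo-admin/.ssh/id_rsa`; the property that actually matters for a private key file is its mode and ownership, and a regression that left the key world-readable or root-owned would still pass this test. Add `assert private_key.mode == 0o600` and `assert private_key.user == 'tripleo-admin'` after the content check; testinfra's `File` object exposes both attributes, and the role sets exactly those values in its copy task.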
@@ -0,0 +1,39 @@
+---
+# Copyright 2021 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Install private key on nodes for user {{ tripleo_admin_user }}
+ copy:
+ dest: /home/{{ tripleo_admin_user }}/.ssh/id_rsa
+ content: "{{ tripleo_admin_prikey }}"
+ owner: "{{ tripleo_admin_user }}"
+ group: "{{ tripleo_admin_user }}"
+ mode: '0600'
+ when:
+ - distribute_private_key | bool
+ - tripleo_admin_prikey is defined
+ - tripleo_admin_prikey | length > 0
+
+- name: Install public key on nodes for user {{ tripleo_admin_user }}
+ copy:
+ dest: /home/{{ tripleo_admin_user }}/.ssh/id_rsa.pub
+ content: "{{ tripleo_admin_pubkey }}"
+ owner: "{{ tripleo_admin_user }}"
+ group: "{{ tripleo_admin_user }}"
+ mode: '0644'
+ when:
+ - distribute_private_key | bool
+ - tripleo_admin_pubkey is defined
+ - tripleo_admin_pubkey | length > 0
diff --git a/tripleo_ansible/roles/tripleo_create_admin/tasks/main.yml b/tripleo_ansible/roles/tripleo_create_admin/tasks/main.yml
index a43750463..b597a323d 100644
--- a/tripleo_ansible/roles/tripleo_create_admin/tasks/main.yml
+++ b/tripleo_ansible/roles/tripleo_create_admin/tasks/main.yml
@@ -17,3 +17,5 @@
 
 - import_tasks: create_user.yml
 - import_tasks: authorize_user.yml
+- import_tasks: distribute_key_files.yml
+ when: distribute_private_key | bool
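Review bot: The `copy` task that installs the private key has no `no_log: true`, so the key material passed via `content:` is emitted in the task result whenever the play runs with `--diff` or at higher verbosity and ends up in whatever captures play output; add `no_log: true` to the "Install private key" task (the public-key task can stay loggable). The public-key task is gated on `distribute_private_key` even though it does not write the private key, which is correct but reads oddly without a comment such as `# Ship the matching public key next to the private key so the admin user can use the pair as-is.` Both tasks also assume `/home/{{ tripleo_admin_user }}/.ssh` already exists; that presumably holds when main.yml runs create_user.yml and authorize_user.yml first, but an import via `tasks_from:` (as the molecule scenario does) depends on that ordering and is worth a one-line comment at the top of the file.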
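Review bot: The `when: distribute_private_key | bool` on the `import_tasks` line is applied to every task in distribute_key_files.yml, and each of those tasks already lists the same `distribute_private_key | bool` as the first item of its own `when:`, so the condition is evaluated twice per task with two places to keep in sync. Either guard alone is sufficient; keeping the per-task ones and dropping this one has the advantage that a `tasks_from:` import of the file behaves the same as the main.yml path, while keeping only this one means the tasks are never even scheduled when the flag is off. Pick one and say so in a short comment on the surviving guard.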