
Merge "Simplify ssh_known_hosts role"

tags/1.2.0
Zuul Gerrit Code Review 2 weeks ago
parent
commit
660102739a
8 changed files with 215 additions and 30 deletions
  1. +15
    -6
      tripleo_ansible/roles/tripleo_ssh_known_hosts/molecule/default/molecule.yml
  2. +8
    -4
      tripleo_ansible/roles/tripleo_ssh_known_hosts/molecule/default/tests/test_default.py
  3. +37
    -0
      tripleo_ansible/roles/tripleo_ssh_known_hosts/molecule/no_networks/Dockerfile
  4. +58
    -0
      tripleo_ansible/roles/tripleo_ssh_known_hosts/molecule/no_networks/molecule.yml
  5. +22
    -0
      tripleo_ansible/roles/tripleo_ssh_known_hosts/molecule/no_networks/playbook.yml
  6. +26
    -0
      tripleo_ansible/roles/tripleo_ssh_known_hosts/molecule/no_networks/prepare.yml
  7. +33
    -0
      tripleo_ansible/roles/tripleo_ssh_known_hosts/molecule/no_networks/tests/test_no_networks.py
  8. +16
    -20
      tripleo_ansible/roles/tripleo_ssh_known_hosts/tasks/main.yml

+ 15
- 6
tripleo_ansible/roles/tripleo_ssh_known_hosts/molecule/default/molecule.yml View File

@@ -29,18 +29,27 @@ provisioner:
inventory:
hosts:
all:
vars:
ctlplane_ip: 10.0.0.0
cloud_domain: localdomain
enabled_networks: []
role_networks: []
children:
overcloud:
hosts:
centos8:
ansible_ssh_host_key_rsa_public: AAAATEST
ctlplane_ip: 10.0.0.1
ctlplane_hostname: centos8.ctlplane.localdomain
internal_api_ip: 10.0.1.1
internal_api_hostname: centos8.internalapi.localdomain
management_ip: 10.0.0.1 # no management_hostname
canonical_hostname: centos8.localdomain
tripleo_role_networks: [ctlplane, internal_api, management]
centos7:
ansible_ssh_host_key_rsa_public: AAAATEST
ansible_ssh_host_key_rsa_public: BBBBTEST
hostname_resolve_network: ctlplane
ctlplane_ip: 10.0.0.2
ctlplane_hostname: centos7.ctlplane.localdomain
internal_api_ip: 10.0.1.2
internal_api_hostname: centos7.internalapi.localdomain
canonical_hostname: centos7.localdomain
tripleo_role_networks: [ctlplane, internal_api]
log: true
env:
ANSIBLE_STDOUT_CALLBACK: yaml
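Review bot: For centos8 the fixture sets `management_ip: 10.0.0.1`, the same address as `ctlplane_ip`, so the expected centos8 line in test_default.py carries no management entry only because the role de-duplicates the pattern list; a regression that silently dropped the management network would pass this scenario unchanged. Give it a distinct address, `management_ip: 10.0.2.1  # no management_hostname`, and add `[10.0.2.1]*` to the expected line in the test so the "ip present, hostname absent" path is actually observed. `hostname_resolve_network: ctlplane` on centos7 does not appear to be read by the role's new template in this change; if it is unused, drop it so the fixture only carries variables the role consumes.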


+ 8
- 4
tripleo_ansible/roles/tripleo_ssh_known_hosts/molecule/default/tests/test_default.py View File

@@ -23,7 +23,11 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')


def test_host_key_add(host):
hostname = host.ansible.get_variables()['inventory_hostname']
line = '[10.0.0.0]*,[%s.localdomain]*,[%s]* ssh-rsa AAAATEST' % (hostname, hostname)
assert line in host.file("/etc/ssh/ssh_known_hosts").content_string
def test_ssh_host_keys(host):
expected = [
'[10.0.0.1]*,[centos8.ctlplane.localdomain]*,[10.0.1.1]*,[centos8.internalapi.localdomain]*,[centos8.localdomain]*,[centos8]* ssh-rsa AAAATEST',
'[10.0.0.2]*,[centos7.ctlplane.localdomain]*,[10.0.1.2]*,[centos7.internalapi.localdomain]*,[centos7.localdomain]*,[centos7]* ssh-rsa BBBBTEST'
]
known_hosts = host.file("/etc/ssh/ssh_known_hosts").content_string
for line in expected:
assert line in host.file("/etc/ssh/ssh_known_hosts").content_string
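Review bot: `known_hosts` is assigned from the file on the line before the loop and then never used; each iteration re-reads `host.file(...).content_string` instead. Substring containment is also weaker than intended here, since a malformed line such as `[]*,[10.0.0.1]*,... ssh-rsa AAAATEST` or one with trailing junk would still satisfy the assert; compare whole lines: `assert line in known_hosts.splitlines()`. That uses the already-read content and pins the exact line the role is expected to emit.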

+ 37
- 0
tripleo_ansible/roles/tripleo_ssh_known_hosts/molecule/no_networks/Dockerfile View File

@@ -0,0 +1,37 @@
# Molecule managed
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.


{% if item.registry is defined %}
FROM {{ item.registry.url }}/{{ item.image }}
{% else %}
FROM {{ item.image }}
{% endif %}

RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install sudo python*-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \
elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \
elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \
elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi

{% for pkg in item.easy_install | default([]) %}
# install pip for centos where there is no python-pip rpm in default repos
RUN easy_install {{ pkg }}
{% endfor %}


CMD ["sh", "-c", "while true; do sleep 10000; done"]

+ 58
- 0
tripleo_ansible/roles/tripleo_ssh_known_hosts/molecule/no_networks/molecule.yml View File

@@ -0,0 +1,58 @@
---
driver:
name: docker

log: true

platforms:
- name: centos7
hostname: centos7
image: centos:7
dockerfile: Dockerfile
pkg_extras: python-setuptools
easy_install:
- pip
environment: &env
http_proxy: "{{ lookup('env', 'http_proxy') }}"
https_proxy: "{{ lookup('env', 'https_proxy') }}"

- name: centos8
hostname: centos8
image: centos:8
dockerfile: Dockerfile
pkg_extras: python*-setuptools
environment:
<<: *env

provisioner:
name: ansible
inventory:
hosts:
all:
children:
overcloud:
hosts:
centos8:
ansible_ssh_host_key_rsa_public: AAAATEST
centos7:
ansible_ssh_host_key_rsa_public: BBBBTEST
log: true
env:
ANSIBLE_STDOUT_CALLBACK: yaml

scenario:
test_sequence:
- destroy
- create
- prepare
- converge
- verify
- destroy

lint:
enabled: false

verifier:
name: testinfra
lint:
name: flake8
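Review bot: The `test_sequence` converges once and never runs `idempotence`, so a second run that appends duplicate entries to /etc/ssh/ssh_known_hosts, or rewrites it reporting changed, would not be caught by this scenario. For a role whose only effect is writing that file, a non-idempotent rewrite is the main regression worth guarding; add `- idempotence` after `- converge`. The role's tasks are not in this file, so whether the current implementation already passes such a step cannot be confirmed from here.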

+ 22
- 0
tripleo_ansible/roles/tripleo_ssh_known_hosts/molecule/no_networks/playbook.yml View File

@@ -0,0 +1,22 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.


- name: Converge
hosts: all
pre_tasks:
roles:
- role: "tripleo_ssh_known_hosts"
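Review bot: `pre_tasks:` has no value and therefore parses as `null` rather than an empty list; Ansible tolerates it, but yamllint's `empty-values` rule flags it and the key documents nothing. Remove the line so `hosts: all` is followed directly by `roles:`, matching the other scenario playbooks that have no pre-tasks. If pre-tasks are intended later, add them then with an explicit list.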

+ 26
- 0
tripleo_ansible/roles/tripleo_ssh_known_hosts/molecule/no_networks/prepare.yml View File

@@ -0,0 +1,26 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.


- name: Prepare
hosts: all
roles:
- role: test_deps
tasks:
- name: Install additional dependencies
package:
name: openssh
state: present
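Review bot: The reason `openssh` is installed in the test container is not recorded, and a reader has to open the role to learn that it writes /etc/ssh/ssh_known_hosts and presumably relies on the `/etc/ssh` directory the package provides. Add a one-line why-comment above the task, e.g. `# the role writes /etc/ssh/ssh_known_hosts; openssh supplies /etc/ssh`, after confirming against the role that this is the actual dependency. The package name is CentOS-specific (Debian-family images split it into openssh-client/openssh-server), which is fine while the scenario's platforms are only centos:7 and centos:8, but worth stating in the same comment.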

+ 33
- 0
tripleo_ansible/roles/tripleo_ssh_known_hosts/molecule/no_networks/tests/test_no_networks.py View File

@@ -0,0 +1,33 @@
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.


import os

import testinfra.utils.ansible_runner


testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')


def test_ssh_host_keys(host):
expected = [
'[centos8]* ssh-rsa AAAATEST',
'[centos7]* ssh-rsa BBBBTEST'
]
known_hosts = host.file("/etc/ssh/ssh_known_hosts").content_string
for line in expected:
assert line in host.file("/etc/ssh/ssh_known_hosts").content_string
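Review bot: `known_hosts` is read once before the loop and then ignored; the assert re-reads `host.file(...).content_string` on each iteration. Because this scenario has no networks or canonical hostname, the role should emit exactly `[centos8]* ssh-rsa AAAATEST`, and a substring check would also accept a line with extra patterns prepended (for example an empty `[]*` entry); assert on whole lines instead: `assert line in known_hosts.splitlines()`. This reuses the content already read and verifies the "no networks" path produces nothing beyond the inventory hostname.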

+ 16
- 20
tripleo_ansible/roles/tripleo_ssh_known_hosts/tasks/main.yml View File

@@ -47,29 +47,25 @@
run_once: true
set_fact:
ssh_known_hosts_lines: |-
{% for host in (groups['overcloud'] | intersect(play_hosts)) %}
{% for host in groups['overcloud'] | intersect(play_hosts) %}
{% set hostdata = hostvars[host] %}
{% if ('ansible_ssh_host_key_rsa_public' in hostdata) or (ansible_ssh_host_key_rsa_public is defined) %}
{% if (cloud_domain is defined) and (hostdata['ctlplane_ip'] is defined) %}
{% set line = '[' ~ hostdata['ctlplane_ip'] ~ ']*,[' ~ host ~ '.' ~ cloud_domain ~ ']*,[' ~ host ~ ']*' %}
{% set role_networks = hostdata['role_networks'] | default([]) %}
{% if ((enabled_networks is defined and enabled_networks) and ((enabled_networks | length) > 0)) %}
{% if ((role_networks is defined and role_networks) and ((role_networks | length) > 0)) %}
{% set line = line ~ ',' %}
{% for network in enabled_networks %}
{% if network in role_networks %}
{% set line = line ~ '[' ~ hostdata[(networks[network]["name"] ~ '_ip')] ~ ']*,[' ~ host ~ '.' ~ network.lower() ~ ']*,' %}
{% set line = line ~ '[' ~ host ~ '.' ~ network.lower() ~ '.' ~ cloud_domain ~ ']*' %}
{% if not loop.last %}
{% set line = line ~ ',' %}
{% endif %}
{% endif %}
{% endfor %}
{% endif %}
{% if 'ansible_ssh_host_key_rsa_public' in hostdata %}
{% set entries = [] %}
{% set enabled_host_networks = hostdata['tripleo_role_networks']|default([]) %}
{% for network in enabled_host_networks %}
{% if (network ~ '_ip') in hostdata %}
{% set _ = entries.append('[' ~ hostdata[network ~ '_ip'] ~ ']*') %}
{% endif %}
{% set line = line ~ ' ssh-rsa ' ~ hostdata['ansible_ssh_host_key_rsa_public'] | default(ansible_ssh_host_key_rsa_public) %}
{{ line }}
{% if (network ~ '_hostname') in hostdata %}
{% set _ = entries.append('[' ~ hostdata[network ~ '_hostname'] ~ ']*') %}
{% endif %}
{% endfor %}
{% if 'canonical_hostname' in hostdata %}
{% set _ = entries.append('[' ~ hostdata['canonical_hostname'] ~ ']*') %}
{% endif %}
{% set _ = entries.append('[' ~ host ~ ']*') %}
{% set line = entries|unique|join(',') ~ ' ssh-rsa ' ~ hostdata['ansible_ssh_host_key_rsa_public'] %}
{{ line }}
{% endif %}
{% endfor %}
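Review bot: The guards `{% if (network ~ '_ip') in hostdata %}` and `{% if (network ~ '_hostname') in hostdata %}` test only key presence, so a fact that is present but empty renders the pattern `[]*`, and in OpenSSH known_hosts matching `*` is a glob, which makes `[]*` match every bracketed `[host]:port` lookup and offer this host's key for any other host on a non-default port. Whether TripleO ever sets a `*_ip` or `*_hostname` fact to an empty string is not visible here, but since this file is the deployment-wide trust anchor for host keys the guard is cheap: `{% if (network ~ '_ip') in hostdata and hostdata[network ~ '_ip'] %}` and the same form for `_hostname`; the `canonical_hostname` check below the loop deserves the same treatment. Hosts lacking `ansible_ssh_host_key_rsa_public` are now silently skipped rather than wrongly given another host's key, which is the right direction, but a short comment above the outer `if` saying that such hosts get no entry and will fall back to interactive host-key acceptance would save the next reader from guessing. The enclosing set_fact task begins before this hunk.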


