tripleo-ansible/tripleo_ansible/playbooks/cli-enable-ssh-admin.yaml

220 lines
7.6 KiB
YAML

---
# Copyright 2019 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Playbook for establishing ssh keys
connection: "{{ (tripleo_target_host is defined) | ternary('ssh', 'local') }}"
hosts: "{{ tripleo_target_host | default('localhost') }}"
remote_user: "{{ tripleo_target_user | default(lookup('env', 'USER')) }}"
gather_facts: "{{ (tripleo_target_host is defined) | ternary(true, false) }}"
any_errors_fatal: true
vars:
BlacklistedIpAddresses: []
distribute_private_key: false
handlers:
- name: Remove mistral tmp file
file:
path: "{{ tempfile_1.path }}"
state: absent
tasks:
- name: No ssh servers defined
fail:
msg: >-
The ssh_servers option was undefined.
when:
- ssh_servers is undefined
- name: Cloud name block
when:
- tripleo_cloud_name is defined
block:
- name: Run blacklist IP check
command: >-
openstack --os-cloud undercloud stack output show {{ tripleo_cloud_name }} BlacklistedIpAddresses -f yaml
register: blacklist_cmd
changed_when: false
async: 1000
poll: 0
- name: Block on async blacklist check
async_status:
jid: "{{ blacklist_cmd.ansible_job_id }}"
register: blacklist_cmd_job_result
until: blacklist_cmd_job_result.finished
retries: 30
- name: Set BlacklistedIpAddresses fact
set_fact:
BlacklistedIpAddresses: "{{ (blacklist_cmd_job_result.stdout | from_yaml)['output_value'] }}"
- name: Set local connection user facts
set_fact:
ansible_home: "{{ lookup('env', 'HOME') }}"
ansible_user: "{{ lookup('env', 'USER') }}"
run_once: true
when:
- (tripleo_target_host is defined) | ternary('ssh', 'local') == 'local'
- name: Set facts for ssh servers and user private key file
set_fact:
set_ssh_servers: "{{ ssh_servers }}"
defined_user_private_key_file: "{{ user_private_key_file | default(ansible_home ~ '/.ssh/id_rsa_tripleo') }}"
run_once: true
- name: Ensure .ssh directory
file:
path: "{{ ansible_home }}/.ssh"
state: directory
mode: "0700"
owner: "{{ ansible_user }}"
become: true
- name: Ensure ssh key pair
user:
name: "{{ ansible_user }}"
generate_ssh_key: true
ssh_key_bits: 4096
ssh_key_file: "{{ ansible_home }}/.ssh/id_rsa"
become: true
- name: Stat key file
stat:
path: "{{ defined_user_private_key_file }}"
register: key_check
- name: Key block
when:
- user_public_key is undefined
- user_private_key is undefined
- user_private_key_file is undefined
block:
- name: Read key block
run_once: true
when:
- key_check.stat.exists | bool
block:
- name: Get local private key
slurp:
src: "{{ defined_user_private_key_file }}"
register: private_key_get
become: true
- name: Get local public key
slurp:
src: "{{ defined_user_private_key_file }}.pub"
register: public_key_get
become: true
- name: Set key facts
set_fact:
user_public_key: "{{ public_key_get['content'] | b64decode }}"
user_private_key: "{{ private_key_get['content'] | b64decode }}"
user_private_key_file: "{{ defined_user_private_key_file }}"
- name: Read and create key block
run_once: true
when:
- not (key_check.stat.exists | bool)
block:
- name: Get local private key
slurp:
src: "{{ ansible_home }}/.ssh/id_rsa"
register: private_key_get
become: true
- name: Get local public key
slurp:
src: "{{ ansible_home }}/.ssh/id_rsa.pub"
register: public_key_get
become: true
- name: Write tripleo private key
copy:
content: "{{ private_key_get['content'] | b64decode }}"
dest: "{{ defined_user_private_key_file }}"
mode: "0600"
- name: Write tripleo public key
copy:
content: "{{ public_key_get['content'] | b64decode }}"
dest: "{{ defined_user_private_key_file }}.pub"
mode: "0640"
- name: Set key file fact
set_fact:
user_public_key: "{{ public_key_get['content'] | b64decode }}"
user_private_key: "{{ private_key_get['content'] | b64decode }}"
user_private_key_file: "{{ defined_user_private_key_file }}"
- name: Ensure user can ssh to localhost
authorized_key:
user: "{{ ansible_user }}"
key: "{{ user_public_key }}"
become: true
- name: Set node key fact
set_fact:
node_key_fact: "{{ lookup('env', 'ANSIBLE_PRIVATE_KEY_FILE') or (ansible_ssh_private_key_file | default(ansible_home ~ '/.ssh/id_rsa')) }}"
- name: Add ssh-servers
add_host:
hostname: "{{ item }}"
groups: tripleo_queues
user_public_key: "{{ user_public_key }}"
user_private_key: "{{ user_private_key }}"
user_private_key_file: "{{ user_private_key_file }}"
ansible_user: "{{ ssh_user | default(ansible_user) }}"
ansible_ssh_private_key_file: "{{ node_key_fact }}"
changed_when: false
loop: '{{ set_ssh_servers | difference(((BlacklistedIpAddresses | length) < 1) | ternary([], BlacklistedIpAddresses)) }}'
- name: Run Create admin
hosts: localhost:tripleo_queues
become: true
any_errors_fatal: true
gather_facts: false
pre_tasks:
# NOTE(cloudnull): The connection will allow for 40 minutes before failing. This time was chosen
# because a server may take anywhere from 5 to 40 minutes to boot, and in large
# deployments the number of "forks" may not accomodate all nodes running this
# task in parallel. Because we don't know the all of the characteristics of the
# machine being used, there's no way to compute the value appropriate for a
# given node(s), so 40 minutes should accommodate most environments.
- name: Wait for connection to become available
wait_for_connection:
sleep: 4
timeout: 2400
- name: Gather facts with an active connection
setup:
gather_subset:
- '!facter'
- '!ohai'
roles:
- role: tripleo_create_admin
tripleo_admin_user: tripleo-admin
tripleo_admin_pubkey: "{{ user_public_key }}"
tripleo_admin_prikey: "{{ user_private_key }}"
- name: Validate TripleO Admin Access
hosts: localhost:tripleo_queues
user: tripleo-admin
gather_facts: false
vars:
ansible_ssh_private_key_file: "{{ user_private_key_file }}"
tasks:
- name: Ping host
ping: {}