221 lines
7.6 KiB
YAML
221 lines
7.6 KiB
YAML
---
|
|
# Copyright 2019 Red Hat, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
- name: Playbook for establishing ssh keys
|
|
connection: "{{ (tripleo_target_host is defined) | ternary('ssh', 'local') }}"
|
|
hosts: "{{ tripleo_target_host | default('localhost') }}"
|
|
remote_user: "{{ tripleo_target_user | default(lookup('env', 'USER')) }}"
|
|
gather_facts: "{{ (tripleo_target_host is defined) | ternary(true, false) }}"
|
|
any_errors_fatal: true
|
|
vars:
|
|
BlacklistedIpAddresses: []
|
|
distribute_private_key: false
|
|
handlers:
|
|
- name: Remove mistral tmp file
|
|
file:
|
|
path: "{{ tempfile_1.path }}"
|
|
state: absent
|
|
tasks:
|
|
- name: No ssh servers defined
|
|
fail:
|
|
msg: >-
|
|
The ssh_servers option was undefined.
|
|
when:
|
|
- ssh_servers is undefined
|
|
|
|
- name: Cloud name block
|
|
when:
|
|
- tripleo_cloud_name is defined
|
|
block:
|
|
- name: Run blacklist IP check
|
|
shell: >-
|
|
openstack stack output show {{ tripleo_cloud_name }} BlacklistedIpAddresses -f yaml
|
|
register: blacklist_cmd
|
|
changed_when: false
|
|
async: 1000
|
|
poll: 0
|
|
|
|
- name: Block on async blacklist check
|
|
async_status:
|
|
jid: "{{ blacklist_cmd.ansible_job_id }}"
|
|
register: blacklist_cmd_job_result
|
|
until: blacklist_cmd_job_result.finished
|
|
retries: 30
|
|
|
|
- name: Set BlacklistedIpAddresses fact
|
|
set_fact:
|
|
BlacklistedIpAddresses: "{{ (blacklist_cmd_job_result.stdout | from_yaml)['output_value'] }}"
|
|
|
|
- name: Set local connection user facts
|
|
set_fact:
|
|
ansible_home: "{{ lookup('env', 'HOME') }}"
|
|
ansible_user: "{{ lookup('env', 'USER') }}"
|
|
run_once: true
|
|
when:
|
|
- (tripleo_target_host is defined) | ternary('ssh', 'local') == 'local'
|
|
|
|
- name: Set facts for ssh servers and user private key file
|
|
set_fact:
|
|
set_ssh_servers: "{{ ssh_servers }}"
|
|
defined_user_private_key_file: "{{ user_private_key_file | default(ansible_home ~ '/.ssh/id_rsa_tripleo') }}"
|
|
run_once: true
|
|
|
|
- name: Ensure .ssh directory
|
|
file:
|
|
path: "{{ ansible_home }}/.ssh"
|
|
state: directory
|
|
mode: "0700"
|
|
owner: "{{ ansible_user }}"
|
|
group: "{{ ansible_user }}"
|
|
become: true
|
|
|
|
- name: Ensure ssh key pair
|
|
user:
|
|
name: "{{ ansible_user }}"
|
|
generate_ssh_key: true
|
|
ssh_key_bits: 4096
|
|
ssh_key_file: "{{ ansible_home }}/.ssh/id_rsa"
|
|
become: true
|
|
|
|
- name: Stat key file
|
|
stat:
|
|
path: "{{ defined_user_private_key_file }}"
|
|
register: key_check
|
|
|
|
- name: Key block
|
|
when:
|
|
- user_public_key is undefined
|
|
- user_private_key is undefined
|
|
- user_private_key_file is undefined
|
|
block:
|
|
- name: Read key block
|
|
run_once: true
|
|
when:
|
|
- key_check.stat.exists | bool
|
|
block:
|
|
- name: Get local private key
|
|
slurp:
|
|
src: "{{ defined_user_private_key_file }}"
|
|
register: private_key_get
|
|
become: true
|
|
|
|
- name: Get local public key
|
|
slurp:
|
|
src: "{{ defined_user_private_key_file }}.pub"
|
|
register: public_key_get
|
|
become: true
|
|
|
|
- name: Set key facts
|
|
set_fact:
|
|
user_public_key: "{{ public_key_get['content'] | b64decode }}"
|
|
user_private_key: "{{ private_key_get['content'] | b64decode }}"
|
|
user_private_key_file: "{{ defined_user_private_key_file }}"
|
|
|
|
- name: Read and create key block
|
|
run_once: true
|
|
when:
|
|
- not (key_check.stat.exists | bool)
|
|
block:
|
|
- name: Get local private key
|
|
slurp:
|
|
src: "{{ ansible_home }}/.ssh/id_rsa"
|
|
register: private_key_get
|
|
become: true
|
|
|
|
- name: Get local public key
|
|
slurp:
|
|
src: "{{ ansible_home }}/.ssh/id_rsa.pub"
|
|
register: public_key_get
|
|
become: true
|
|
|
|
- name: Write tripleo private key
|
|
copy:
|
|
content: "{{ private_key_get['content'] | b64decode }}"
|
|
dest: "{{ defined_user_private_key_file }}"
|
|
mode: "0600"
|
|
|
|
- name: Write tripleo public key
|
|
copy:
|
|
content: "{{ public_key_get['content'] | b64decode }}"
|
|
dest: "{{ defined_user_private_key_file }}.pub"
|
|
mode: "0640"
|
|
|
|
- name: Set key file fact
|
|
set_fact:
|
|
user_public_key: "{{ public_key_get['content'] | b64decode }}"
|
|
user_private_key: "{{ private_key_get['content'] | b64decode }}"
|
|
user_private_key_file: "{{ defined_user_private_key_file }}"
|
|
|
|
- name: Ensure user can ssh to localhost
|
|
authorized_key:
|
|
user: "{{ ansible_user }}"
|
|
key: "{{ user_public_key }}"
|
|
become: true
|
|
|
|
- name: Set node key fact
|
|
set_fact:
|
|
node_key_fact: "{{ lookup('env', 'ANSIBLE_PRIVATE_KEY_FILE') or (ansible_ssh_private_key_file | default(ansible_home ~ '/.ssh/id_rsa')) }}"
|
|
|
|
- name: Add ssh-servers
|
|
add_host:
|
|
hostname: "{{ item }}"
|
|
groups: tripleo_queues
|
|
user_public_key: "{{ user_public_key }}"
|
|
user_private_key: "{{ user_private_key }}"
|
|
user_private_key_file: "{{ user_private_key_file }}"
|
|
ansible_user: "{{ ssh_user | default(ansible_user) }}"
|
|
ansible_ssh_private_key_file: "{{ node_key_fact }}"
|
|
changed_when: false
|
|
loop: '{{ set_ssh_servers | difference(((BlacklistedIpAddresses | length) < 1) | ternary([], BlacklistedIpAddresses)) }}'
|
|
|
|
|
|
- name: Run Create admin
|
|
hosts: localhost:tripleo_queues
|
|
become: true
|
|
any_errors_fatal: true
|
|
gather_facts: false
|
|
pre_tasks:
|
|
# NOTE(cloudnull): The connection will allow for 40 minutes before failing. This time was chosen
|
|
# because a server may take anywhere from 5 to 40 minutes to boot, and in large
|
|
# deployments the number of "forks" may not accomodate all nodes running this
|
|
# task in parallel. Because we don't know the all of the characteristics of the
|
|
# machine being used, there's no way to compute the value appropriate for a
|
|
# given node(s), so 40 minutes should accommodate most environments.
|
|
- name: Wait for connection to become available
|
|
wait_for_connection:
|
|
sleep: 4
|
|
timeout: 2400
|
|
|
|
- name: Gather facts with an active connection
|
|
setup:
|
|
gather_subset:
|
|
- '!facter'
|
|
- '!ohai'
|
|
roles:
|
|
- role: tripleo_create_admin
|
|
tripleo_admin_user: tripleo-admin
|
|
tripleo_admin_pubkey: "{{ user_public_key }}"
|
|
tripleo_admin_prikey: "{{ user_private_key }}"
|
|
|
|
- name: Validate TripleO Admin Access
|
|
hosts: localhost:tripleo_queues
|
|
user: tripleo-admin
|
|
gather_facts: false
|
|
vars:
|
|
ansible_ssh_private_key_file: "{{ user_private_key_file }}"
|
|
tasks:
|
|
- name: Ping host
|
|
ping: {}
|