Honor blacklist with enable_ssh_admin

Use the stack output BlacklistedIpAddresses in the enable_ssh_admin workflow so that the workflow does not use any of the servers in the blacklist. Change-Id: Ie5dbe86232c3b6a85665a9eec08ace8ba9415ea1 Depends-On: Ie96acf29a857e4801f5823f26a7de6bc989f39e2 Closes-Bug: #1785680
2018-08-06 17:23:59 -04:00
parent 7b226e70e6
commit 893cd2af3f
3 changed files with 30 additions and 3 deletions
--- a/releasenotes/notes/enable-ssh-admin-honor-blacklist-f1371554ab1b38f6.yaml
+++ b/releasenotes/notes/enable-ssh-admin-honor-blacklist-f1371554ab1b38f6.yaml
@@ -0,0 +1,4 @@
+---
+fixes:
+  - tripleo.access.v1.enable_ssh_admin now honors the server blacklist if one
+    is set. Servers in the blacklist will not be used by the workflow.
--- a/workbooks/access.yaml
+++ b/workbooks/access.yaml
@@ -26,13 +26,35 @@ workflows:
      - ssh_servers: []
      - overcloud_admin: tripleo-admin
      - queue_name: tripleo
+      - plan_name: overcloud
+
    tasks:
      get_pubkey:
        action: tripleo.validations.get_pubkey
-        on-success: generate_playbook
+        on-success: get_blacklisted_ip_addresses
        publish:
          pubkey: <% task().result %>

+      get_blacklisted_ip_addresses:
+        action: heat.stacks_output_show
+        input:
+          stack_id: <% $.plan_name %>
+          output_key: BlacklistedIpAddresses
+        publish:
+          blacklisted_ip_addresses: <% task().result.output.output_value %>
+        on-success: get_ssh_servers_not_blacklisted
+        publish-on-error:
+          status: FAILED
+          message: <% task().result %>
+
+      get_ssh_servers_not_blacklisted:
+        publish:
+          ssh_servers_not_blacklisted: <% let(blacklisted=>$.blacklisted_ip_addresses, ssh_servers=>$.ssh_servers) -> $ssh_servers.where(not $ in $blacklisted) %>
+        on-success: generate_playbook
+        publish-on-error:
+          status: FAILED
+          message: <% task().result %>
+
      generate_playbook:
        on-success:
          - create_admin_via_nova: <% $.ssh_private_key = null %>
@@ -73,7 +95,7 @@ workflows:
        workflow: tripleo.access.v1.create_admin_via_nova
        input:
          queue_name: <% $.queue_name %>
-          ssh_servers: <% $.ssh_servers %>
+          ssh_servers: <% $.ssh_servers_not_blacklisted %>
          tasks: <% $.create_admin_tasks %>
          overcloud_admin: <% $.overcloud_admin %>

@@ -83,7 +105,7 @@ workflows:
        input:
          ssh_private_key: <% $.ssh_private_key %>
          ssh_user: <% $.ssh_user %>
-          ssh_servers: <% $.ssh_servers %>
+          ssh_servers: <% $.ssh_servers_not_blacklisted %>
          tasks: <% $.create_admin_tasks %>

  create_admin_via_nova:
--- a/workbooks/deployment.yaml
+++ b/workbooks/deployment.yaml
@@ -259,6 +259,7 @@ workflows:
          ssh_private_key: <% $.private_key %>
          # FIXME(mandre) this shouldn't be hardcoded
          ssh_user: heat-admin
+          plan_name: <% $.container %>
        publish-on-error:
          message: <% task().result %>
        on-success: config_download_deploy