Check pub key file perms and default to pub key data

The previous default, /home/stack/.ssh/id_rsa.pub, may not exist or may not
be readable; exit with an explicit error message. Users can still specify a
file path but will need to ensure it is readable. Should a file path not
be specified, default to amp_ssh_key_data. The value is passed by THT
with the public key of the 'default' keypair from the undercloud which
anyway is the public key of the 'stack' user.

This patch also fixes a syntax error in octavia-undercloud role.

Closes-Bug: #1770153
Closes-Bug: #1770641

Depends-On: https://review.openstack.org/568022
Change-Id: I0026343d90b84572c3002fa21001cfb09c742391
Carlos Goncalves 2018-05-09 14:06:22 +02:00
parent 0dcfe268c7
commit 8a69b692c4
6 changed files with 41 additions and 9 deletions


@ -5,6 +5,7 @@
vars:
amp_ssh_key_name: "{{ amp_ssh_key_name }}"
amp_ssh_key_path: "{{ amp_ssh_key_path }}"
amp_ssh_key_data: "{{ amp_ssh_key_data }}"
auth_username: "{{ auth_username }}"
auth_pasword: "{{ auth_password }}"
auth_project_name: "{{ auth_project_name }}"
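Review bot: The `vars:` mapping still passes the password under the misspelled key `auth_pasword` (a context line this commit does not touch), while the role reads `auth_password` for the `OS_PASSWORD` environment of its shell task; the role presumably only works because a variable named `auth_password` is also visible from the enclosing play scope. Renaming it to `auth_password: "{{ auth_password }}"` makes the credential plumbing explicit and consistent with the `auth_username` line above it.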


@ -3,7 +3,7 @@ amp_image_name: ""
amp_image_filename: ""
amp_image_tag: "amphora-image"
amp_ssh_key_name: "octavia-ssh-key"
amp_ssh_key_path: "/home/stack/.ssh/id_rsa.pub"
amp_ssh_key_path: ""
auth_username: "octavia"
auth_project_name: "service"
lb_mgmt_net_name: "lb-mgmt-net"


@ -24,16 +24,39 @@
- include_tasks: image_mgmt.yml
when: image_file_result.stat.exists
- name: check if pub key file exists
stat: path="{{ amp_ssh_key_path }}"
register: ssh_pub_key_file_result
- name: use ssh pub key file if provided and is readable
block:
- name: check if pub key file exists
stat: path="{{ amp_ssh_key_path }}"
register: key_file_result
ignore_errors: true
- name: fail if ssh pub key file does not exist or is not readable
fail: msg="{{ amp_ssh_key_path }} does not exist or is not readable by user {{ ansible_user }}"
when: key_file_result|failed or key_file_result.stat.exists == False or key_file_result.stat.readable == False
- set_fact:
amp_ssh_key_path_final: "{{ amp_ssh_key_path }}"
when: amp_ssh_key_path is defined and amp_ssh_key_path != ""
- name: defaulting to public key from undercloud default keypair
block:
- name: create temp pub key file
tempfile: state=file
register: ssh_key_tmp_file
- name: copy ssh public key content to temp file
copy: content="{{ amp_ssh_key_data }}" dest="{{ ssh_key_tmp_file.path }}"
- set_fact:
amp_ssh_key_path_final: "{{ ssh_key_tmp_file.path }}"
when: amp_ssh_key_path is not defined or amp_ssh_key_path == ""
- name: upload pub key to overcloud
shell: |
openstack keypair show {{ amp_ssh_key_name }} || \
openstack keypair create --public-key {{ amp_ssh_key_path }} {{ amp_ssh_key_name }}
openstack keypair create --public-key {{ amp_ssh_key_path_final }} {{ amp_ssh_key_name }}
environment:
OS_USERNAME: {{ auth_username }}
OS_PASSWORD: {{ auth_password }}
OS_PROJECT_NAME: {{ auth_project_name }}
when: ssh_pub_key_file_result.stat.exists == True
OS_USERNAME: "{{ auth_username }}"
OS_PASSWORD: "{{ auth_password }}"
OS_PROJECT_NAME: "{{ auth_project_name }}"
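Review bot: The `upload pub key to overcloud` shell task interpolates `amp_ssh_key_name` and `amp_ssh_key_path_final` into the command line unquoted, so a key name (which arrives from THT via the workflow input) containing whitespace or shell metacharacters breaks or injects into the command; use `openstack keypair show {{ amp_ssh_key_name | quote }} || \` and `openstack keypair create --public-key {{ amp_ssh_key_path_final | quote }} {{ amp_ssh_key_name | quote }}`. The fallback block writes `amp_ssh_key_data` to a temp file without checking that it is set and non-empty, so a missing value only surfaces later as a failed `openstack keypair create`; a `fail` task mirroring the file-path branch, `when: amp_ssh_key_data is not defined or amp_ssh_key_data == ""`, would give the explicit error the commit message promises. The temp file is also never removed after the upload; a final `file: path="{{ ssh_key_tmp_file.path }}" state=absent` task would clean it up. Note as well that `keypair show` succeeding only proves a keypair of that name exists — the existing public key is not compared against the one supplied, so a pre-existing keypair under the same name is used as-is (possibly intended for idempotence, but worth a comment on the task).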


@ -0,0 +1,3 @@
---
fixes:
- Check pub key file permissions and default to pub key data for Octavia.


@ -0,0 +1,3 @@
---
fixes:
- Fix syntax error in octavia-undercloud role.


@ -13,6 +13,7 @@ workflows:
- amp_image_tag
- amp_ssh_key_name
- amp_ssh_key_path
- amp_ssh_key_data
- auth_username
- auth_password
- auth_project_name
@ -101,6 +102,7 @@ workflows:
amp_image_tag: <% $.amp_image_tag %>
amp_ssh_key_name: <% $.amp_ssh_key_name %>
amp_ssh_key_path: <% $.amp_ssh_key_path %>
amp_ssh_key_data: <% $.amp_ssh_key_data %>
auth_username: <% $.auth_username %>
auth_password: <% $.auth_password %>
auth_project_name: <% $.auth_project_name %>