Check pub key file perms and default to pub key data

The previously default /home/stack/.ssh/id_rsa.pub file may not exist or be readable; exit with explicit error message. Users can still specify a file path but will need to ensure it is readable. Should a file path not be specified, default to amp_ssh_key_data. The value is passed by THT with the public key of the 'default' keypair from the undercloud which anyway is the public key of the 'stack' user. This patch also fixes a syntax error in octavia-undercloud role. Closes-Bug: #1770153 Closes-Bug: #1770641 Depends-On: https://review.openstack.org/568022 Change-Id: I0026343d90b84572c3002fa21001cfb09c742391 (cherry picked from commit 8a69b692c4)
2018-05-09 14:06:22 +02:00 · 2018-05-09 14:06:22 +02:00 · a2a5539579
parent 1d3aefbe2f
commit a2a5539579
6 changed files with 41 additions and 9 deletions
--- a/playbooks/octavia-files.yaml
+++ b/playbooks/octavia-files.yaml
@ -5,6 +5,7 @@
  vars:
    amp_ssh_key_name: "{{ amp_ssh_key_name }}"
    amp_ssh_key_path: "{{ amp_ssh_key_path }}"
+    amp_ssh_key_data: "{{ amp_ssh_key_data }}"
    auth_username: "{{ auth_username }}"
    auth_pasword: "{{ auth_password }}"
    auth_project_name: "{{ auth_project_name }}"
--- a/playbooks/roles/common/defaults/main.yml
+++ b/playbooks/roles/common/defaults/main.yml
@ -3,7 +3,7 @@ amp_image_name: "octavia-amphora"
 amp_image_filename: "/usr/share/openstack-octavia-amphora-images/amphora-x64-haproxy.qcow2"
 amp_image_tag: "amphora-image"
 amp_ssh_key_name: "octavia-ssh-key"
-amp_ssh_key_path: "/home/stack/.ssh/id_rsa.pub"
+amp_ssh_key_path: ""
 auth_username: "octavia"
 auth_project_name: "service"
 lb_mgmt_net_name: "lb-mgmt-net"
--- a/playbooks/roles/octavia-undercloud/tasks/main.yml
+++ b/playbooks/roles/octavia-undercloud/tasks/main.yml
@ -14,16 +14,39 @@
    changed_when: "image_result.stdout != ''"
    when: amp_image_file_result.stat.exists == True

-  - name: check if pub key file exists
-    stat: path="{{ amp_ssh_key_path }}"
-    register: ssh_pub_key_file_result
+  - name: use ssh pub key file if provided and is readable
+    block:
+      - name: check if pub key file exists
+        stat: path="{{ amp_ssh_key_path }}"
+        register: key_file_result
+        ignore_errors: true
+
+      - name: fail if ssh pub key file does not exist or is not readable
+        fail: msg="{{ amp_ssh_key_path }} does not exist or is not readable by user {{ ansible_user }}"
+        when: key_file_result|failed or key_file_result.stat.exists == False or key_file_result.stat.readable == False
+
+      - set_fact:
+          amp_ssh_key_path_final: "{{ amp_ssh_key_path }}"
+    when: amp_ssh_key_path is defined and amp_ssh_key_path != ""
+
+  - name: defaulting to public key from undercloud default keypair
+    block:
+      - name: create temp pub key file
+        tempfile: state=file
+        register: ssh_key_tmp_file
+
+      - name: copy ssh public key content to temp file
+        copy: content="{{ amp_ssh_key_data }}" dest="{{ ssh_key_tmp_file.path }}"
+
+      - set_fact:
+          amp_ssh_key_path_final: "{{ ssh_key_tmp_file.path }}"
+    when: amp_ssh_key_path is not defined or amp_ssh_key_path == ""

  - name: upload pub key to overcloud
    shell: |
      openstack keypair show {{ amp_ssh_key_name }} || \
-        openstack keypair create --public-key {{ amp_ssh_key_path }} {{ amp_ssh_key_name }}
+        openstack keypair create --public-key {{ amp_ssh_key_path_final }} {{ amp_ssh_key_name }}
    environment:
-      OS_USERNAME: {{ auth_username }}
-      OS_PASSWORD: {{ auth_password }}
-      OS_PROJECT_NAME: {{ auth_project_name }}
-    when: ssh_pub_key_file_result.stat.exists == True
+      OS_USERNAME: "{{ auth_username }}"
+      OS_PASSWORD: "{{ auth_password }}"
+      OS_PROJECT_NAME: "{{ auth_project_name }}"
--- a/releasenotes/notes/fix-octavia-pub-key-d195fbf1976a8d36.yaml
+++ b/releasenotes/notes/fix-octavia-pub-key-d195fbf1976a8d36.yaml
@ -0,0 +1,3 @@
+---
+fixes:
+  - Check pub key file permissions and default to pub key data for Octavia.
--- a/releasenotes/notes/fix-syntax-error-in-octavia-undercloud-role-c02b0c5b0f1ece34.yaml
+++ b/releasenotes/notes/fix-syntax-error-in-octavia-undercloud-role-c02b0c5b0f1ece34.yaml
@ -0,0 +1,3 @@
+---
+fixes:
+  - Fix syntax error in octavia-undercloud role.
--- a/workbooks/octavia_post.yaml
+++ b/workbooks/octavia_post.yaml
@ -13,6 +13,7 @@ workflows:
      - amp_image_tag
      - amp_ssh_key_name
      - amp_ssh_key_path
+      - amp_ssh_key_data
      - auth_username
      - auth_password
      - auth_project_name
@ -101,6 +102,7 @@ workflows:
            amp_image_tag: <% $.amp_image_tag %>
            amp_ssh_key_name: <% $.amp_ssh_key_name %>
            amp_ssh_key_path: <% $.amp_ssh_key_path %>
+            amp_ssh_key_data: <% $.amp_ssh_key_data %>
            auth_username: <% $.auth_username %>
            auth_password: <% $.auth_password %>
            auth_project_name: <% $.auth_project_name %>