--- version: '2.0' name: tripleo.access.v1 description: TripleO administration access workflows workflows: enable_ssh_admin: description: >- This workflow creates an admin user on the overcloud nodes, which can then be used for connecting for automated administrative or deployment tasks, e.g. via Ansible. The workflow can be used both for Nova-managed and split-stack deployments, assuming the correct input values are passed in. The workflow defaults to Nova-managed approach, for which no additional parameters need to be supplied. In case of split-stack, temporary ssh connection details (user, key, list of servers) need to be provided -- these are only used temporarily to create the actual ssh admin user for use by Mistral. tags: - tripleo-common-managed input: - ssh_private_key: null - ssh_user: null - ssh_servers: [] - overcloud_admin: tripleo-admin - queue_name: tripleo - plan_name: overcloud tasks: get_pubkey: action: tripleo.validations.get_pubkey on-success: authorize_undercloud_admin publish: pubkey: <% task().result %> authorize_undercloud_admin: action: tripleo.ansible-playbook # older underclouds may not have a tripleo-admin user, # so continue on success or failure on-complete: get_blacklisted_ip_addresses input: inventory: undercloud: hosts: localhost: ansible_connection: local playbook: - hosts: undercloud tasks: - name: undercloud authorize user <% $.overcloud_admin %> import_role: name: tripleo-create-admin tasks_from: authorize_user.yml vars: tripleo_admin_user: <% $.overcloud_admin %> tripleo_admin_pubkey: <% $.pubkey %> execution_id: <% execution().id %> get_blacklisted_ip_addresses: action: heat.stacks_output_show input: stack_id: <% $.plan_name %> output_key: BlacklistedIpAddresses publish: blacklisted_ip_addresses: <% task().result.output.output_value %> on-success: get_ssh_servers_not_blacklisted publish-on-error: status: FAILED message: <% task().result %> get_ssh_servers_not_blacklisted: publish: ssh_servers_not_blacklisted: <% let(blacklisted=>$.blacklisted_ip_addresses, ssh_servers=>$.ssh_servers) -> $ssh_servers.where(not $ in $blacklisted) %> on-success: - create_admin_via_nova: <% $.ssh_private_key = null %> - create_admin_via_ssh: <% $.ssh_private_key != null %> publish-on-error: status: FAILED message: <% task().result %> # Nova variant create_admin_via_nova: workflow: tripleo.access.v1.create_admin_via_nova input: queue_name: <% $.queue_name %> ssh_servers: <% $.ssh_servers_not_blacklisted %> tasks: - name: create and authorize user <% $.overcloud_admin %> import_role: name: tripleo-create-admin vars: tripleo_admin_user: <% $.overcloud_admin %> tripleo_admin_pubkey: <% $.pubkey %> overcloud_admin: <% $.overcloud_admin %> # SSH variant create_admin_via_ssh: workflow: tripleo.access.v1.create_admin_via_ssh input: ssh_private_key: <% $.ssh_private_key %> ssh_user: <% $.ssh_user %> ssh_servers: <% $.ssh_servers_not_blacklisted %> tasks: - name: create and authorize user <% $.overcloud_admin %> import_role: name: tripleo-create-admin vars: tripleo_admin_user: <% $.overcloud_admin %> tripleo_admin_pubkey: <% $.pubkey %> create_admin_via_nova: input: - tasks - queue_name: tripleo - ssh_servers: [] - overcloud_admin: tripleo-admin - ansible_extra_env_variables: ANSIBLE_HOST_KEY_CHECKING: 'False' tags: - tripleo-common-managed tasks: get_servers: action: nova.servers_list with-items: server in <% $.ssh_servers %> input: search_opts: ip: <% $.server %> publish: servers: <% task().result._info %> on-success: create_admin create_admin: workflow: tripleo.deployment.v1.deploy_on_server on-success: get_privkey with-items: server in <% $.servers.flatten() %> input: server_name: <% $.server.name %> server_uuid: <% $.server.id %> queue_name: <% $.queue_name %> config_name: create_admin group: ansible config: | - hosts: localhost connection: local tasks: <% json_pp($.tasks) %> get_privkey: action: tripleo.validations.get_privkey on-success: wait_for_occ publish: privkey: <% task().result %> wait_for_occ: action: tripleo.ansible-playbook input: inventory: overcloud: hosts: <% $.ssh_servers.toDict($, {}) %> remote_user: <% $.overcloud_admin %> ssh_private_key: <% $.privkey %> extra_env_variables: <% $.ansible_extra_env_variables %> playbook: - hosts: overcloud gather_facts: no tasks: - name: wait for connection wait_for_connection: sleep: 5 timeout: 300 execution_id: <% execution().id %> create_admin_via_ssh: input: - tasks - ssh_private_key - ssh_user - ssh_servers - ansible_extra_env_variables: ANSIBLE_HOST_KEY_CHECKING: 'False' tags: - tripleo-common-managed tasks: write_tmp_playbook: action: tripleo.ansible-playbook input: inventory: overcloud: hosts: <% $.ssh_servers.toDict($, {}) %> remote_user: <% $.ssh_user %> ssh_private_key: <% $.ssh_private_key %> extra_env_variables: <% $.ansible_extra_env_variables %> become: true become_user: root playbook: - hosts: overcloud tasks: <% $.tasks %> execution_id: <% execution().id %>