Steve Baker c1341fc4d1 Authorize undercloud tripleo-admin user
This adds the public key into the .ssh/authorized_keys file
in /home/tripleo-admin. Failure is ignored because this may be running
on an undercloud which doesn't yet have a configured tripleo-admin
user.

This change also removes the generate_playbook task as a refactoring:
since the playbook now just invokes a role, there is no maintenance
benefit to justify the extra complexity.

Partial-Bug: #1813832
Change-Id: Id2ee912c456d66ed189fd5fdbaa5c1c3627bdf20
Depends-On: I4c8ee04534636622581eb386c01790d6610e7f58
2019-02-05 16:20:30 +13:00


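---
# Mistral workbook: creates and authorizes the overcloud ssh admin user.
#
# enable_ssh_admin is the entry point; it pushes the undercloud public key to
# the undercloud's own admin user, filters out blacklisted servers, and then
# dispatches to one of two sub-workflows depending on whether a temporary
# ssh private key was supplied (create_admin_via_nova / create_admin_via_ssh).
version: '2.0'
name: tripleo.access.v1
description: TripleO administration access workflows

workflows:

  enable_ssh_admin:
    description: >-
      This workflow creates an admin user on the overcloud nodes,
      which can then be used for connecting for automated
      administrative or deployment tasks, e.g. via Ansible. The
      workflow can be used both for Nova-managed and split-stack
      deployments, assuming the correct input values are passed
      in. The workflow defaults to Nova-managed approach, for which no
      additional parameters need to be supplied. In case of
      split-stack, temporary ssh connection details (user, key, list
      of servers) need to be provided -- these are only used
      temporarily to create the actual ssh admin user for use by
      Mistral.
    tags:
      - tripleo-common-managed
    input:
      # ssh_private_key != null selects the split-stack (ssh) path below.
      - ssh_private_key: null
      - ssh_user: null
      - ssh_servers: []
      - overcloud_admin: tripleo-admin
      - queue_name: tripleo
      - plan_name: overcloud
    tasks:
      # Fetch the undercloud (Mistral) public key to be authorized.
      get_pubkey:
        action: tripleo.validations.get_pubkey
        on-success: authorize_undercloud_admin
        publish:
          pubkey: <% task().result %>
      # Authorize the key for the undercloud's own admin user (localhost).
      authorize_undercloud_admin:
        action: tripleo.ansible-playbook
        # older underclouds may not have a tripleo-admin user,
        # so continue on success or failure
        # NOTE: on-complete also means a genuine failure here is not
        # surfaced to the caller; the undercloud admin may end up without
        # the key while the workflow still reports success.
        on-complete: get_blacklisted_ip_addresses
        input:
          inventory:
            undercloud:
              hosts:
                localhost:
                  ansible_connection: local
          playbook:
            - hosts: undercloud
              tasks:
                - name: undercloud authorize user <% $.overcloud_admin %>
                  import_role:
                    name: tripleo-create-admin
                    tasks_from: authorize_user.yml
                  vars:
                    tripleo_admin_user: <% $.overcloud_admin %>
                    tripleo_admin_pubkey: <% $.pubkey %>
          execution_id: <% execution().id %>
      # Read the plan's BlacklistedIpAddresses stack output so that
      # blacklisted nodes never receive the admin user.
      get_blacklisted_ip_addresses:
        action: heat.stacks_output_show
        input:
          stack_id: <% $.plan_name %>
          output_key: BlacklistedIpAddresses
        publish:
          blacklisted_ip_addresses: <% task().result.output.output_value %>
        on-success: get_ssh_servers_not_blacklisted
        publish-on-error:
          status: FAILED
          message: <% task().result %>
      # Drop every ssh_servers entry that appears in the blacklist.
      get_ssh_servers_not_blacklisted:
        publish:
          ssh_servers_not_blacklisted: <% let(blacklisted=>$.blacklisted_ip_addresses, ssh_servers=>$.ssh_servers) -> $ssh_servers.where(not $ in $blacklisted) %>
        on-success:
          - create_admin_via_nova: <% $.ssh_private_key = null %>
          - create_admin_via_ssh: <% $.ssh_private_key != null %>
        publish-on-error:
          status: FAILED
          message: <% task().result %>
      # Nova variant
      create_admin_via_nova:
        workflow: tripleo.access.v1.create_admin_via_nova
        input:
          queue_name: <% $.queue_name %>
          ssh_servers: <% $.ssh_servers_not_blacklisted %>
          tasks:
            - name: create and authorize user <% $.overcloud_admin %>
              import_role:
                name: tripleo-create-admin
              vars:
                tripleo_admin_user: <% $.overcloud_admin %>
                tripleo_admin_pubkey: <% $.pubkey %>
          overcloud_admin: <% $.overcloud_admin %>
      # SSH variant
      create_admin_via_ssh:
        workflow: tripleo.access.v1.create_admin_via_ssh
        input:
          ssh_private_key: <% $.ssh_private_key %>
          ssh_user: <% $.ssh_user %>
          ssh_servers: <% $.ssh_servers_not_blacklisted %>
          tasks:
            - name: create and authorize user <% $.overcloud_admin %>
              import_role:
                name: tripleo-create-admin
              vars:
                tripleo_admin_user: <% $.overcloud_admin %>
                tripleo_admin_pubkey: <% $.pubkey %>

  # Nova-managed path: the caller's tasks are delivered through a Heat
  # software deployment (os-collect-config) on each matched server, then the
  # workflow waits until the new admin user is reachable over ssh.
  create_admin_via_nova:
    input:
      - tasks
      - queue_name: tripleo
      - ssh_servers: []
      - overcloud_admin: tripleo-admin
      - ansible_extra_env_variables:
          # Host key verification is disabled for this bootstrap run because
          # the nodes' host keys are not yet known to the undercloud. The
          # consequence is that wait_for_occ trusts whichever host answers at
          # the listed addresses, so this should only ever reach the
          # provisioning network. Quoted on purpose: the value is exported as
          # an environment variable and must stay a string.
          ANSIBLE_HOST_KEY_CHECKING: 'False'
    tags:
      - tripleo-common-managed
    tasks:
      # Resolve each ssh_servers IP address to its Nova server record.
      get_servers:
        action: nova.servers_list
        with-items: server in <% $.ssh_servers %>
        input:
          search_opts:
            ip: <% $.server %>
        publish:
          # NOTE(review): reads the client's private `_info` attribute;
          # verify it still exists on the novaclient version in use.
          servers: <% task().result._info %>
        on-success: create_admin
      # One deploy_on_server run per matched server; the caller-supplied
      # task list is embedded into the playbook text via json_pp (JSON is
      # valid YAML, so the structure round-trips).
      create_admin:
        workflow: tripleo.deployment.v1.deploy_on_server
        on-success: get_privkey
        with-items: server in <% $.servers.flatten() %>
        input:
          server_name: <% $.server.name %>
          server_uuid: <% $.server.id %>
          queue_name: <% $.queue_name %>
          config_name: create_admin
          group: ansible
          config: |
            - hosts: localhost
              connection: local
              tasks: <% json_pp($.tasks) %>
      # Fetch the undercloud private key used to test the new admin login.
      get_privkey:
        action: tripleo.validations.get_privkey
        on-success: wait_for_occ
        publish:
          privkey: <% task().result %>
      # Block until every server accepts an ssh login as the new admin user.
      wait_for_occ:
        action: tripleo.ansible-playbook
        input:
          inventory:
            overcloud:
              hosts: <% $.ssh_servers.toDict($, {}) %>
          remote_user: <% $.overcloud_admin %>
          ssh_private_key: <% $.privkey %>
          extra_env_variables: <% $.ansible_extra_env_variables %>
          playbook:
            - hosts: overcloud
              # canonical boolean; `no` is YAML 1.1 only (yamllint truthy)
              gather_facts: false
              tasks:
                - name: wait for connection
                  wait_for_connection:
                    sleep: 5
                    timeout: 300
          execution_id: <% execution().id %>

  # Split-stack path: connect with the caller's temporary ssh credentials
  # and run the caller's tasks directly on the listed servers.
  create_admin_via_ssh:
    input:
      - tasks
      - ssh_private_key
      - ssh_user
      - ssh_servers
      - ansible_extra_env_variables:
          # Same trade-off as in create_admin_via_nova: host keys of the
          # fresh nodes are unknown, so verification is disabled for the
          # bootstrap connection. Kept as a quoted string because it is
          # exported as an environment variable.
          ANSIBLE_HOST_KEY_CHECKING: 'False'
    tags:
      - tripleo-common-managed
    tasks:
      write_tmp_playbook:
        action: tripleo.ansible-playbook
        input:
          inventory:
            overcloud:
              hosts: <% $.ssh_servers.toDict($, {}) %>
          remote_user: <% $.ssh_user %>
          ssh_private_key: <% $.ssh_private_key %>
          extra_env_variables: <% $.ansible_extra_env_variables %>
          # The caller-supplied task list runs as root on every listed
          # server, so whoever can invoke this workflow controls what is
          # executed there with the temporary key.
          become: true
          become_user: root
          playbook:
            - hosts: overcloud
              tasks: <% $.tasks %>
          execution_id: <% execution().id %>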