f98c136078
The ceph-ansible and skydive workflows now consume the blacklisted_ip_addresses input. The enable_ssh_admin workflow is modified to consume a list of ip addresses and only enable ssh on the given set of addresses. Change-Id: I4255739c852409fb8e170a9913fe7ad810711734 Depends-On: Ic158171c629e82892e480f1e6903a67457f86064 Closes-Bug: #1743046
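---
version: '2.0'

name: tripleo.access.v1

description: TripleO administration access workflows

workflows:

  # Entry point: creates the admin user (default "tripleo-admin") on the
  # overcloud nodes and authorizes the TripleO Mistral public key for it.
  # Dispatches to the Nova variant when no ssh_private_key is given,
  # otherwise to the SSH (split-stack) variant.
  enable_ssh_admin:
    description: >-
      This workflow creates an admin user on the overcloud nodes,
      which can then be used for connecting for automated
      administrative or deployment tasks, e.g. via Ansible. The
      workflow can be used both for Nova-managed and split-stack
      deployments, assuming the correct input values are passed
      in. The workflow defaults to Nova-managed approach, for which no
      additional parameters need to be supplied. In case of
      split-stack, temporary ssh connection details (user, key, list
      of servers) need to be provided -- these are only used
      temporarily to create the actual ssh admin user for use by
      Mistral.
    tags:
      - tripleo-common-managed
    input:
      # ssh_private_key / ssh_user: temporary credentials, split-stack only.
      - ssh_private_key: null
      - ssh_user: null
      # Addresses of the nodes to enable; an empty list enables nothing.
      - ssh_servers: []
      - overcloud_admin: tripleo-admin
      - queue_name: tripleo
    tasks:
      get_pubkey:
        action: tripleo.validations.get_pubkey
        on-success: generate_playbook
        publish:
          pubkey: <% task().result %>

      # Builds the Ansible task list that both variants run on each node.
      generate_playbook:
        on-success:
          - create_admin_via_nova: <% $.ssh_private_key = null %>
          - create_admin_via_ssh: <% $.ssh_private_key != null %>
        publish:
          create_admin_tasks:
            - name: create user <% $.overcloud_admin %>
              user:
                name: '<% $.overcloud_admin %>'
            # Grants the admin user passwordless root; the file mode must
            # stay restrictive, sudo rejects group/world-writable sudoers.
            - name: grant admin rights to user <% $.overcloud_admin %>
              copy:
                dest: /etc/sudoers.d/<% $.overcloud_admin %>
                # "|" (clip) keeps the trailing newline at the end of the file.
                content: |
                  <% $.overcloud_admin %> ALL=(ALL) NOPASSWD:ALL
                # Quoted: an unquoted 0440 is an octal int under YAML 1.1 but
                # decimal 440 under YAML 1.2 -- quoting pins the intended mode.
                mode: '0440'
            - name: ensure .ssh dir exists for user <% $.overcloud_admin %>
              file:
                path: /home/<% $.overcloud_admin %>/.ssh
                state: directory
                owner: <% $.overcloud_admin %>
                group: <% $.overcloud_admin %>
                mode: '0700'
            - name: ensure authorized_keys file exists for user <% $.overcloud_admin %>
              file:
                path: /home/<% $.overcloud_admin %>/.ssh/authorized_keys
                state: touch
                owner: <% $.overcloud_admin %>
                group: <% $.overcloud_admin %>
                # Regular file: owner read/write only, no execute bit (was 0700).
                mode: '0600'
            - name: authorize TripleO Mistral key for user <% $.overcloud_admin %>
              lineinfile:
                path: /home/<% $.overcloud_admin %>/.ssh/authorized_keys
                line: <% $.pubkey %>
                # Replaces a previously written key instead of appending one
                # more line per run; assumes the key's comment matches this
                # pattern -- confirm against tripleo.validations.get_pubkey.
                regexp: "Generated by TripleO"

      # Nova variant
      create_admin_via_nova:
        workflow: tripleo.access.v1.create_admin_via_nova
        input:
          queue_name: <% $.queue_name %>
          ssh_servers: <% $.ssh_servers %>
          tasks: <% $.create_admin_tasks %>
          overcloud_admin: <% $.overcloud_admin %>

      # SSH variant
      create_admin_via_ssh:
        workflow: tripleo.access.v1.create_admin_via_ssh
        input:
          ssh_private_key: <% $.ssh_private_key %>
          ssh_user: <% $.ssh_user %>
          ssh_servers: <% $.ssh_servers %>
          tasks: <% $.create_admin_tasks %>

  # Nova-managed nodes: pushes the tasks to each selected server through
  # deploy_on_server (presumably via os-collect-config, hence "wait_for_occ"),
  # then waits until the new user can log in over SSH with the Mistral key.
  create_admin_via_nova:
    input:
      - tasks
      - queue_name: tripleo
      # Only servers whose ctlplane address is listed here are touched.
      - ssh_servers: []
      - overcloud_admin: tripleo-admin
      # Disables SSH host key checking for the post-deploy connection check,
      # presumably because the nodes' host keys are not yet known to the
      # undercloud. This is a workflow input, so a caller that can provide
      # known host keys may override it. Must stay a string for Ansible.
      - ansible_extra_env_variables:
          ANSIBLE_HOST_KEY_CHECKING: 'False'
    tags:
      - tripleo-common-managed
    tasks:
      # Keeps only the Nova servers with a ctlplane address in ssh_servers,
      # so an empty ssh_servers list selects no node.
      get_servers:
        action: nova.servers_list
        on-success: create_admin
        publish:
          servers: <% let(root => $) -> task().result._info.where($.addresses.ctlplane.addr.any($ in $root.ssh_servers)) %>

      create_admin:
        workflow: tripleo.deployment.v1.deploy_on_server
        on-success: get_privkey
        with-items: server in <% $.servers %>
        input:
          server_name: <% $.server.name %>
          server_uuid: <% $.server.id %>
          queue_name: <% $.queue_name %>
          config_name: create_admin
          group: ansible
          # Playbook executed on the node itself (connection: local); the task
          # list is rendered as JSON, which the playbook's YAML parser accepts.
          config: |
            - hosts: localhost
              connection: local
              tasks: <% json_pp($.tasks) %>

      get_privkey:
        action: tripleo.validations.get_privkey
        on-success: wait_for_occ
        publish:
          privkey: <% task().result %>

      # Verifies the new admin user is reachable with the Mistral private key.
      wait_for_occ:
        action: tripleo.ansible-playbook
        input:
          inventory:
            overcloud:
              hosts: <% $.ssh_servers.toDict($, {}) %>
          remote_user: <% $.overcloud_admin %>
          ssh_private_key: <% $.privkey %>
          extra_env_variables: <% $.ansible_extra_env_variables %>
          playbook:
            - hosts: overcloud
              # Canonical boolean; "no" is only a boolean under YAML 1.1.
              gather_facts: false
              tasks:
                - name: wait for connection
                  wait_for_connection:
                    sleep: 5
                    timeout: 300

  # Split-stack nodes: runs the tasks directly over SSH using the temporary
  # credentials supplied by the caller, escalating to root via become.
  create_admin_via_ssh:
    input:
      - tasks
      - ssh_private_key
      - ssh_user
      - ssh_servers
      # Same trade-off as in create_admin_via_nova; overridable by the caller.
      - ansible_extra_env_variables:
          ANSIBLE_HOST_KEY_CHECKING: 'False'

    tags:
      - tripleo-common-managed
    tasks:
      write_tmp_playbook:
        action: tripleo.ansible-playbook
        input:
          inventory:
            overcloud:
              hosts: <% $.ssh_servers.toDict($, {}) %>
          remote_user: <% $.ssh_user %>
          ssh_private_key: <% $.ssh_private_key %>
          extra_env_variables: <% $.ansible_extra_env_variables %>
          become: true
          become_user: root
          playbook:
            - hosts: overcloud
              tasks: <% $.tasks %>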