From 088d5c12f0f37e24d836e6f8791f41fbeba3326d Mon Sep 17 00:00:00 2001 From: James Slagle Date: Fri, 12 Jan 2018 15:52:26 -0500 Subject: [PATCH] Support SshKnownHostsDeployment with config-download Add support for the SshKnownHostsDeployment resources to config-download. Since the deployment resources relied on Heat outputs, they were not supported with the default handling from tripleo-common that relies on the group_vars mechanism. Instead, this patch refactors the templates to add the known hosts entries as global_vars to deploy_steps_playbook.yaml, and then includes the new tripleo-ssh-known-hosts role from tripleo-common to apply the same configuration that the Heat deployment did. Since these deployments no longer need to be triggered when including config-download-environment.yaml, a mapping is added that can be overridden to OS::Heat::None to disable the deployment resources when using config-download. The default behavior when not using config-download remains unchanged. Closes-Bug: #1746336 Change-Id: Ia334fe6adc9a8ab228f75cb1d0c441c1344e2bd9
---
common/deploy-steps.j2 | 9 +++- config-download-software.yaml | 9 ---- config-download-structured.yaml | 9 ---- environments/config-download-environment.yaml | 3 ++ overcloud-resource-registry-puppet.j2.yaml | 1 + overcloud.j2.yaml | 13 ++++- puppet/role.role.j2.yaml | 49 ++++++++++++------- ...pleo-ssh-known-hosts-5c64b1a90d61d7f2.yaml | 9 ++++ 8 files changed, 64 insertions(+), 38 deletions(-) create mode 100644 releasenotes/notes/tripleo-ssh-known-hosts-5c64b1a90d61d7f2.yaml
diff --git a/common/deploy-steps.j2 b/common/deploy-steps.j2
index f0edd29af6..d51ef67b59 100644
--- a/common/deploy-steps.j2
+++ b/common/deploy-steps.j2
@@ -78,6 +78,9 @@ parameters: type: comma_delimited_list default: ['ocata', 'pike', 'queens'] description: List of releases to fast forward through during upgrade. Last release in list is used for post steps. + ssh_known_hosts_hostnames: + description: Mapping of hostname to ssh known hosts entry + type: json conditions: {% for step in range(1, deploy_steps_max) %} @@ -372,6 +375,7 @@ outputs: value: global_vars: deploy_steps_max: {{deploy_steps_max}} + ssh_known_hosts: {get_param: ssh_known_hosts_hostnames} common_deploy_steps_tasks: {get_file: deploy-steps-tasks.yaml} docker_puppet_script: {get_file: ../docker/docker-puppet.py} deploy_steps_playbook: @@ -398,13 +402,14 @@ outputs: tags: - always - hosts: overcloud - name: Bootstrap TripleO servers + name: Common roles for TripleO servers gather_facts: no any_errors_fatal: yes roles: - tripleo-bootstrap + - tripleo-ssh-known-hosts tags: - - bootstrap + - common_roles - hosts: overcloud name: Server deployments gather_facts: no diff --git a/config-download-software.yaml b/config-download-software.yaml index 0db5486f92..6fb833f6ff 100644 --- a/config-download-software.yaml +++ b/config-download-software.yaml @@ -70,15 +70,6 @@ outputs: show: value: '' - ecdsa: - description: Host ssh public key (ecdsa) - value: 'ecdsa' - rsa: - description: Host ssh public key (rsa) - value: 'rsa' - ed25519: - description: Host ssh public key (ed25519) - value: 'ed25519' update_managed_packages: description: boolean value indicating whether to upgrade managed packages value: false diff --git a/config-download-structured.yaml b/config-download-structured.yaml index f6f73bc6ca..1016cbf14d 100644 --- a/config-download-structured.yaml +++ b/config-download-structured.yaml 
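Review bot: The description of the new `ssh_known_hosts_hostnames` parameter does not match what it carries: the `known_hosts_hostnames` output added to puppet/role.role.j2.yaml later in this patch is a map of Nova server name to the comma-separated hostnames/IPs portion of a known_hosts line, with no key material, whereas the description says "Mapping of hostname to ssh known hosts entry". Suggest `description: Mapping of server name to the comma-separated hostnames/IPs of its ssh known_hosts entry (no host key material)`. Every other parameter visible in this hunk carries a default, so `default: {}` would keep deploy-steps.j2 usable by a caller that does not pass the map. The global_vars key exported in the next hunk is named `ssh_known_hosts`, which reads as if it held complete entries; a one-line comment there saying it holds only the hostnames portion would avoid the same confusion in the playbook.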
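Review bot: Renaming the play's tag from `bootstrap` to `common_roles` is a user-visible interface change that the release note in this patch does not mention: an operator running `ansible-playbook --tags bootstrap` (or `--skip-tags bootstrap`) against deploy_steps_playbook.yaml will silently select nothing after this change. Either keep the old tag alongside the new one, `tags: [common_roles, bootstrap]`, or call the rename out in the release note. A short comment on the `- tripleo-ssh-known-hosts` line naming where that role comes from and that it consumes the `ssh_known_hosts` global var would also help, since nothing in this file ties the two together.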
@@ -70,15 +70,6 @@ outputs: show: value: '' - ecdsa: - description: Host ssh public key (ecdsa) - value: 'ecdsa' - rsa: - description: Host ssh public key (rsa) - value: 'rsa' - ed25519: - description: Host ssh public key (ed25519) - value: 'ed25519' update_managed_packages: description: boolean value indicating whether to upgrade managed packages value: false diff --git a/environments/config-download-environment.yaml b/environments/config-download-environment.yaml index da97c929ef..30ac4d6b25 100644 --- a/environments/config-download-environment.yaml +++ b/environments/config-download-environment.yaml @@ -6,3 +6,6 @@ resource_registry: OS::Heat::StructuredDeployment: ../config-download-structured.yaml OS::TripleO::DeploymentSteps: OS::Heat::None + + OS::TripleO::Ssh::KnownHostsDeployment: OS::Heat::None + OS::TripleO::Ssh::HostPubKey: OS::Heat::None diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml index 0152b99854..d4778c7249 100644 --- a/overcloud-resource-registry-puppet.j2.yaml +++ b/overcloud-resource-registry-puppet.j2.yaml @@ -7,6 +7,7 @@ resource_registry: OS::TripleO::Hosts::SoftwareConfig: hosts-config.yaml OS::TripleO::Ssh::HostPubKey: extraconfig/tasks/ssh/host_public_key.yaml OS::TripleO::Ssh::KnownHostsConfig: extraconfig/tasks/ssh/known_hosts_config.yaml + OS::TripleO::Ssh::KnownHostsDeployment: OS::Heat::StructuredDeployments OS::TripleO::DefaultPasswords: default_passwords.yaml OS::TripleO::RandomString: OS::Heat::RandomString diff --git a/overcloud.j2.yaml b/overcloud.j2.yaml index 828b6febbd..77e4fe28d8 100644 --- a/overcloud.j2.yaml +++ b/overcloud.j2.yaml 
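Review bot: Mapping `OS::TripleO::Ssh::HostPubKey` to OS::Heat::None means no host-key material is collected through Heat under config-download, so the trust anchor for the known_hosts entries written on the overcloud moves entirely to however the tripleo-ssh-known-hosts role obtains keys, which is not visible in this patch; if that role scans the nodes from the undercloud, the entries become trust-on-first-use over the ctlplane network rather than being sourced from each node as the Heat path did. The environment file says nothing about this, nor why `KnownHostsDeployment` is disabled at the same time. A comment above the two lines would help: `# Under config-download the tripleo-ssh-known-hosts Ansible role writes the known_hosts entries; disable the Heat deployment so the two paths do not both manage them, and skip the Heat host-key collection it relied on.` Note that `OS::TripleO::Ssh::KnownHostsConfig` stays mapped, so the Heat-side config is still built from per-role outputs that now reference a disabled resource.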
@@ -377,6 +377,16 @@ resources: - {get_attr: [{{role.name}}, known_hosts_entry]} {% endfor %} + SshKnownHostsHostnames: + type: OS::Heat::Value + properties: + value: + map_merge: + list_concat: + {% for role in roles %} + - {get_attr: [{{role.name}}, known_hosts_hostnames]} + {% endfor %} + # Jinja loop for Role in roles_data.yaml {% for role in roles %} # Resources generated for {{role.name}} Role @@ -467,7 +477,7 @@ resources: servers: {get_attr: [{{role.name}}Servers, value]} {{role.name}}SshKnownHostsDeployment: - type: OS::Heat::StructuredDeployments + type: OS::TripleO::Ssh::KnownHostsDeployment properties: name: {{role.name}}SshKnownHostsDeployment config: {get_resource: SshKnownHostsConfig} @@ -919,6 +929,7 @@ resources: {% endfor %} blacklisted_ip_addresses: {get_attr: [BlacklistedIpAddresses, value]} blacklisted_hostnames: {get_attr: [BlacklistedHostnames, value]} + ssh_known_hosts_hostnames: {get_attr: [SshKnownHostsHostnames, value]} ServerOsCollectConfigData: type: OS::Heat::Value diff --git a/puppet/role.role.j2.yaml b/puppet/role.role.j2.yaml index f843a3800e..204e25093b 100644 --- a/puppet/role.role.j2.yaml +++ b/puppet/role.role.j2.yaml 
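Review bot: `SshKnownHostsHostnames` folds the per-role lists of `{server name: hostnames}` maps with `map_merge`, which on a duplicate key keeps the last entry without any error, so two roles that ever yield the same Nova server name would silently drop one node's hostnames from every node's known_hosts. The Heat-side `SshKnownHostsConfig` just above (the `known_hosts_entry` context line) concatenates a list and would keep both. Worth a comment on the resource stating the assumption: `# Merged map of server name -> comma-separated hostnames/IPs for the tripleo-ssh-known-hosts role; assumes server names are unique across roles (map_merge keeps the last entry on collision). No key material is carried here.`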
@@ -637,6 +637,27 @@ resources: server: {get_resource: {{server_resource_name}}} deployment_actions: {get_attr: [DeploymentActions, value]} + SshKnownHostsHostnames: + type: OS::Heat::Value + properties: + value: + str_replace: + template: "PRIMARYIP,PRIMARYHOST.DOMAIN,PRIMARYHOST,\ + {%- for network in networks %} + {{network.name}}IP,{{network.name}}HOST.DOMAIN,{{network.name}}HOST,\ + {%- endfor %} + CTLPLANEIP,CTLPLANEHOST.DOMAIN,CTLPLANEHOST" + params: + PRIMARYIP: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, {{role.name}}HostnameResolveNetwork]}]} + DOMAIN: {get_param: CloudDomain} + PRIMARYHOST: {get_attr: [{{server_resource_name}}, name]} + {%- for network in networks %} + {{network.name}}IP: {get_attr: [{{network.name}}Port, ip_address]} + {{network.name}}HOST: {get_attr: [NetHostMap, value, {{network.name_lower|default(network.name.lower())}}, short]} + {%- endfor %} + CTLPLANEIP: {get_attr: [{{server_resource_name}}, networks, ctlplane, 0]} + CTLPLANEHOST: {get_attr: [NetHostMap, value, ctlplane, short]} + outputs: ip_address: description: IP address of the server in the ctlplane network 
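Review bot: The new `SshKnownHostsHostnames` value has no comment explaining what the string is for, although it is now consumed by two paths: the Heat `known_hosts_entry` output (joined with the ecdsa key in the next hunk) and the config-download `known_hosts_hostnames` output. Suggest above the resource: `# Comma-separated list of every name an SSH client may use for this server: primary-network IP/FQDN/short name, each composable network's IP/FQDN/short name, and the ctlplane IP/FQDN/short name. Shared by the known_hosts_entry and known_hosts_hostnames outputs.` The template is a double-quoted scalar with `\` continuations, so the leading indentation of the continuation lines is folded away and does not end up in the value; a one-line note saying so would stop the next reader from "fixing" the indentation and changing the output.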
@@ -688,23 +709,17 @@ outputs: known_hosts_entry: description: Entry for ssh known hosts value: - str_replace: - template: "PRIMARYIP,PRIMARYHOST.DOMAIN,PRIMARYHOST,\ - {%- for network in networks %} -{{network.name}}IP,{{network.name}}HOST.DOMAIN,{{network.name}}HOST,\ - {%- endfor %} -CTLPLANEIP,CTLPLANEHOST.DOMAIN,CTLPLANEHOST HOSTSSHPUBKEY" - params: - PRIMARYIP: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, {{role.name}}HostnameResolveNetwork]}]} - DOMAIN: {get_param: CloudDomain} - PRIMARYHOST: {get_attr: [{{server_resource_name}}, name]} - {%- for network in networks %} - {{network.name}}IP: {get_attr: [{{network.name}}Port, ip_address]} - {{network.name}}HOST: {get_attr: [NetHostMap, value, {{network.name_lower|default(network.name.lower())}}, short]} - {%- endfor %} - CTLPLANEIP: {get_attr: [{{server_resource_name}}, networks, ctlplane, 0]} - CTLPLANEHOST: {get_attr: [NetHostMap, value, ctlplane, short]} - HOSTSSHPUBKEY: {get_attr: [SshHostPubKey, ecdsa]} + list_join: + - ' ' + - - {get_attr: [SshKnownHostsHostnames, value]} + - {get_attr: [SshHostPubKey, ecdsa]} + known_hosts_hostnames: + description: Mapping of server name to hostnames portion of ssh known hosts entry + value: + map_replace: + - name: {get_attr: [SshKnownHostsHostnames, value]} + - keys: + name: {get_attr: [{{server_resource_name}}, name]} nova_server_resource: description: Heat resource handle for {{role.name}} server value: diff --git a/releasenotes/notes/tripleo-ssh-known-hosts-5c64b1a90d61d7f2.yaml b/releasenotes/notes/tripleo-ssh-known-hosts-5c64b1a90d61d7f2.yaml new file mode 100644 index 0000000000..f3ddbab92d --- /dev/null +++ b/releasenotes/notes/tripleo-ssh-known-hosts-5c64b1a90d61d7f2.yaml 
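Review bot: `known_hosts_entry` still embeds `{get_attr: [SshHostPubKey, ecdsa]}`, and the config-download environment in this patch maps `OS::TripleO::Ssh::HostPubKey` to OS::Heat::None, which as far as I recall resolves any attribute to null; under config-download this output is therefore joined with a null key (Heat's list_join either rejects a non-string item or serializes it as `null` depending on the template version — I cannot confirm which applies here) and is still concatenated into `SshKnownHostsConfig` in overcloud.j2.yaml. The deployment consuming it is disabled in that environment, so this is inert rather than a bug today, but the description should say so: `description: Entry for ssh known hosts (hostnames followed by the ecdsa host key; not meaningful when OS::TripleO::Ssh::HostPubKey is mapped to OS::Heat::None)`. The `known_hosts_hostnames` map is keyed by Nova server name, and the `map_merge` across roles in overcloud.j2.yaml relies on those names being unique; stating that in the description would make the contract explicit.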
@@ -0,0 +1,9 @@ +--- +fixes: + - Add support for the SshKnownHostsDeployment resources to config-download. + Since the deployment resources relied on Heat outputs, they were not + supported with the default handling from tripleo-common that relies on the + group_vars mechanism. The templates have been refactored to add + the known hosts entries as global_vars to deploy_steps_playbook.yaml, and + then include the new tripleo-ssh-known-hosts role from tripleo-common to + apply the same configuration that the Heat deployment did.