Use Ansible for ssh known hosts config
Migrate to using the template mode of the tripleo-ssh-known-hosts role.

Detailed Changes:

common/deploy-steps.j2:
Remove ssh_known_hosts_hostnames parameter
Remove ssh_known_hosts variable in config-download output
Set tripleo_ssh_known_hosts_use_template var to true when including the
tripleo-ssh-known-hosts role to activate template mode.

extraconfig/tasks/ssh/host_public_key.yaml:
Template removed as it was deprecated and is no longer used.

extraconfig/tasks/ssh/known_hosts_config.yaml:
Template removed as it was deprecated and is no longer used.

overcloud-resource-registry-puppet.j2.yaml:
Mappings for Ssh known hosts resources removed

overcloud.j2.yaml:
Resources removed: SshKnownHostsConfig, SshKnownHostsHostnames,
{{role.name}}SshKnownHostsDeployment
Removed passing in ssh_known_hosts_hostnames parameter to
common/deploy-steps.j2

puppet/role.role.j2.yaml:
Removed SshHostPubKey and SshKnownHostsHostnames resources
Removed known_hosts_entry and known_hosts_hostnames stack outputs
Add role_networks to set Ansible group vars which is a list of enabled
networks for the role

Change-Id: I10d0de42acc0b88b7947b464e976b5d0b9067ca2
This commit is contained in:
parent
39861c6eca
commit
2f6f519149
@ -88,9 +88,6 @@ parameters:
|
||||
type: comma_delimited_list
|
||||
default: ['ocata', 'pike', 'queens']
|
||||
description: List of releases to fast forward through during upgrade. Last release in list is used for post steps.
|
||||
ssh_known_hosts_hostnames:
|
||||
description: Mapping of hostname to ssh known hosts entry
|
||||
type: json
|
||||
ContainerLogStdoutPath:
|
||||
type: string
|
||||
description: Absolute path for container stdout output (Podman only)
|
||||
@ -328,7 +325,6 @@ outputs:
|
||||
value:
|
||||
global_vars:
|
||||
deploy_steps_max: {{deploy_steps_max}}
|
||||
ssh_known_hosts: {get_param: ssh_known_hosts_hostnames}
|
||||
service_net_map: {get_param: ServiceNetMapLower}
|
||||
validate_controllers_icmp: {get_param: ValidateControllersIcmp}
|
||||
validate_gateways_icmp: {get_param: ValidateGatewaysIcmp}
|
||||
@ -457,6 +453,8 @@ outputs:
|
||||
name: Common roles for TripleO servers
|
||||
gather_facts: {{ '"{{' }} gather_facts | default(false) {{ '}}"' }}
|
||||
any_errors_fatal: yes
|
||||
vars:
|
||||
tripleo_ssh_known_hosts_use_template: true
|
||||
roles:
|
||||
- tripleo-bootstrap
|
||||
- tripleo-ssh-known-hosts
|
||||
|
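Review bot: The new play-level `vars:` block hard-sets `tripleo_ssh_known_hosts_use_template: true`, which outranks inventory and group vars in Ansible precedence, so the only way to turn template mode off is `-e` on the command line; if that is intended it should be stated, because the Heat-provided `ssh_known_hosts` global var the old mode consumed is removed in this same file and there is no fallback left. Template mode presumably assembles each node's `/etc/ssh/ssh_known_hosts` from the other hosts' hostvars or gathered facts, yet this play keeps `gather_facts` defaulting to false, so confirm the role gathers what it needs itself or the generated file may come out incomplete. I would add a comment above `vars:`: `# Template mode: the role renders ssh_known_hosts from host data itself;` `# the Heat-generated ssh_known_hosts global var no longer exists.`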
@ -1,56 +0,0 @@
|
||||
# DEPRECATED: The following template is deprecated in Queens in favor of the
|
||||
# tripleo-ssh-known-hosts from tripleo-common. This template does not work with
|
||||
# config-download and will be removed from tripleo-heat-templates in the Stein
|
||||
# release.
|
||||
|
||||
heat_template_version: rocky
|
||||
|
||||
description: >
|
||||
This is a template which will fetch the ssh host public key.
|
||||
|
||||
parameters:
|
||||
server:
|
||||
description: ID of the node to apply this config to
|
||||
type: string
|
||||
deployment_actions:
|
||||
default: ['CREATE', 'UPDATE']
|
||||
type: comma_delimited_list
|
||||
description: >
|
||||
List of stack actions that will trigger any deployments in this
|
||||
templates. The actions will be an empty list of the server is in the
|
||||
toplevel DeploymentServerBlacklist parameter's value.
|
||||
|
||||
resources:
|
||||
SshHostPubKeyConfig:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
properties:
|
||||
group: script
|
||||
outputs:
|
||||
- name: rsa
|
||||
- name: ecdsa
|
||||
- name: ed25519
|
||||
config: |
|
||||
#!/bin/sh -x
|
||||
test -e '/etc/ssh/ssh_host_rsa_key.pub' && cat /etc/ssh/ssh_host_rsa_key.pub > $heat_outputs_path.rsa
|
||||
test -e '/etc/ssh/ssh_host_ecdsa_key.pub' && cat /etc/ssh/ssh_host_ecdsa_key.pub > $heat_outputs_path.ecdsa
|
||||
test -e '/etc/ssh/ssh_host_ed25519_key.pub' && cat /etc/ssh/ssh_host_ed25519_key.pub > $heat_outputs_path.ed25519
|
||||
|
||||
SshHostPubKeyDeployment:
|
||||
type: OS::Heat::SoftwareDeployment
|
||||
properties:
|
||||
config: {get_resource: SshHostPubKeyConfig}
|
||||
server: {get_param: server}
|
||||
actions: {get_param: deployment_actions}
|
||||
name: SshHostPubKeyDeployment
|
||||
|
||||
|
||||
outputs:
|
||||
ecdsa:
|
||||
description: Host ssh public key (ecdsa)
|
||||
value: {get_attr: [SshHostPubKeyDeployment, ecdsa]}
|
||||
rsa:
|
||||
description: Host ssh public key (rsa)
|
||||
value: {get_attr: [SshHostPubKeyDeployment, rsa]}
|
||||
ed25519:
|
||||
description: Host ssh public key (ed25519)
|
||||
value: {get_attr: [SshHostPubKeyDeployment, ed25519]}
|
@ -1,42 +0,0 @@
|
||||
heat_template_version: rocky
|
||||
description: 'SSH Known Hosts Config'
|
||||
|
||||
parameters:
|
||||
known_hosts:
|
||||
type: string
|
||||
|
||||
resources:
|
||||
|
||||
SSHKnownHostsConfig:
|
||||
type: OS::Heat::SoftwareConfig
|
||||
properties:
|
||||
group: script
|
||||
config:
|
||||
str_replace:
|
||||
params:
|
||||
KNOWN_HOSTS: {get_param: known_hosts}
|
||||
template: |
|
||||
#!/bin/bash
|
||||
set -eux
|
||||
set -o pipefail
|
||||
|
||||
echo "Creating ssh known hosts file"
|
||||
|
||||
if [ -d /etc/ssh/ssh_known_hosts ]; then
|
||||
rm -rf /etc/ssh/ssh_known_hosts
|
||||
fi
|
||||
cat <<EOF | grep -v '^$' >/etc/ssh/ssh_known_hosts
|
||||
KNOWN_HOSTS
|
||||
EOF
|
||||
if [ ! -s /etc/ssh/ssh_known_hosts ]; then
|
||||
echo "No known hosts"
|
||||
rm -f /etc/ssh/ssh_known_hosts
|
||||
else
|
||||
echo "$(cat /etc/ssh/ssh_known_hosts | wc -l) known hosts"
|
||||
chmod 0644 /etc/ssh/ssh_known_hosts
|
||||
fi
|
||||
|
||||
outputs:
|
||||
OS::stack_id:
|
||||
description: The SSHKnownHostsConfig resource.
|
||||
value: {get_resource: SSHKnownHostsConfig}
|
@ -6,9 +6,6 @@ resource_registry:
|
||||
OS::TripleO::PostDeploySteps: common/post.yaml
|
||||
OS::TripleO::AllNodesDeployment: OS::Heat::None
|
||||
OS::TripleO::Hosts::SoftwareConfig: hosts-config.yaml
|
||||
OS::TripleO::Ssh::HostPubKey: OS::Heat::None
|
||||
OS::TripleO::Ssh::KnownHostsConfig: extraconfig/tasks/ssh/known_hosts_config.yaml
|
||||
OS::TripleO::Ssh::KnownHostsDeployment: OS::Heat::None
|
||||
OS::TripleO::DefaultPasswords: default_passwords.yaml
|
||||
OS::TripleO::RandomString: OS::Heat::RandomString
|
||||
|
||||
|
@ -442,26 +442,6 @@ resources:
|
||||
- NovaVNCProxyCellPublic: {get_attr: [EndpointMap, endpoint_map, NovaVNCProxyPublic]}
|
||||
- {}
|
||||
|
||||
SshKnownHostsConfig:
|
||||
type: OS::TripleO::Ssh::KnownHostsConfig
|
||||
properties:
|
||||
known_hosts:
|
||||
list_join:
|
||||
- ''
|
||||
{% for role in roles %}
|
||||
- {get_attr: [{{role.name}}, known_hosts_entry]}
|
||||
{% endfor %}
|
||||
|
||||
SshKnownHostsHostnames:
|
||||
type: OS::Heat::Value
|
||||
properties:
|
||||
value:
|
||||
map_merge:
|
||||
list_concat:
|
||||
{% for role in roles %}
|
||||
- {get_attr: [{{role.name}}, known_hosts_hostnames]}
|
||||
{% endfor %}
|
||||
|
||||
# Creates the "heat-admin" user if configured via the environment
|
||||
# Should return a OS::Heat::MultipartMime reference via OS::stack_id
|
||||
NodeAdminUserData:
|
||||
@ -570,13 +550,6 @@ resources:
|
||||
- keystone_admin_api
|
||||
- keystone_public_api
|
||||
|
||||
{{role.name}}SshKnownHostsDeployment:
|
||||
type: OS::TripleO::Ssh::KnownHostsDeployment
|
||||
properties:
|
||||
name: {{role.name}}SshKnownHostsDeployment
|
||||
config: {get_resource: SshKnownHostsConfig}
|
||||
servers: {get_attr: [{{role.name}}Servers, value]}
|
||||
|
||||
{{role.name}}IpListMap:
|
||||
type: OS::TripleO::Network::Ports::NetIpListMap
|
||||
properties:
|
||||
@ -1014,7 +987,6 @@ resources:
|
||||
- {get_attr: [{{role.name}}ServiceChainRoleData, value]}
|
||||
- {get_attr: [{{role.name}}MergedConfigSettings, value]}
|
||||
{%- endfor %}
|
||||
ssh_known_hosts_hostnames: {get_attr: [SshKnownHostsHostnames, value]}
|
||||
{%- for role in roles %}
|
||||
{{role.name}}Count: {get_param: {{role.name}}Count}
|
||||
{{role.name}}DeploymentHieradata:
|
||||
|
@ -697,38 +697,6 @@ resources:
|
||||
- ['CREATE', 'UPDATE']
|
||||
- []
|
||||
|
||||
SshHostPubKey:
|
||||
type: OS::TripleO::Ssh::HostPubKey
|
||||
properties:
|
||||
server: {get_resource: {{server_resource_name}}}
|
||||
deployment_actions: {get_attr: [DeploymentActions, value]}
|
||||
|
||||
SshKnownHostsHostnames:
|
||||
type: OS::Heat::Value
|
||||
properties:
|
||||
value:
|
||||
str_replace:
|
||||
template: "[PRIMARYIP]*,[PRIMARYHOST.DOMAIN]*,[PRIMARYHOST]*,\
|
||||
{%- for network in networks %}
|
||||
{%- if network.enabled|default(true) and network.name in role.networks|default([]) %}
|
||||
[{{network.name}}IP]*,[{{network.name}}HOST.DOMAIN]*,\
|
||||
[{{network.name}}HOST]*,\
|
||||
{%- endif %}
|
||||
{%- endfor %}
|
||||
[CTLPLANEIP]*,[CTLPLANEHOST.DOMAIN]*,[CTLPLANEHOST]*"
|
||||
params:
|
||||
PRIMARYIP: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, {{role.name}}HostnameResolveNetwork]}]}
|
||||
DOMAIN: {get_param: CloudDomain}
|
||||
PRIMARYHOST: {get_attr: [{{server_resource_name}}, name]}
|
||||
{%- for network in networks %}
|
||||
{%- if network.enabled|default(true) and network.name in role.networks|default([]) %}
|
||||
{{network.name}}IP: {get_attr: [{{network.name}}Port, ip_address]}
|
||||
{{network.name}}HOST: {get_attr: [NetHostMap, value, {{network.name_lower|default(network.name.lower())}}, short]}
|
||||
{%- endif %}
|
||||
{%- endfor %}
|
||||
CTLPLANEIP: {get_attr: [{{server_resource_name}}, networks, ctlplane, 0]}
|
||||
CTLPLANEHOST: {get_attr: [NetHostMap, value, ctlplane, short]}
|
||||
|
||||
{{server_resource_name}}AnsibleHostVars:
|
||||
type: OS::Heat::Value
|
||||
properties:
|
||||
@ -817,20 +785,6 @@ outputs:
|
||||
{%- endfor %}
|
||||
CTLPLANEIP: {get_attr: [{{server_resource_name}}, networks, ctlplane, 0]}
|
||||
CTLPLANEHOST: {get_attr: [NetHostMap, value, ctlplane, short]}
|
||||
known_hosts_entry:
|
||||
description: Entry for ssh known hosts
|
||||
value:
|
||||
list_join:
|
||||
- ' '
|
||||
- - {get_attr: [SshKnownHostsHostnames, value]}
|
||||
- {get_attr: [SshHostPubKey, ecdsa]}
|
||||
known_hosts_hostnames:
|
||||
description: Mapping of server name to hostnames portion of ssh known hosts entry
|
||||
value:
|
||||
map_replace:
|
||||
- name: {get_attr: [SshKnownHostsHostnames, value]}
|
||||
- keys:
|
||||
name: {get_attr: [{{server_resource_name}}, name]}
|
||||
nova_server_resource:
|
||||
description: Heat resource handle for {{role.name}} server
|
||||
value:
|
||||
@ -869,6 +823,12 @@ outputs:
|
||||
neutron_physical_bridge_name: {get_param: NeutronPhysicalBridge}
|
||||
neutron_public_interface_name: {get_param: NeutronPublicInterface}
|
||||
network_deployment_actions: {get_attr: [NetworkDeploymentActionsValue, value]}
|
||||
role_networks:
|
||||
{%- for network in networks %}
|
||||
{%- if network.enabled|default(true) and network.name in role.networks|default([]) %}
|
||||
- {{network.name}}
|
||||
{%- endif %}
|
||||
{%- endfor %}
|
||||
{%- for network in networks %}
|
||||
{%- if network.enabled|default(true) and network.name in role.networks|default([]) %}
|
||||
{{network.name}}_cidr:
|
||||
|
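Review bot: `role_networks:` is rendered with no list items when a role has no enabled network in `role.networks`, and a bare `key:` in YAML parses as null rather than an empty list, so any consumer that loops over this group var would get None instead of `[]`. The removed `SshKnownHostsHostnames` value always carried the ctlplane and primary-network patterns outside the loop, so the empty case never surfaced before; it can now, and note that ctlplane is still not part of `role_networks`, so the role must add it itself. If the Jinja in use has the `in` test, one way to always emit a real list is `role_networks: {{ networks | rejectattr('enabled', 'sameas', false) | selectattr('name', 'in', role.networks|default([])) | map(attribute='name') | list }}` (equivalent to the existing filter for plain true/false values); otherwise emit `[]` explicitly when nothing matched. The `outputs:` entry this hunk sits in starts and ends outside the hunk.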