openstack/tripleo-heat-templates
Code Issues Proposed changes

Use Ansible for ssh known hosts config

Browse Source 
Migrate to using the template mode of the tripleo-ssh-known-hosts role.

Detailed Changes:
common/deploy-steps.j2:
  Remove ssh_known_hosts_hostnames parameter
  Remove ssh_known_hosts variable in config-download output
  Set tripleo_ssh_known_hosts_use_template var to true when including
    the tripleo-ssh-known-hosts role to activate template mode.
extraconfig/tasks/ssh/host_public_key.yaml:
  Template removed as it was deprecated and is no longer used.
extraconfig/tasks/ssh/known_hosts_config.yaml:
  Template removed as it was deprecated and is no longer used.
overcloud-resource-registry-puppet.j2.yaml:
  Mappings for Ssh known hosts resources removed
overcloud.j2.yaml:
  Resources removed: SshKnownHostsConfig, SshKnownHostsHostnames,
    {{role.name}}SshKnownHostsDeployment
  Removed passing in ssh_known_hosts_hostnames parameter to
    common/deploy-steps.j2
puppet/role.role.j2.yaml:
  Removed SshHostPubKey and SshKnownHostsHostnames resources
  Removed known_hosts_entry and known_hosts_hostnames stack outputs
  Add role_networks to set Ansible group vars which is a list of enabled
    networks for the role

Change-Id: I10d0de42acc0b88b7947b464e976b5d0b9067ca2
This commit is contained in:
James Slagle 2019-07-09 21:42:30 -04:00 committed by Emilien Macchi
parent 39861c6eca
commit 2f6f519149
6 changed files with 8 additions and 179 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
common/deploy-steps.j2
View File

@ -88,9 +88,6 @@ parameters:
type: comma_delimited_list
default: ['ocata', 'pike', 'queens']
description: List of releases to fast forward through during upgrade. Last release in list is used for post steps.
ssh_known_hosts_hostnames:
description: Mapping of hostname to ssh known hosts entry
type: json
ContainerLogStdoutPath:
type: string
description: Absolute path for container stdout output (Podman only)
@ -328,7 +325,6 @@ outputs:
value:
global_vars:
deploy_steps_max: {{deploy_steps_max}}
ssh_known_hosts: {get_param: ssh_known_hosts_hostnames}
service_net_map: {get_param: ServiceNetMapLower}
validate_controllers_icmp: {get_param: ValidateControllersIcmp}
validate_gateways_icmp: {get_param: ValidateGatewaysIcmp}
@ -457,6 +453,8 @@ outputs:
name: Common roles for TripleO servers
gather_facts: {{ '"{{' }} gather_facts | default(false) {{ '}}"' }}
any_errors_fatal: yes
vars:
tripleo_ssh_known_hosts_use_template: true
roles:
- tripleo-bootstrap
- tripleo-ssh-known-hosts

56
extraconfig/tasks/ssh/host_public_key.yaml
View File

@ -1,56 +0,0 @@
# DEPRECATED: The following template is deprecated in Queens in favor of the
# tripleo-ssh-known-hosts from tripleo-common. This template does not work with
# config-download and will be removed from tripleo-heat-templates in the Stein
# release.
heat_template_version: rocky
description: >
This is a template which will fetch the ssh host public key.
parameters:
server:
description: ID of the node to apply this config to
type: string
deployment_actions:
default: ['CREATE', 'UPDATE']
type: comma_delimited_list
description: >
List of stack actions that will trigger any deployments in this
templates. The actions will be an empty list of the server is in the
toplevel DeploymentServerBlacklist parameter's value.
resources:
SshHostPubKeyConfig:
type: OS::Heat::SoftwareConfig
properties:
group: script
outputs:
- name: rsa
- name: ecdsa
- name: ed25519
config: |
#!/bin/sh -x
test -e '/etc/ssh/ssh_host_rsa_key.pub' && cat /etc/ssh/ssh_host_rsa_key.pub > $heat_outputs_path.rsa
test -e '/etc/ssh/ssh_host_ecdsa_key.pub' && cat /etc/ssh/ssh_host_ecdsa_key.pub > $heat_outputs_path.ecdsa
test -e '/etc/ssh/ssh_host_ed25519_key.pub' && cat /etc/ssh/ssh_host_ed25519_key.pub > $heat_outputs_path.ed25519
SshHostPubKeyDeployment:
type: OS::Heat::SoftwareDeployment
properties:
config: {get_resource: SshHostPubKeyConfig}
server: {get_param: server}
actions: {get_param: deployment_actions}
name: SshHostPubKeyDeployment
outputs:
ecdsa:
description: Host ssh public key (ecdsa)
value: {get_attr: [SshHostPubKeyDeployment, ecdsa]}
rsa:
description: Host ssh public key (rsa)
value: {get_attr: [SshHostPubKeyDeployment, rsa]}
ed25519:
description: Host ssh public key (ed25519)
value: {get_attr: [SshHostPubKeyDeployment, ed25519]}

42
extraconfig/tasks/ssh/known_hosts_config.yaml
View File

@ -1,42 +0,0 @@
heat_template_version: rocky
description: 'SSH Known Hosts Config'
parameters:
known_hosts:
type: string
resources:
SSHKnownHostsConfig:
type: OS::Heat::SoftwareConfig
properties:
group: script
config:
str_replace:
params:
KNOWN_HOSTS: {get_param: known_hosts}
template: |
#!/bin/bash
set -eux
set -o pipefail
echo "Creating ssh known hosts file"
if [ -d /etc/ssh/ssh_known_hosts ]; then
rm -rf /etc/ssh/ssh_known_hosts
fi
cat <<EOF | grep -v '^$' >/etc/ssh/ssh_known_hosts
KNOWN_HOSTS
EOF
if [ ! -s /etc/ssh/ssh_known_hosts ]; then
echo "No known hosts"
rm -f /etc/ssh/ssh_known_hosts
else
echo "$(cat /etc/ssh/ssh_known_hosts | wc -l) known hosts"
chmod 0644 /etc/ssh/ssh_known_hosts
fi
outputs:
OS::stack_id:
description: The SSHKnownHostsConfig resource.
value: {get_resource: SSHKnownHostsConfig}

3
overcloud-resource-registry-puppet.j2.yaml
View File

@ -6,9 +6,6 @@ resource_registry:
OS::TripleO::PostDeploySteps: common/post.yaml
OS::TripleO::AllNodesDeployment: OS::Heat::None
OS::TripleO::Hosts::SoftwareConfig: hosts-config.yaml
OS::TripleO::Ssh::HostPubKey: OS::Heat::None
OS::TripleO::Ssh::KnownHostsConfig: extraconfig/tasks/ssh/known_hosts_config.yaml
OS::TripleO::Ssh::KnownHostsDeployment: OS::Heat::None
OS::TripleO::DefaultPasswords: default_passwords.yaml
OS::TripleO::RandomString: OS::Heat::RandomString

28
overcloud.j2.yaml
View File

@ -442,26 +442,6 @@ resources:
- NovaVNCProxyCellPublic: {get_attr: [EndpointMap, endpoint_map, NovaVNCProxyPublic]}
- {}
SshKnownHostsConfig:
type: OS::TripleO::Ssh::KnownHostsConfig
properties:
known_hosts:
list_join:
- ''
{% for role in roles %}
- {get_attr: [{{role.name}}, known_hosts_entry]}
{% endfor %}
SshKnownHostsHostnames:
type: OS::Heat::Value
properties:
value:
map_merge:
list_concat:
{% for role in roles %}
- {get_attr: [{{role.name}}, known_hosts_hostnames]}
{% endfor %}
# Creates the "heat-admin" user if configured via the environment
# Should return a OS::Heat::MultipartMime reference via OS::stack_id
NodeAdminUserData:
@ -570,13 +550,6 @@ resources:
- keystone_admin_api
- keystone_public_api
{{role.name}}SshKnownHostsDeployment:
type: OS::TripleO::Ssh::KnownHostsDeployment
properties:
name: {{role.name}}SshKnownHostsDeployment
config: {get_resource: SshKnownHostsConfig}
servers: {get_attr: [{{role.name}}Servers, value]}
{{role.name}}IpListMap:
type: OS::TripleO::Network::Ports::NetIpListMap
properties:
@ -1014,7 +987,6 @@ resources:
- {get_attr: [{{role.name}}ServiceChainRoleData, value]}
- {get_attr: [{{role.name}}MergedConfigSettings, value]}
{%- endfor %}
ssh_known_hosts_hostnames: {get_attr: [SshKnownHostsHostnames, value]}
{%- for role in roles %}
{{role.name}}Count: {get_param: {{role.name}}Count}
{{role.name}}DeploymentHieradata:

52
puppet/role.role.j2.yaml
View File

@ -697,38 +697,6 @@ resources:
- ['CREATE', 'UPDATE']
- []
SshHostPubKey:
type: OS::TripleO::Ssh::HostPubKey
properties:
server: {get_resource: {{server_resource_name}}}
deployment_actions: {get_attr: [DeploymentActions, value]}
SshKnownHostsHostnames:
type: OS::Heat::Value
properties:
value:
str_replace:
template: "[PRIMARYIP]*,[PRIMARYHOST.DOMAIN]*,[PRIMARYHOST]*,\
{%- for network in networks %}
{%- if network.enabled|default(true) and network.name in role.networks|default([]) %}
[{{network.name}}IP]*,[{{network.name}}HOST.DOMAIN]*,\
[{{network.name}}HOST]*,\
{%- endif %}
{%- endfor %}
[CTLPLANEIP]*,[CTLPLANEHOST.DOMAIN]*,[CTLPLANEHOST]*"
params:
PRIMARYIP: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, {{role.name}}HostnameResolveNetwork]}]}
DOMAIN: {get_param: CloudDomain}
PRIMARYHOST: {get_attr: [{{server_resource_name}}, name]}
{%- for network in networks %}
{%- if network.enabled|default(true) and network.name in role.networks|default([]) %}
{{network.name}}IP: {get_attr: [{{network.name}}Port, ip_address]}
{{network.name}}HOST: {get_attr: [NetHostMap, value, {{network.name_lower|default(network.name.lower())}}, short]}
{%- endif %}
{%- endfor %}
CTLPLANEIP: {get_attr: [{{server_resource_name}}, networks, ctlplane, 0]}
CTLPLANEHOST: {get_attr: [NetHostMap, value, ctlplane, short]}
{{server_resource_name}}AnsibleHostVars:
type: OS::Heat::Value
properties:
@ -817,20 +785,6 @@ outputs:
{%- endfor %}
CTLPLANEIP: {get_attr: [{{server_resource_name}}, networks, ctlplane, 0]}
CTLPLANEHOST: {get_attr: [NetHostMap, value, ctlplane, short]}
known_hosts_entry:
description: Entry for ssh known hosts
value:
list_join:
- ' '
- - {get_attr: [SshKnownHostsHostnames, value]}
- {get_attr: [SshHostPubKey, ecdsa]}
known_hosts_hostnames:
description: Mapping of server name to hostnames portion of ssh known hosts entry
value:
map_replace:
- name: {get_attr: [SshKnownHostsHostnames, value]}
- keys:
name: {get_attr: [{{server_resource_name}}, name]}
nova_server_resource:
description: Heat resource handle for {{role.name}} server
value:
@ -869,6 +823,12 @@ outputs:
neutron_physical_bridge_name: {get_param: NeutronPhysicalBridge}
neutron_public_interface_name: {get_param: NeutronPublicInterface}
network_deployment_actions: {get_attr: [NetworkDeploymentActionsValue, value]}
role_networks:
{%- for network in networks %}
{%- if network.enabled|default(true) and network.name in role.networks|default([]) %}
- {{network.name}}
{%- endif %}
{%- endfor %}
{%- for network in networks %}
{%- if network.enabled|default(true) and network.name in role.networks|default([]) %}
{{network.name}}_cidr: