Support SshKnownHostsDeployment with config-download

Add support for the SshKnownHostsDeployment resources to
config-download. Since the deployment resources relied on Heat outputs,
they were not supported with the default handling from tripleo-common
that relies on the group_vars mechanism.

Instead, this patch refactors the templates to add the known hosts
entries as global_vars to deploy_steps_playbook.yaml, and then includes
the new tripleo-ssh-known-hosts role from tripleo-common to apply the
same configuration that the Heat deployment did.

Since these deployments no longer need to be triggered when including
config-download-environment.yaml, a mapping is added that can be
overridden to OS::Heat::None to disable the deployment resources when
using config-download.

The default behavior when not using config-download remains unchanged.

Closes-Bug: #1746336
Change-Id: Ia334fe6adc9a8ab228f75cb1d0c441c1344e2bd9
(cherry picked from commit 088d5c12f0)
James Slagle 2018-01-12 15:52:26 -05:00
parent 47cf9f453a
commit 54010e2358
8 changed files with 64 additions and 38 deletions


@ -79,6 +79,9 @@ parameters:
type: comma_delimited_list type: comma_delimited_list
default: ['ocata', 'pike', 'queens'] default: ['ocata', 'pike', 'queens']
description: List of releases to fast forward through during upgrade. Last release in list is used for post steps. description: List of releases to fast forward through during upgrade. Last release in list is used for post steps.
ssh_known_hosts_hostnames:
description: Mapping of hostname to ssh known hosts entry
type: json
conditions: conditions:
{% for step in range(1, deploy_steps_max) %} {% for step in range(1, deploy_steps_max) %}
@ -375,6 +378,7 @@ outputs:
value: value:
global_vars: global_vars:
deploy_steps_max: {{deploy_steps_max}} deploy_steps_max: {{deploy_steps_max}}
ssh_known_hosts: {get_param: ssh_known_hosts_hostnames}
common_deploy_steps_tasks: {get_file: deploy-steps-tasks.yaml} common_deploy_steps_tasks: {get_file: deploy-steps-tasks.yaml}
docker_puppet_script: {get_file: ../docker/docker-puppet.py} docker_puppet_script: {get_file: ../docker/docker-puppet.py}
deploy_steps_playbook: deploy_steps_playbook:
@ -401,13 +405,14 @@ outputs:
tags: tags:
- always - always
- hosts: overcloud - hosts: overcloud
name: Bootstrap TripleO servers name: Common roles for TripleO servers
gather_facts: no gather_facts: no
any_errors_fatal: yes any_errors_fatal: yes
roles: roles:
- tripleo-bootstrap - tripleo-bootstrap
- tripleo-ssh-known-hosts
tags: tags:
- bootstrap - common_roles
- hosts: overcloud - hosts: overcloud
name: Server deployments name: Server deployments
gather_facts: no gather_facts: no
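Review bot: The tag list at the end of the third hunk replaces `bootstrap` with `common_roles`, so an existing `ansible-playbook --tags bootstrap` run of deploy_steps_playbook.yaml would now skip this play entirely; listing both, `- bootstrap` and `- common_roles`, keeps the old selector working while the play takes on more roles. In the first hunk the description of `ssh_known_hosts_hostnames` says "Mapping of hostname to ssh known hosts entry", but the value wired in from the overcloud template's `SshKnownHostsHostnames` resource is a per-server map of the hostnames portion only, with no host key; `description: Mapping of server name to the hostnames portion of its ssh known hosts entry` would match the producing output. Because the config-download environment also maps `OS::TripleO::Ssh::HostPubKey` to `OS::Heat::None`, the `ssh_known_hosts` global var added in the second hunk presumably carries no host public key, and how the tripleo-ssh-known-hosts role obtains one (from the host itself or by scanning it over the network) is not visible here yet decides what the resulting known_hosts file actually attests; a comment on the global_vars line naming that source would help the reader.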


@ -71,15 +71,6 @@ outputs:
show: show:
value: '' value: ''
ecdsa:
description: Host ssh public key (ecdsa)
value: 'ecdsa'
rsa:
description: Host ssh public key (rsa)
value: 'rsa'
ed25519:
description: Host ssh public key (ed25519)
value: 'ed25519'
update_managed_packages: update_managed_packages:
description: boolean value indicating whether to upgrade managed packages description: boolean value indicating whether to upgrade managed packages
value: false value: false


@ -71,15 +71,6 @@ outputs:
show: show:
value: '' value: ''
ecdsa:
description: Host ssh public key (ecdsa)
value: 'ecdsa'
rsa:
description: Host ssh public key (rsa)
value: 'rsa'
ed25519:
description: Host ssh public key (ed25519)
value: 'ed25519'
update_managed_packages: update_managed_packages:
description: boolean value indicating whether to upgrade managed packages description: boolean value indicating whether to upgrade managed packages
value: false value: false


@ -6,3 +6,6 @@ resource_registry:
OS::Heat::StructuredDeployment: ../config-download-structured.yaml OS::Heat::StructuredDeployment: ../config-download-structured.yaml
OS::TripleO::DeploymentSteps: OS::Heat::None OS::TripleO::DeploymentSteps: OS::Heat::None
OS::TripleO::Ssh::KnownHostsDeployment: OS::Heat::None
OS::TripleO::Ssh::HostPubKey: OS::Heat::None
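Review bot: The two new registry entries change what the known_hosts data means under config-download without saying so: with `OS::TripleO::Ssh::HostPubKey` mapped to `OS::Heat::None`, the `known_hosts_entry` output in the role template presumably joins the hostnames with an attribute of a no-op resource, and the key half of each entry has to come from the tripleo-ssh-known-hosts role instead. A comment above the pair would make that explicit: `# Under config-download the known_hosts file is written by the tripleo-ssh-known-hosts role from the ssh_known_hosts global var; the Heat-side deployment and host key lookup are disabled here`. Since the commit message presents these mappings as overridable, it is worth stating in the same comment that the Heat-side entry depends on both resources, so re-enabling `KnownHostsDeployment` alone is not sufficient.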


@ -7,6 +7,7 @@ resource_registry:
OS::TripleO::Hosts::SoftwareConfig: hosts-config.yaml OS::TripleO::Hosts::SoftwareConfig: hosts-config.yaml
OS::TripleO::Ssh::HostPubKey: extraconfig/tasks/ssh/host_public_key.yaml OS::TripleO::Ssh::HostPubKey: extraconfig/tasks/ssh/host_public_key.yaml
OS::TripleO::Ssh::KnownHostsConfig: extraconfig/tasks/ssh/known_hosts_config.yaml OS::TripleO::Ssh::KnownHostsConfig: extraconfig/tasks/ssh/known_hosts_config.yaml
OS::TripleO::Ssh::KnownHostsDeployment: OS::Heat::StructuredDeployments
OS::TripleO::DefaultPasswords: default_passwords.yaml OS::TripleO::DefaultPasswords: default_passwords.yaml
OS::TripleO::RandomString: OS::Heat::RandomString OS::TripleO::RandomString: OS::Heat::RandomString


@ -377,6 +377,16 @@ resources:
- {get_attr: [{{role.name}}, known_hosts_entry]} - {get_attr: [{{role.name}}, known_hosts_entry]}
{% endfor %} {% endfor %}
SshKnownHostsHostnames:
type: OS::Heat::Value
properties:
value:
map_merge:
list_concat:
{% for role in roles %}
- {get_attr: [{{role.name}}, known_hosts_hostnames]}
{% endfor %}
# Jinja loop for Role in roles_data.yaml # Jinja loop for Role in roles_data.yaml
{% for role in roles %} {% for role in roles %}
# Resources generated for {{role.name}} Role # Resources generated for {{role.name}} Role
@ -467,7 +477,7 @@ resources:
servers: {get_attr: [{{role.name}}Servers, value]} servers: {get_attr: [{{role.name}}Servers, value]}
{{role.name}}SshKnownHostsDeployment: {{role.name}}SshKnownHostsDeployment:
type: OS::Heat::StructuredDeployments type: OS::TripleO::Ssh::KnownHostsDeployment
properties: properties:
name: {{role.name}}SshKnownHostsDeployment name: {{role.name}}SshKnownHostsDeployment
config: {get_resource: SshKnownHostsConfig} config: {get_resource: SshKnownHostsConfig}
@ -920,6 +930,7 @@ resources:
{% endfor %} {% endfor %}
blacklisted_ip_addresses: {get_attr: [BlacklistedIpAddresses, value]} blacklisted_ip_addresses: {get_attr: [BlacklistedIpAddresses, value]}
blacklisted_hostnames: {get_attr: [BlacklistedHostnames, value]} blacklisted_hostnames: {get_attr: [BlacklistedHostnames, value]}
ssh_known_hosts_hostnames: {get_attr: [SshKnownHostsHostnames, value]}
ServerOsCollectConfigData: ServerOsCollectConfigData:
type: OS::Heat::Value type: OS::Heat::Value
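Review bot: The new `SshKnownHostsHostnames` resource in the first hunk carries no comment, and its purpose only becomes clear from the consumer much further down (`ssh_known_hosts_hostnames` in the third hunk, whose enclosing resource starts outside the hunk). A comment above it such as `# Map of server name -> comma-separated hostnames/IPs for its ssh known_hosts entry, merged across all roles and passed to deploy-steps as ssh_known_hosts_hostnames` would tie the two together. `map_merge` lets later entries win on duplicate keys, so the merged map silently relies on server names being unique across roles; if that assumption is intended, it belongs in the same comment.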


@ -658,6 +658,27 @@ resources:
server: {get_resource: {{server_resource_name}}} server: {get_resource: {{server_resource_name}}}
deployment_actions: {get_attr: [DeploymentActions, value]} deployment_actions: {get_attr: [DeploymentActions, value]}
SshKnownHostsHostnames:
type: OS::Heat::Value
properties:
value:
str_replace:
template: "PRIMARYIP,PRIMARYHOST.DOMAIN,PRIMARYHOST,\
{%- for network in networks %}
{{network.name}}IP,{{network.name}}HOST.DOMAIN,{{network.name}}HOST,\
{%- endfor %}
CTLPLANEIP,CTLPLANEHOST.DOMAIN,CTLPLANEHOST"
params:
PRIMARYIP: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, {{role.name}}HostnameResolveNetwork]}]}
DOMAIN: {get_param: CloudDomain}
PRIMARYHOST: {get_attr: [{{server_resource_name}}, name]}
{%- for network in networks %}
{{network.name}}IP: {get_attr: [{{network.name}}Port, ip_address]}
{{network.name}}HOST: {get_attr: [NetHostMap, value, {{network.name_lower|default(network.name.lower())}}, short]}
{%- endfor %}
CTLPLANEIP: {get_attr: [{{server_resource_name}}, networks, ctlplane, 0]}
CTLPLANEHOST: {get_attr: [NetHostMap, value, ctlplane, short]}
outputs: outputs:
ip_address: ip_address:
description: IP address of the server in the ctlplane network description: IP address of the server in the ctlplane network
@ -709,23 +730,17 @@ outputs:
known_hosts_entry: known_hosts_entry:
description: Entry for ssh known hosts description: Entry for ssh known hosts
value: value:
str_replace: list_join:
template: "PRIMARYIP,PRIMARYHOST.DOMAIN,PRIMARYHOST,\ - ' '
{%- for network in networks %} - - {get_attr: [SshKnownHostsHostnames, value]}
{{network.name}}IP,{{network.name}}HOST.DOMAIN,{{network.name}}HOST,\ - {get_attr: [SshHostPubKey, ecdsa]}
{%- endfor %} known_hosts_hostnames:
CTLPLANEIP,CTLPLANEHOST.DOMAIN,CTLPLANEHOST HOSTSSHPUBKEY" description: Mapping of server name to hostnames portion of ssh known hosts entry
params: value:
PRIMARYIP: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, {{role.name}}HostnameResolveNetwork]}]} map_replace:
DOMAIN: {get_param: CloudDomain} - name: {get_attr: [SshKnownHostsHostnames, value]}
PRIMARYHOST: {get_attr: [{{server_resource_name}}, name]} - keys:
{%- for network in networks %} name: {get_attr: [{{server_resource_name}}, name]}
{{network.name}}IP: {get_attr: [{{network.name}}Port, ip_address]}
{{network.name}}HOST: {get_attr: [NetHostMap, value, {{network.name_lower|default(network.name.lower())}}, short]}
{%- endfor %}
CTLPLANEIP: {get_attr: [{{server_resource_name}}, networks, ctlplane, 0]}
CTLPLANEHOST: {get_attr: [NetHostMap, value, ctlplane, short]}
HOSTSSHPUBKEY: {get_attr: [SshHostPubKey, ecdsa]}
nova_server_resource: nova_server_resource:
description: Heat resource handle for {{role.name}} server description: Heat resource handle for {{role.name}} server
value: value:
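Review bot: The `known_hosts_entry` description in the second hunk still reads "Entry for ssh known hosts" although the value is now assembled from two separately exposed parts, and the new `SshKnownHostsHostnames` resource in the first hunk has no comment explaining that it is the shared hostnames half. `description: Entry for ssh known hosts (hostnames list and the ecdsa host key, space separated)` and, above the resource, `# Comma-separated names/IPs (primary, per-network, ctlplane) by which this server may be reached; shared by the known_hosts_entry and known_hosts_hostnames outputs` would document the split. Only the ecdsa key is recorded, as before, so host verification still depends on the server offering that key type; noting this in the description would save the next reader a lookup. The outputs block begun in the second hunk continues past it.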


@ -0,0 +1,9 @@
---
fixes:
- Add support for the SshKnownHostsDeployment resources to config-download.
Since the deployment resources relied on Heat outputs, they were not
supported with the default handling from tripleo-common that relies on the
group_vars mechanism. The templates have been refactored to add
the known hosts entries as global_vars to deploy_steps_playbook.yaml, and
then include the new tripleo-ssh-known-hosts role from tripleo-common to
apply the same configuration that the Heat deployment did.