Support SshKnownHostsDeployment with config-download
Add support for the SshKnownHostsDeployment resources to
config-download. Since the deployment resources relied on Heat outputs,
they were not supported with the default handling from tripleo-common
that relies on the group_vars mechanism.
Instead, this patch refactors the templates to add the known hosts
entries as global_vars to deploy_steps_playbook.yaml, and then includes
the new tripleo-ssh-known-hosts role from tripleo-common to apply the
same configuration that the Heat deployment did.
Since these deployments no longer need to be triggered when including
config-download-environment.yaml, a mapping is added that can be
overridden to OS::Heat::None to disable the deployment resources when
using config-download.
The default behavior when not using config-download remains unchanged.
Closes-Bug: #1746336
Change-Id: Ia334fe6adc9a8ab228f75cb1d0c441c1344e2bd9
(cherry picked from commit 088d5c12f0)
parent
47cf9f453a
commit
54010e2358
|
@ -79,6 +79,9 @@ parameters:
|
||||||
type: comma_delimited_list
|
type: comma_delimited_list
|
||||||
default: ['ocata', 'pike', 'queens']
|
default: ['ocata', 'pike', 'queens']
|
||||||
description: List of releases to fast forward through during upgrade. Last release in list is used for post steps.
|
description: List of releases to fast forward through during upgrade. Last release in list is used for post steps.
|
||||||
|
ssh_known_hosts_hostnames:
|
||||||
|
description: Mapping of hostname to ssh known hosts entry
|
||||||
|
type: json
|
||||||
|
|
||||||
conditions:
|
conditions:
|
||||||
{% for step in range(1, deploy_steps_max) %}
|
{% for step in range(1, deploy_steps_max) %}
|
||||||
|
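Review bot: The description on the new `ssh_known_hosts_hostnames` parameter says "Mapping of hostname to ssh known hosts entry", but the value wired into it is the `known_hosts_hostnames` output, which this same change documents as a mapping of server name to the hostnames portion of the entry — no host key is included. Anyone reading the parameter, or the `ssh_known_hosts` global var it becomes, will assume the values are complete known_hosts lines. Suggest `description: Mapping of server name to the hostnames/IPs portion of its ssh known hosts entry (host key not included)`. The `parameters:` block this sits in starts and ends outside the hunk.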
@ -375,6 +378,7 @@ outputs:
|
||||||
value:
|
value:
|
||||||
global_vars:
|
global_vars:
|
||||||
deploy_steps_max: {{deploy_steps_max}}
|
deploy_steps_max: {{deploy_steps_max}}
|
||||||
|
ssh_known_hosts: {get_param: ssh_known_hosts_hostnames}
|
||||||
common_deploy_steps_tasks: {get_file: deploy-steps-tasks.yaml}
|
common_deploy_steps_tasks: {get_file: deploy-steps-tasks.yaml}
|
||||||
docker_puppet_script: {get_file: ../docker/docker-puppet.py}
|
docker_puppet_script: {get_file: ../docker/docker-puppet.py}
|
||||||
deploy_steps_playbook:
|
deploy_steps_playbook:
|
||||||
|
@ -401,13 +405,14 @@ outputs:
|
||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
- hosts: overcloud
|
- hosts: overcloud
|
||||||
name: Bootstrap TripleO servers
|
name: Common roles for TripleO servers
|
||||||
gather_facts: no
|
gather_facts: no
|
||||||
any_errors_fatal: yes
|
any_errors_fatal: yes
|
||||||
roles:
|
roles:
|
||||||
- tripleo-bootstrap
|
- tripleo-bootstrap
|
||||||
|
- tripleo-ssh-known-hosts
|
||||||
tags:
|
tags:
|
||||||
- bootstrap
|
- common_roles
|
||||||
- hosts: overcloud
|
- hosts: overcloud
|
||||||
name: Server deployments
|
name: Server deployments
|
||||||
gather_facts: no
|
gather_facts: no
|
||||||
|
|
|
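Review bot: Renaming the play tag from `bootstrap` to `common_roles` silently changes the behaviour of any existing `ansible-playbook --tags bootstrap` or `--skip-tags bootstrap` invocation, and the release note added in this change does not mention it. Since tags are additive, keeping both avoids the break: `tags:` / `- bootstrap` / `- common_roles`. Note also that with `any_errors_fatal: yes` on this play, a failure of the new tripleo-ssh-known-hosts role on a single host now aborts the run for all hosts; that is probably intended (a node without the shared known_hosts content should not proceed to deployment), but it deserves a one-line comment next to the role so nobody relaxes it later. The `deploy_steps_playbook` output continues past the hunk.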
@ -71,15 +71,6 @@ outputs:
|
||||||
show:
|
show:
|
||||||
value: ''
|
value: ''
|
||||||
|
|
||||||
ecdsa:
|
|
||||||
description: Host ssh public key (ecdsa)
|
|
||||||
value: 'ecdsa'
|
|
||||||
rsa:
|
|
||||||
description: Host ssh public key (rsa)
|
|
||||||
value: 'rsa'
|
|
||||||
ed25519:
|
|
||||||
description: Host ssh public key (ed25519)
|
|
||||||
value: 'ed25519'
|
|
||||||
update_managed_packages:
|
update_managed_packages:
|
||||||
description: boolean value indicating whether to upgrade managed packages
|
description: boolean value indicating whether to upgrade managed packages
|
||||||
value: false
|
value: false
|
||||||
|
|
|
@ -71,15 +71,6 @@ outputs:
|
||||||
show:
|
show:
|
||||||
value: ''
|
value: ''
|
||||||
|
|
||||||
ecdsa:
|
|
||||||
description: Host ssh public key (ecdsa)
|
|
||||||
value: 'ecdsa'
|
|
||||||
rsa:
|
|
||||||
description: Host ssh public key (rsa)
|
|
||||||
value: 'rsa'
|
|
||||||
ed25519:
|
|
||||||
description: Host ssh public key (ed25519)
|
|
||||||
value: 'ed25519'
|
|
||||||
update_managed_packages:
|
update_managed_packages:
|
||||||
description: boolean value indicating whether to upgrade managed packages
|
description: boolean value indicating whether to upgrade managed packages
|
||||||
value: false
|
value: false
|
||||||
|
|
|
@ -6,3 +6,6 @@ resource_registry:
|
||||||
OS::Heat::StructuredDeployment: ../config-download-structured.yaml
|
OS::Heat::StructuredDeployment: ../config-download-structured.yaml
|
||||||
|
|
||||||
OS::TripleO::DeploymentSteps: OS::Heat::None
|
OS::TripleO::DeploymentSteps: OS::Heat::None
|
||||||
|
|
||||||
|
OS::TripleO::Ssh::KnownHostsDeployment: OS::Heat::None
|
||||||
|
OS::TripleO::Ssh::HostPubKey: OS::Heat::None
|
||||||
|
|
|
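Review bot: Mapping `OS::TripleO::Ssh::HostPubKey` to `OS::Heat::None` means that under config-download Heat no longer carries the servers' host public keys at all; the only data handed to Ansible is the `ssh_known_hosts` global var, which holds hostnames/IPs per server and no keys. The tripleo-ssh-known-hosts role therefore has to obtain the keys some other way, which is not visible here — if it scans them from the nodes at deploy time, that is trust-on-first-use over the same network path the known_hosts entries are meant to protect, a weaker guarantee than the Heat path where each server reported its own key through os-collect-config. Suggest a comment above the two new lines, e.g. `# Host keys are no longer collected through Heat; the tripleo-ssh-known-hosts role populates them from the nodes`, and a sentence on the trust model in the release note. The `resource_registry` mapping starts before the hunk.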
@ -7,6 +7,7 @@ resource_registry:
|
||||||
OS::TripleO::Hosts::SoftwareConfig: hosts-config.yaml
|
OS::TripleO::Hosts::SoftwareConfig: hosts-config.yaml
|
||||||
OS::TripleO::Ssh::HostPubKey: extraconfig/tasks/ssh/host_public_key.yaml
|
OS::TripleO::Ssh::HostPubKey: extraconfig/tasks/ssh/host_public_key.yaml
|
||||||
OS::TripleO::Ssh::KnownHostsConfig: extraconfig/tasks/ssh/known_hosts_config.yaml
|
OS::TripleO::Ssh::KnownHostsConfig: extraconfig/tasks/ssh/known_hosts_config.yaml
|
||||||
|
OS::TripleO::Ssh::KnownHostsDeployment: OS::Heat::StructuredDeployments
|
||||||
OS::TripleO::DefaultPasswords: default_passwords.yaml
|
OS::TripleO::DefaultPasswords: default_passwords.yaml
|
||||||
OS::TripleO::RandomString: OS::Heat::RandomString
|
OS::TripleO::RandomString: OS::Heat::RandomString
|
||||||
|
|
||||||
|
|
|
@ -377,6 +377,16 @@ resources:
|
||||||
- {get_attr: [{{role.name}}, known_hosts_entry]}
|
- {get_attr: [{{role.name}}, known_hosts_entry]}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
|
SshKnownHostsHostnames:
|
||||||
|
type: OS::Heat::Value
|
||||||
|
properties:
|
||||||
|
value:
|
||||||
|
map_merge:
|
||||||
|
list_concat:
|
||||||
|
{% for role in roles %}
|
||||||
|
- {get_attr: [{{role.name}}, known_hosts_hostnames]}
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
# Jinja loop for Role in roles_data.yaml
|
# Jinja loop for Role in roles_data.yaml
|
||||||
{% for role in roles %}
|
{% for role in roles %}
|
||||||
# Resources generated for {{role.name}} Role
|
# Resources generated for {{role.name}} Role
|
||||||
|
@ -467,7 +477,7 @@ resources:
|
||||||
servers: {get_attr: [{{role.name}}Servers, value]}
|
servers: {get_attr: [{{role.name}}Servers, value]}
|
||||||
|
|
||||||
{{role.name}}SshKnownHostsDeployment:
|
{{role.name}}SshKnownHostsDeployment:
|
||||||
type: OS::Heat::StructuredDeployments
|
type: OS::TripleO::Ssh::KnownHostsDeployment
|
||||||
properties:
|
properties:
|
||||||
name: {{role.name}}SshKnownHostsDeployment
|
name: {{role.name}}SshKnownHostsDeployment
|
||||||
config: {get_resource: SshKnownHostsConfig}
|
config: {get_resource: SshKnownHostsConfig}
|
||||||
|
@ -920,6 +930,7 @@ resources:
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
blacklisted_ip_addresses: {get_attr: [BlacklistedIpAddresses, value]}
|
blacklisted_ip_addresses: {get_attr: [BlacklistedIpAddresses, value]}
|
||||||
blacklisted_hostnames: {get_attr: [BlacklistedHostnames, value]}
|
blacklisted_hostnames: {get_attr: [BlacklistedHostnames, value]}
|
||||||
|
ssh_known_hosts_hostnames: {get_attr: [SshKnownHostsHostnames, value]}
|
||||||
|
|
||||||
ServerOsCollectConfigData:
|
ServerOsCollectConfigData:
|
||||||
type: OS::Heat::Value
|
type: OS::Heat::Value
|
||||||
|
|
|
@ -658,6 +658,27 @@ resources:
|
||||||
server: {get_resource: {{server_resource_name}}}
|
server: {get_resource: {{server_resource_name}}}
|
||||||
deployment_actions: {get_attr: [DeploymentActions, value]}
|
deployment_actions: {get_attr: [DeploymentActions, value]}
|
||||||
|
|
||||||
|
SshKnownHostsHostnames:
|
||||||
|
type: OS::Heat::Value
|
||||||
|
properties:
|
||||||
|
value:
|
||||||
|
str_replace:
|
||||||
|
template: "PRIMARYIP,PRIMARYHOST.DOMAIN,PRIMARYHOST,\
|
||||||
|
{%- for network in networks %}
|
||||||
|
{{network.name}}IP,{{network.name}}HOST.DOMAIN,{{network.name}}HOST,\
|
||||||
|
{%- endfor %}
|
||||||
|
CTLPLANEIP,CTLPLANEHOST.DOMAIN,CTLPLANEHOST"
|
||||||
|
params:
|
||||||
|
PRIMARYIP: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, {{role.name}}HostnameResolveNetwork]}]}
|
||||||
|
DOMAIN: {get_param: CloudDomain}
|
||||||
|
PRIMARYHOST: {get_attr: [{{server_resource_name}}, name]}
|
||||||
|
{%- for network in networks %}
|
||||||
|
{{network.name}}IP: {get_attr: [{{network.name}}Port, ip_address]}
|
||||||
|
{{network.name}}HOST: {get_attr: [NetHostMap, value, {{network.name_lower|default(network.name.lower())}}, short]}
|
||||||
|
{%- endfor %}
|
||||||
|
CTLPLANEIP: {get_attr: [{{server_resource_name}}, networks, ctlplane, 0]}
|
||||||
|
CTLPLANEHOST: {get_attr: [NetHostMap, value, ctlplane, short]}
|
||||||
|
|
||||||
outputs:
|
outputs:
|
||||||
ip_address:
|
ip_address:
|
||||||
description: IP address of the server in the ctlplane network
|
description: IP address of the server in the ctlplane network
|
||||||
|
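Review bot: The new `SshKnownHostsHostnames` value resource has no comment, yet it is now the single source for both the `known_hosts_entry` and `known_hosts_hostnames` outputs, and its template depends on the backslash-escaped line breaks of the double-quoted scalar to yield one comma-separated field with no embedded whitespace — a stray space would split the hostname field of the known_hosts line. A comment makes that contract explicit: `# Comma-separated hostnames/IPs for this server on every network (the hostname field of its ssh_known_hosts line); the trailing backslashes fold the quoted scalar onto one line, so do not convert it to a block scalar`. The `resources:` section starts before the hunk.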
@ -709,23 +730,17 @@ outputs:
|
||||||
known_hosts_entry:
|
known_hosts_entry:
|
||||||
description: Entry for ssh known hosts
|
description: Entry for ssh known hosts
|
||||||
value:
|
value:
|
||||||
str_replace:
|
list_join:
|
||||||
template: "PRIMARYIP,PRIMARYHOST.DOMAIN,PRIMARYHOST,\
|
- ' '
|
||||||
{%- for network in networks %}
|
- - {get_attr: [SshKnownHostsHostnames, value]}
|
||||||
{{network.name}}IP,{{network.name}}HOST.DOMAIN,{{network.name}}HOST,\
|
- {get_attr: [SshHostPubKey, ecdsa]}
|
||||||
{%- endfor %}
|
known_hosts_hostnames:
|
||||||
CTLPLANEIP,CTLPLANEHOST.DOMAIN,CTLPLANEHOST HOSTSSHPUBKEY"
|
description: Mapping of server name to hostnames portion of ssh known hosts entry
|
||||||
params:
|
value:
|
||||||
PRIMARYIP: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, {{role.name}}HostnameResolveNetwork]}]}
|
map_replace:
|
||||||
DOMAIN: {get_param: CloudDomain}
|
- name: {get_attr: [SshKnownHostsHostnames, value]}
|
||||||
PRIMARYHOST: {get_attr: [{{server_resource_name}}, name]}
|
- keys:
|
||||||
{%- for network in networks %}
|
name: {get_attr: [{{server_resource_name}}, name]}
|
||||||
{{network.name}}IP: {get_attr: [{{network.name}}Port, ip_address]}
|
|
||||||
{{network.name}}HOST: {get_attr: [NetHostMap, value, {{network.name_lower|default(network.name.lower())}}, short]}
|
|
||||||
{%- endfor %}
|
|
||||||
CTLPLANEIP: {get_attr: [{{server_resource_name}}, networks, ctlplane, 0]}
|
|
||||||
CTLPLANEHOST: {get_attr: [NetHostMap, value, ctlplane, short]}
|
|
||||||
HOSTSSHPUBKEY: {get_attr: [SshHostPubKey, ecdsa]}
|
|
||||||
nova_server_resource:
|
nova_server_resource:
|
||||||
description: Heat resource handle for {{role.name}} server
|
description: Heat resource handle for {{role.name}} server
|
||||||
value:
|
value:
|
||||||
|
|
|
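Review bot: `known_hosts_entry` still pins only the ECDSA host key (`{get_attr: [SshHostPubKey, ecdsa]}`), even though the HostPubKey template also exposes rsa and ed25519 attributes, as the three stub outputs removed elsewhere in this change show. A client whose `HostKeyAlgorithms` prefers ed25519 or has ECDSA disabled may not find a matching line and will either be prompted or refuse to connect under StrictHostKeyChecking. Consider emitting one entry per key type, or at least documenting the limitation on the output: `description: Entry for ssh known hosts (ECDSA host key only)`. The `outputs:` block continues past the hunk.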
@ -0,0 +1,9 @@
|
||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- Add support for the SshKnownHostsDeployment resources to config-download.
|
||||||
|
Since the deployment resources relied on Heat outputs, they were not
|
||||||
|
supported with the default handling from tripleo-common that relies on the
|
||||||
|
group_vars mechanism. The templates have been refactored to add
|
||||||
|
the known hosts entries as global_vars to deploy_steps_playbook.yaml, and
|
||||||
|
then include the new tripleo-ssh-known-hosts role from tripleo-common to
|
||||||
|
apply the same configuration that the Heat deployment did.
|