Add parameter to upload-git-mirror to specify ssh host key

If we attempt to push a mirror to a host we've never connected to before, it won't be in the SSH known hosts and the mirror will fail. This makes a new host_key parameter required and the role takes care of setting it up in the known_hosts for the duration of the job. Change-Id: I4bd40a289003fe3e88c9af4029576236c064fc3d Depends-On: https://review.openstack.org/#/c/649183/
2019-04-01 09:56:47 -04:00 · 2019-04-01 09:56:47 -04:00 · ed9f1d14a0
parent 4ce2d40d68
commit ed9f1d14a0
4 changed files with 28 additions and 4 deletions
--- a/roles/upload-git-mirror/README.rst
+++ b/roles/upload-git-mirror/README.rst
@ -20,11 +20,16 @@ superuser privileges to run.

     SSH host for the remote git repository

-  .. zuul:rolevar:: key
+  .. zuul:rolevar:: ssh_key

     Literal private key contents.
     Should start with something like ``-----BEGIN RSA PRIVATE KEY-----``.

+  .. zuul:rolevar:: host_key
+
+     SSH host key of the remote git server.
+     Can be obtained with ``ssh-keyscan -H <host>``.
+
 .. zuul:rolevar:: git_mirror_repository

   Path of the remote git repository
--- a/roles/upload-git-mirror/defaults/main.yaml
+++ b/roles/upload-git-mirror/defaults/main.yaml
@ -3,7 +3,8 @@
 # git_mirror_credentials:
 #   user:
 #   host:
-#   key:
+#   ssh_key:
+#   host_key:

 # Repository to replicate to
 # git_mirror_repository:
--- a/roles/upload-git-mirror/tasks/main.yaml
+++ b/roles/upload-git-mirror/tasks/main.yaml
@ -6,7 +6,7 @@

    - name: Set up private key
      copy:
-        content: "{{ git_mirror_credentials.key }}"
+        content: "{{ git_mirror_credentials.ssh_key }}"
        dest: "{{ ssh_private_key_tmp.path }}"
        mode: 0600

@ -26,6 +26,12 @@
        mode: 0600
        block: "{{ ssh_config }}"

+    - name: Add host key to known hosts
+      known_hosts:
+        state: present
+        name: "{{ git_mirror_credentials.host }}"
+        key: "{{ git_mirror_credentials.host_key }}"
+
    - name: Mirror the git repository
      command: git push --mirror {{ git_mirror_credentials.user }}@{{ git_mirror_credentials.host }}:{{ git_mirror_repository }}
      args:
@ -45,3 +51,10 @@
        mode: 0600
        block: "{{ ssh_config }}"
      register: git_mirror_ssh_config_removed
+
+    - name: Remove host key from known hosts
+      known_hosts:
+        state: absent
+        name: "{{ git_mirror_credentials.host }}"
+        key: "{{ git_mirror_credentials.host_key }}"
+      register: git_mirror_host_key_removed
--- a/zuul.yaml
+++ b/zuul.yaml
@ -68,11 +68,16 @@

          SSH host for the remote git repository

-        .. zuul:jobvar:: key
+        .. zuul:jobvar:: ssh_key

          Literal private key contents.
          Should start with something like ``-----BEGIN RSA PRIVATE KEY-----``.

+        .. zuul:jobvar:: host_key
+
+          SSH host key of the remote git server.
+          Can be obtained with ``ssh-keyscan -H <host>``.
+
      .. zuul:jobvar:: git_mirror_repository

        Path of the remote git repository