From 7fcf3ca30bc31877c8d8384000b932095f221057 Mon Sep 17 00:00:00 2001
From: Michal Nasiadka
Date: Fri, 25 Mar 2022 11:37:58 +0100
Subject: [PATCH] neutron: add ssh key

This key can be used by users in networking-generic-switch scenario instead of adding cleartext password in ml2_conf.ini.

Change-Id: I10003e6526a55a97f22678ab81c411e4645c5157
---
 ansible/roles/neutron/tasks/config.yml | 12 ++++++++++++
 ansible/roles/neutron/templates/id_rsa | 1 +
 .../roles/neutron/templates/neutron-server.json.j2 | 6 ++++++
 doc/source/reference/networking/neutron.rst | 11 +++++++++++
 etc/kolla/passwords.yml | 4 ++++
 kolla_ansible/cmd/genpwd.py | 3 ++-
 .../notes/neutron-ssh-key-736d2456b56176d8.yaml | 6 ++++++
 7 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 ansible/roles/neutron/templates/id_rsa
 create mode 100644 releasenotes/notes/neutron-ssh-key-736d2456b56176d8.yaml

diff --git a/ansible/roles/neutron/tasks/config.yml b/ansible/roles/neutron/tasks/config.yml
index cfc4e74fc5..07de73cf18 100644
--- a/ansible/roles/neutron/tasks/config.yml
+++ b/ansible/roles/neutron/tasks/config.yml
@@ -142,6 +142,18 @@
 notify:
 - "Restart {{ item.key }} container"
+- name: Copying over ssh key
+ become: true
+ vars:
+ neutron_server: "{{ neutron_services['neutron-server'] }}"
+ template:
+ src: "id_rsa"
+ dest: "{{ node_config_directory }}/neutron-server/id_rsa"
+ mode: 0600
+ when:
+ - neutron_server.enabled | bool
+ - neutron_server.host_in_groups | bool
+
 - name: Copying over ml2_conf.ini
 become: true
 vars:
diff --git a/ansible/roles/neutron/templates/id_rsa b/ansible/roles/neutron/templates/id_rsa
new file mode 100644
index 0000000000..1f8c64bc55
--- /dev/null
+++ b/ansible/roles/neutron/templates/id_rsa
@@ -0,0 +1 @@
+{{ neutron_ssh_key.private_key }}
diff --git a/ansible/roles/neutron/templates/neutron-server.json.j2 b/ansible/roles/neutron/templates/neutron-server.json.j2
index f8f9e4a94b..f1e93a72c3 100644
--- a/ansible/roles/neutron/templates/neutron-server.json.j2
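Review bot: The new "Copying over ssh key" task renders a private key through the `template` module without disabling diff output, so a run with `--diff` prints the key material to the console and any log that captures it; adding `diff: false` to the task keeps it out of run output. The task is gated only on neutron-server being enabled, so every neutron-server host receives a private key whether or not an ML2 driver that can use it is configured, and the matching copy in neutron-server.json.j2 (next file section) is unconditional as well; a deployer-facing toggle would narrow where the key lands. `{{ neutron_ssh_key.private_key }}` in the new id_rsa template is presumably undefined on an existing deployment whose passwords.yml predates this change until the new entry is merged in, in which case this task fails at deploy time rather than being skipped — worth a sentence in the task name or a comment such as `# requires neutron_ssh_key in passwords.yml (kolla-genpwd / kolla-mergepwd)`.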
+++ b/ansible/roles/neutron/templates/neutron-server.json.j2
@@ -38,6 +38,12 @@
 "dest": "/etc/neutron/plugins/ml2/ml2_conf.ini",
 "owner": "neutron",
 "perm": "0600"
+ },
+ {
+ "source": "{{ container_config_directory }}/id_rsa",
+ "dest": "/var/lib/neutron/.ssh/id_rsa",
+ "owner": "neutron",
+ "perm": "0600"
 }
 ],
 "permissions": [
diff --git a/doc/source/reference/networking/neutron.rst b/doc/source/reference/networking/neutron.rst
index c7796d079a..eedbf786b6 100644
--- a/doc/source/reference/networking/neutron.rst
+++ b/doc/source/reference/networking/neutron.rst
@@ -164,3 +164,14 @@ via ``neutron_mlnx_physnet_mappings`` which is presented to
 neutron_mlnx_physnet_mappings:
 ibphysnet: "ib0"
+
+SSH authentication in external systems (switches)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Kolla, by default, generates and copies an ssh key to the ``neutron_server``
+container (under ``/var/lib/neutron/.ssh/id_rsa``) which can be used for
+authentication in external systems (e.g. in ``networking-generic-switch`` or
+``networking-ansible`` managed switches).
+
+You can set ``neutron_ssh_key`` variable in ``passwords.yml`` to control the
+used key.
diff --git a/etc/kolla/passwords.yml b/etc/kolla/passwords.yml
index 4bdded23ce..86fd797279 100644
--- a/etc/kolla/passwords.yml
+++ b/etc/kolla/passwords.yml
@@ -199,6 +199,10 @@ octavia_amp_ssh_key:
 private_key:
 public_key:
+neutron_ssh_key:
+ private_key:
+ public_key:
+
 ####################
 # Gnocchi options
 ####################
diff --git a/kolla_ansible/cmd/genpwd.py b/kolla_ansible/cmd/genpwd.py
index f1aed498ea..6bfda5367c 100755
--- a/kolla_ansible/cmd/genpwd.py
+++ b/kolla_ansible/cmd/genpwd.py
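Review bot: The new copy entry pins owner and `0600` on `/var/lib/neutron/.ssh/id_rsa` itself, but nothing in the hunk sets ownership or mode on the `/var/lib/neutron/.ssh` directory it lands in; if the config-copy step creates that directory on demand (likely, since the image presumably does not ship it — confirm), its mode is whatever the copy helper defaults to. The `permissions` list that opens on the hunk's last context line is the place to pin it, e.g. an entry of the form `{"path": "/var/lib/neutron/.ssh", "owner": "neutron:neutron", "perm": "0700"}` matching the shape the existing entries use. Separately, this copy is unconditional, so the private key is placed in every neutron-server container even where no switch driver reads it; that is the same concern as on the config.yml task and should be decided in one place.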
@@ -116,7 +116,8 @@ def main():
 # SSH key pair
 ssh_keys = ['kolla_ssh_key', 'nova_ssh_key',
- 'keystone_ssh_key', 'bifrost_ssh_key', 'octavia_amp_ssh_key']
+ 'keystone_ssh_key', 'bifrost_ssh_key', 'octavia_amp_ssh_key',
+ 'neutron_ssh_key']
 # If these keys are None, leave them as None
 blank_keys = ['docker_registry_password']
diff --git a/releasenotes/notes/neutron-ssh-key-736d2456b56176d8.yaml b/releasenotes/notes/neutron-ssh-key-736d2456b56176d8.yaml
new file mode 100644
index 0000000000..5483dcb5ef
--- /dev/null
+++ b/releasenotes/notes/neutron-ssh-key-736d2456b56176d8.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Adds an SSH key for Neutron server which can be used for passwordless
+ public key authentication in external systems (e.g. for
+ ``networking-generic-switch`` managed switches).
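Review bot: `ssh_keys` is a second hand-maintained list of the key names that also appear in `etc/kolla/passwords.yml`, and the hunk gives no hint of that coupling; a name present in one file but not the other presumably ends up either left empty or filled with a plain random string, which the new `id_rsa` template (expecting `.private_key`) would only reveal at deploy time. A comment above the list would make the contract explicit: `# Names listed here get a key pair instead of a password; keep in sync with etc/kolla/passwords.yml`. The enclosing `main()` starts outside the hunk.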