003fdfaa5b
Current Ansible version for tests repo, which is used for functional tests can not deal with some more modern logic, causing CI to fail for Ubuntu Jammy on apt_package_pinning for Galera role. Updating Ansible version fixes the issue. Change-Id: I70838dc4fb1cadfcf579b5e9af5769a8f48108da
180 lines
5.6 KiB
YAML
180 lines
5.6 KiB
YAML
---
|
|
# Copyright 2015, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
# Note(andymccr):
|
|
# This uses local connection for the initial key setup
|
|
# as no key is setup to allow a connection to localhost
|
|
# as a remote host.
|
|
- name: Playbook for establishing ssh keys
|
|
hosts: localhost
|
|
gather_facts: false
|
|
any_errors_fatal: true
|
|
connection: local
|
|
become: yes
|
|
tasks:
|
|
- name: Ensure root has a .ssh directory
|
|
file:
|
|
path: /root/.ssh
|
|
state: directory
|
|
owner: root
|
|
group: root
|
|
mode: "0700"
|
|
|
|
- name: Create ssh key pair for root
|
|
community.crypto.openssh_keypair:
|
|
path: /root/.ssh/id_rsa
|
|
comment: "openstack-ansible-tests generated"
|
|
|
|
- name: Get root private key
|
|
slurp:
|
|
src: /root/.ssh/id_rsa
|
|
register: private_key_get
|
|
changed_when: false
|
|
|
|
- name: Get root public key
|
|
slurp:
|
|
src: /root/.ssh/id_rsa.pub
|
|
register: public_key_get
|
|
changed_when: false
|
|
|
|
- name: Set key facts
|
|
set_fact:
|
|
root_public_key: "{{ public_key_get.content | b64decode }}"
|
|
root_private_key: "{{ private_key_get.content | b64decode }}"
|
|
|
|
- name: Add root ssh key to authorized_keys
|
|
authorized_key:
|
|
user: "root"
|
|
key: "{{ root_public_key }}"
|
|
|
|
# Note(hwoarang):
|
|
# This uses local connection for the initial key setup
|
|
# as no key is setup to allow a connection to localhost
|
|
# as a remote host.
|
|
- name: Playbook for establishing user ssh keys
|
|
hosts: localhost
|
|
connection: local
|
|
become: no
|
|
any_errors_fatal: true
|
|
vars:
|
|
_user_id: "{{ lookup('env', 'USER') }}"
|
|
tasks:
|
|
- name: Run following tasks only when current user is not root
|
|
when:
|
|
- _user_id != 'root'
|
|
block:
|
|
# Shell used because facts may not be ready yet
|
|
- name: Get user home directory
|
|
shell: |
|
|
set -o pipefail
|
|
getent passwd '{{ _user_id }}' | cut -d':' -f6
|
|
args:
|
|
executable: /bin/bash
|
|
register: user_home
|
|
changed_when: false
|
|
|
|
- name: Set local user home fact
|
|
set_fact:
|
|
calling_user_home: "{{ user_home.stdout }}"
|
|
|
|
- name: Ensure user has a .ssh directory
|
|
file:
|
|
path: "{{ calling_user_home }}/.ssh"
|
|
state: directory
|
|
owner: "{{ _user_id }}"
|
|
group: "{{ _user_id }}"
|
|
mode: "0700"
|
|
|
|
- name: Ensure user has the known private key
|
|
copy:
|
|
content: "{{ root_private_key }}"
|
|
dest: "{{ calling_user_home }}/.ssh/id_rsa"
|
|
owner: "{{ _user_id }}"
|
|
group: "{{ _user_id }}"
|
|
mode: "0600"
|
|
|
|
- name: Ensure user has the known public key
|
|
copy:
|
|
content: "{{ root_public_key }}"
|
|
dest: "{{ calling_user_home }}/.ssh/id_rsa.pub"
|
|
owner: "{{ _user_id }}"
|
|
group: "{{ _user_id }}"
|
|
mode: "0600"
|
|
|
|
- name: Ensure local user can ssh to localhost
|
|
authorized_key:
|
|
user: "{{ _user_id }}"
|
|
key: "{{ root_public_key }}"
|
|
|
|
- name: Create SSHD CA
|
|
hosts: "{{ openstack_ssh_keypairs_setup_host | default('localhost') }}"
|
|
gather_facts: false
|
|
become: yes
|
|
tasks:
|
|
- name: "Create SSHD certificate authority"
|
|
include_role:
|
|
name: openstack.osa.ssh_keypairs
|
|
vars:
|
|
ssh_keypairs_setup_host: localhost
|
|
ssh_keypairs_dir: "/etc/openstack_deploy/ssh_keypairs"
|
|
ssh_keypairs:
|
|
- name: "OpenStack-Ansible-SSH-Signing-Key"
|
|
ssh_keypairs_install_authorities: false
|
|
ssh_keypairs_install_keypairs: false
|
|
ssh_keypairs_install_authorized_keys: false
|
|
|
|
- name: Create CA certificates
|
|
hosts: "{{ openstack_pki_setup_host | default('localhost') }}"
|
|
gather_facts: false
|
|
become: true
|
|
tasks:
|
|
- name: "Create CA certificates"
|
|
include_role:
|
|
name: pki
|
|
tasks_from: main_ca.yml
|
|
vars:
|
|
pki_dir: "/etc/openstack_deploy/pki"
|
|
pki_create_ca: true
|
|
pki_authorities:
|
|
- name: "ExampleCorpRoot"
|
|
provider: selfsigned
|
|
basic_constraints: "CA:TRUE"
|
|
cn: "Example Corp Root CA"
|
|
email_address: "pki@example.com"
|
|
country_name: "GB"
|
|
state_or_province_name: "England"
|
|
organization_name: "Example Corporation"
|
|
organizational_unit_name: "IT Security"
|
|
key_usage:
|
|
- digitalSignature
|
|
- cRLSign
|
|
- keyCertSign
|
|
not_after: "+3650d"
|
|
- name: "ExampleCorpIntermediate"
|
|
provider: ownca
|
|
basic_constraints: "CA:TRUE,pathlen:0"
|
|
cn: "Example Corp Openstack Infrastructure Intermediate CA"
|
|
email_address: "pki@example.com"
|
|
country_name: "GB"
|
|
state_or_province_name: "England"
|
|
organization_name: "Example Corporation"
|
|
organizational_unit_name: "IT Security"
|
|
key_usage:
|
|
- digitalSignature
|
|
- cRLSign
|
|
- keyCertSign
|
|
not_after: "+3650d"
|
|
signed_by: "ExampleCorpRoot"
|