-
Notifications
You must be signed in to change notification settings - Fork 10
/
Copy pathtest-prepare-keys.yml
179 lines (165 loc) · 5.57 KB
/
test-prepare-keys.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Note(andymccr):
# This uses local connection for the initial key setup
# as no key is setup to allow a connection to localhost
# as a remote host.
- name: Playbook for establishing ssh keys
hosts: localhost
gather_facts: false
any_errors_fatal: true
connection: local
become: yes
tasks:
- name: Ensure root has a .ssh directory
file:
path: /root/.ssh
state: directory
owner: root
group: root
mode: "0700"
- name: Create ssh key pair for root
community.crypto.openssh_keypair:
path: /root/.ssh/id_rsa
comment: "openstack-ansible-tests generated"
- name: Get root private key
slurp:
src: /root/.ssh/id_rsa
register: private_key_get
changed_when: false
- name: Get root public key
slurp:
src: /root/.ssh/id_rsa.pub
register: public_key_get
changed_when: false
- name: Set key facts
set_fact:
root_public_key: "{{ public_key_get.content | b64decode }}"
root_private_key: "{{ private_key_get.content | b64decode }}"
- name: Add root ssh key to authorized_keys
authorized_key:
user: "root"
key: "{{ root_public_key }}"
# Note(hwoarang):
# This uses local connection for the initial key setup
# as no key is setup to allow a connection to localhost
# as a remote host.
- name: Playbook for establishing user ssh keys
hosts: localhost
connection: local
become: no
any_errors_fatal: true
vars:
_user_id: "{{ lookup('env', 'USER') }}"
tasks:
- name: Run following tasks only when current user is not root
when:
- _user_id != 'root'
block:
# Shell used because facts may not be ready yet
- name: Get user home directory
shell: |
set -o pipefail
getent passwd '{{ _user_id }}' | cut -d':' -f6
args:
executable: /bin/bash
register: user_home
changed_when: false
- name: Set local user home fact
set_fact:
calling_user_home: "{{ user_home.stdout }}"
- name: Ensure user has a .ssh directory
file:
path: "{{ calling_user_home }}/.ssh"
state: directory
owner: "{{ _user_id }}"
group: "{{ _user_id }}"
mode: "0700"
- name: Ensure user has the known private key
copy:
content: "{{ root_private_key }}"
dest: "{{ calling_user_home }}/.ssh/id_rsa"
owner: "{{ _user_id }}"
group: "{{ _user_id }}"
mode: "0600"
- name: Ensure user has the known public key
copy:
content: "{{ root_public_key }}"
dest: "{{ calling_user_home }}/.ssh/id_rsa.pub"
owner: "{{ _user_id }}"
group: "{{ _user_id }}"
mode: "0600"
- name: Ensure local user can ssh to localhost
authorized_key:
user: "{{ _user_id }}"
key: "{{ root_public_key }}"
- name: Create SSHD CA
hosts: "{{ openstack_ssh_keypairs_setup_host | default('localhost') }}"
gather_facts: false
become: yes
tasks:
- name: "Create SSHD certificate authority"
include_role:
name: openstack.osa.ssh_keypairs
vars:
ssh_keypairs_setup_host: localhost
ssh_keypairs_dir: "/etc/openstack_deploy/ssh_keypairs"
ssh_keypairs:
- name: "OpenStack-Ansible-SSH-Signing-Key"
ssh_keypairs_install_authorities: false
ssh_keypairs_install_keypairs: false
ssh_keypairs_install_authorized_keys: false
- name: Create CA certificates
hosts: "{{ openstack_pki_setup_host | default('localhost') }}"
gather_facts: false
become: true
tasks:
- name: "Create CA certificates"
include_role:
name: pki
tasks_from: main_ca.yml
vars:
pki_dir: "/etc/openstack_deploy/pki"
pki_create_ca: true
pki_authorities:
- name: "ExampleCorpRoot"
provider: selfsigned
basic_constraints: "CA:TRUE"
cn: "Example Corp Root CA"
email_address: "pki@example.com"
country_name: "GB"
state_or_province_name: "England"
organization_name: "Example Corporation"
organizational_unit_name: "IT Security"
key_usage:
- digitalSignature
- cRLSign
- keyCertSign
not_after: "+3650d"
- name: "ExampleCorpIntermediate"
provider: ownca
basic_constraints: "CA:TRUE,pathlen:0"
cn: "Example Corp Openstack Infrastructure Intermediate CA"
email_address: "pki@example.com"
country_name: "GB"
state_or_province_name: "England"
organization_name: "Example Corporation"
organizational_unit_name: "IT Security"
key_usage:
- digitalSignature
- cRLSign
- keyCertSign
not_after: "+3650d"
signed_by: "ExampleCorpRoot"