bastion host: add global known_hosts values

Write out the ssh host keys from the inventory as part of the bastion host bootstrap. Change-Id: I0823c09165c445e9178c75ac5083f1988e8d3055
3 months ago · d03f4b1f22
parent 618708b42a
commit d03f4b1f22
4 changed files with 50 additions and 0 deletions
--- a/playbooks/bootstrap-bridge.yaml
+++ b/playbooks/bootstrap-bridge.yaml
@ -97,3 +97,7 @@
        BRIDGE_INVENTORY: '{{ "-i/home/zuul/bastion-inventory.ini" if root_rsa_key is defined else "" }}'
        ANSIBLE_ROLES_PATH: '/home/zuul/src/opendev.org/opendev/system-config/playbooks/roles'
      no_log: true
+
+    - name: Setup global known_hosts
+      include_role:
+        name: add-inventory-known-hosts
--- a/playbooks/roles/add-inventory-known-hosts/README.rst
+++ b/playbooks/roles/add-inventory-known-hosts/README.rst
@ -0,0 +1 @@
+Add the host keys from inventory to global known_hosts
--- a/playbooks/roles/add-inventory-known-hosts/tasks/main.yaml
+++ b/playbooks/roles/add-inventory-known-hosts/tasks/main.yaml
@ -0,0 +1,31 @@
+- name: Load the current inventory from bridge
+  slurp:
+    src: '/home/zuul/src/opendev.org/opendev/system-config/inventory/base/hosts.yaml'
+  register: _bridge_inventory_encoded
+
+- name: Turn inventory into variable
+  set_fact:
+    _bridge_inventory: '{{ _bridge_inventory_encoded.content | b64decode | from_yaml }}'
+
+- name: Build known_hosts list
+  set_fact:
+    bastion_known_hosts: >-
+        [
+        {%- for host, values in _bridge_inventory['all']['hosts'].items() -%}
+        {%   for key in values['host_keys'] %}
+        '{{ host }},{{ values.public_v4 }}{{ "," + values.public_v6 if 'public_v6' in values}} {{ key }}',
+        {%   endfor %}
+        {%- endfor -%}
+        ]
+
+- name: Write out values to /etc/ssh/ssh_known_hosts
+  blockinfile:
+    path: '/etc/ssh/ssh_known_hosts'
+    block: |
+      {% for entry in bastion_known_hosts %}
+      {{ entry }}
+      {% endfor %}
+    owner: root
+    group: root
+    mode: 0644
+    create: yes
--- a/testinfra/test_bridge.py
+++ b/testinfra/test_bridge.py
@ -102,3 +102,17 @@ def test_rax_dns_backup(host):

    output_dir = host.file('/var/lib/rax-dns-backup')
    assert output_dir.exists
+
+
+def test_ssh_known_hosts(host):
+    f = host.file('/etc/ssh/ssh_known_hosts')
+
+    assert f.exists
+    assert f.is_file
+    assert f.user == 'root'
+    assert f.group == 'root'
+    assert f.mode == 0o644
+
+    # Nothing special about this host, just testing it has an entry we
+    # expect.
+    assert b'bridge01.opendev.org,104.130.253.34,2001:4800:7818:103:be76:4eff:fe04:48c1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGG6WTR3dkhn766C69IRcLNN1Oxx7WMrcNsN03r+uZbU' in f.content
				`@ -0,0 +1 @@`
				`Add the host keys from inventory to global known_hosts`