Use ssh_keypairs role to generate cold migration ssh keys

This uses ssh signed certificates so there is no longer the need to distribute the nova public key from each compute host to all other compute hosts. The legacy scripts and authorized key files are removed as a migration step. Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/825292 Change-Id: I3456bdf7bed66a2675b8a410d4cf6b2174598a22
2022-01-19 07:43:17 -05:00 · 2022-01-19 07:43:17 -05:00 · e2fc7361cf
commit e2fc7361cf
parent 4d942b815f
5 changed files with 60 additions and 125 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -343,10 +343,6 @@ nova_scheduler_extra_filters: []
 # this value to -1.
 nova_discover_hosts_in_cells_interval: "{{ 300 if groups['nova_compute'] | length > 10 else 60 }}"

-# If you want to regenerate the nova users SSH keys, on each run, set this var to True
-# Otherwise keys will be generated on the first run and not regenerated each run.
-nova_recreate_keys: False
-
 # Define nfs information to enable nfs shares as mounted directories for
 # nova. The ``nova_nfs_client`` value is a list of dictionaries that must
 # be filled out completely to enable the persistent NFS mounts.
@ -683,3 +679,34 @@ nova_pki_console_install_certificates:
    owner: "root"
    group: "{{ nova_system_group_name }}"
    mode: "0640"
+
+# host which holds the ssh certificate authority
+nova_ssh_keypairs_setup_host: "{{ openstack_ssh_keypairs_setup_host  | default('localhost') }}"
+
+# directory on the deploy host to create and store SSH keypairs
+nova_ssh_keypairs_dir: "{{ openstack_ssh_keypairs_dir }}"
+
+#Each compute host needs a signed ssh certificate to log into the others
+nova_ssh_keypairs:
+  - name: "nova-{{ inventory_hostname }}"
+    cert:
+      signed_by: "{{ openstack_ssh_signing_key }}"
+      principals: "{{ nova_ssh_key_principals | default('nova') }}"
+      valid_from: "{{ nova_ssh_key_valid_from | default('always') }}"
+      valid_to: "{{ nova_ssh_key_valid_to | default('forever') }}"
+
+#Each compute host needs the signed ssh certificate installing to the nova user
+nova_ssh_keypairs_install_keys:
+  owner: "{{ nova_system_user_name }}"
+  group: "{{ nova_system_group_name }}"
+  keys:
+    - cert: "nova-{{ inventory_hostname }}"
+      dest: "{{ nova_system_home_folder }}/.ssh/id_rsa"
+
+#Each compute host must trust the SSHD certificate authoritiy in the sshd configuration
+nova_ssh_keypairs_install_ca: "{{ openstack_ssh_keypairs_authorities }}"
+
+#Each compute host must allow SSH certificates with the appropriate principal to log into the nova user
+nova_ssh_keypairs_principals:
+  - user: "{{ nova_system_user_name }}"
+    principals: "{{ nova_ssh_key_principals | default(['nova']) }}"
--- a/tasks/nova_compute.yml
+++ b/tasks/nova_compute.yml
@ -21,21 +21,41 @@
  tags:
    - always

- include_tasks: nova_compute_key_populate.yml
-  args:
-    apply:
-      tags:
-        - nova-config
-        - nova-key
+- name: Create the nova SSH config file
+  copy:
+    src: "ssh_config"
+    dest: "{{ nova_system_home_folder }}/.ssh/config"
+    owner: "{{ nova_system_user_name }}"
+    group: "{{ nova_system_user_name }}"
+    mode: "0644"
  tags:
-    - always
+    - nova-key

- include_tasks: nova_compute_key_distribute.yml
+# NOTE(jrosser) Remove this task in the Z development cycle
+- name: Clean up legacy ssh keys configuration
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - "/usr/local/bin/openstack-nova-key.sh"
+    - "{{ nova_system_home_folder }}/.ssh/authorized_keys"
+  tags:
+    - nova-key
+
+- name: Create ssh keys and config for cold migrations
+  include_role:
+    name: openstack.osa.ssh_keypairs
  args:
    apply:
      tags:
-        - nova-config
        - nova-key
+  vars:
+      ssh_keypairs_setup_host: "{{ nova_ssh_keypairs_setup_host }}"
+      ssh_keypairs_dir: "{{ nova_ssh_keypairs_dir }}"
+      ssh_keypairs: "{{ nova_ssh_keypairs }}"
+      ssh_keypairs_install_keys: "{{ nova_ssh_keypairs_install_keys }}"
+      ssh_keypairs_install_ca: "{{ nova_ssh_keypairs_install_ca }}"
+      ssh_keypairs_principals: "{{ nova_ssh_keypairs_principals }}"
  tags:
    - always

--- a/tasks/nova_compute_key_distribute.yml
+++ b/tasks/nova_compute_key_distribute.yml
@ -1,56 +0,0 @@
---
-# Copyright 2014, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
- name: Determine first available nova compute host
-  set_fact:
-    first_available_compute: "{{ groups['nova_compute'] | intersect(play_hosts) | first }}"
-  tags:
-    - nova-key
-    - nova-key-distribute
-
-# The authorized key file script will be generated locally and copied to all known
-#  compute hosts within the environment. This script will add a key to the nova
-#  user's .ssh/authorized_keys file if it's not already found.
- name: Drop authorized keys file script locally
-  template:
-    src: "nova-key-insert.sh.j2"
-    dest: "/var/tmp/openstack-nova-key.sh"
-    mode: "0755"
-  delegate_to: localhost
-  when:
-    - inventory_hostname == first_available_compute
-  tags:
-    - nova-key
-    - nova-key-distribute
-
- name: Copy templated authorized keys file script
-  copy:
-    src: "/var/tmp/openstack-nova-key.sh"
-    dest: "/usr/local/bin/openstack-nova-key.sh"
-    mode: "0755"
-  tags:
-    - nova-key
-    - nova-key-distribute
-
- name: Run authorized keys file script
-  command: "/usr/local/bin/openstack-nova-key.sh"
-  register: key_create
-  changed_when: key_create.rc == 3
-  failed_when:
-    - key_create.rc != 3
-    - key_create.rc != 0
-  tags:
-    - nova-key
-    - nova-key-distribute
--- a/tasks/nova_compute_key_populate.yml
+++ b/tasks/nova_compute_key_populate.yml
@ -1,41 +0,0 @@
---
-# Copyright 2014, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
- name: Create the nova SSH config file
-  copy:
-    src: "ssh_config"
-    dest: "{{ nova_system_home_folder }}/.ssh/config"
-    owner: "{{ nova_system_user_name }}"
-    group: "{{ nova_system_user_name }}"
-    mode: "0644"
-  tags:
-    - nova-key
-    - nova-key-create
-
- name: Get public key contents and store as var
-  slurp:
-    src: "{{ nova_system_home_folder }}/.ssh/id_rsa.pub"
-  register: nova_pub
-  changed_when: false
-  tags:
-    - nova-key
-    - nova-key-create
-
- name: Register a fact for the nova pub key
-  set_fact:
-     nova_pubkey: "{{ nova_pub.content }}"
-  tags:
-    - nova-key
-    - nova-key-create
--- a/tasks/nova_pre_install.yml
+++ b/tasks/nova_pre_install.yml
@ -22,20 +22,6 @@
  tags:
    - nova-group

- name: Remove old key file(s) if found
-  file:
-    path: "{{ item }}"
-    state: "absent"
-  with_items:
-    - "{{ nova_system_home_folder }}/.ssh/authorized_keys"
-    - "{{ nova_system_home_folder }}/.ssh/id_rsa"
-    - "{{ nova_system_home_folder }}/.ssh/id_rsa.pub"
-  when:
-    - nova_recreate_keys | bool
-  tags:
-    - nova-key
-    - nova-key-create
-
 - name: Create the nova system user
  user:
    name: "{{ nova_system_user_name }}"
@ -50,7 +36,6 @@
  tags:
    - nova-user
    - nova-key
-    - nova-key-create

 - name: Create Nova NFS mount point(s)
  file: