From 014b3004c0edbd40e8b8190ef6cd0f3e136290eb Mon Sep 17 00:00:00 2001
From: Monty Taylor
Date: Mon, 13 Apr 2020 10:10:35 -0500
Subject: [PATCH] Add self host keys to known_hosts on gerrit

We run some utility scripts which ssh to ourselves, but we aren't setting host keys for them. We should fix that.

Change-Id: I2aa5d5e65b15c5c151767377dbc5ead1e442b3ce
---
 playbooks/host_vars/review-dev01.opendev.org.yaml | 1 +
 playbooks/host_vars/review01.openstack.org.yaml | 1 +
 playbooks/roles/backup/tasks/main.yaml | 2 +-
 playbooks/roles/gerrit/tasks/main.yaml | 6 ++++++
 playbooks/roles/gerrit/templates/manage-projects.j2 | 1 +
 playbooks/roles/gerrit/templates/track-upstream.j2 | 1 +
 6 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/playbooks/host_vars/review-dev01.opendev.org.yaml b/playbooks/host_vars/review-dev01.opendev.org.yaml
index 541653da9d..e933ba7563 100644
--- a/playbooks/host_vars/review-dev01.opendev.org.yaml
+++ b/playbooks/host_vars/review-dev01.opendev.org.yaml
@@ -12,3 +12,4 @@ gerrit_vhost_name: review-dev.opendev.org
 gerrit_redirect_vhost: review-dev.openstack.org
 gerrit_project_config_base: /opt/project-config/dev
 gerrit_project_creator_user: openstack-dev-project-creator
+gerrit_self_hostkey: '[review-dev.opendev.org]:29418,[review-dev.openstack.org]:29418,[23.253.109.153]:29418,[2001:4800:7819:104:be76:4eff:fe04:8e55]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRHt4h3i2OFA8FQzPwn510VJlWIDp3Ar1VRTPFs9hTh3zofLJPsGbAqlKxiy4lg1keZIMViQLGRA847kn+TiSBQNqReurTEOo622IzkXGEMy1RJzyzKSioYRtNuyprO3DDCvajvvaWdEB5q2Vr3eKXvIYFJtYmGarZYqMXTL1DYWA9SjviWQWncp2eXCjV05rHAS8DdM1HhYEDdVRXlvUJLH7QVhAWrYrDWUlpUDOOKUEfWCOnFvAwsMAFKDthgeFCr4hJXaIrFJClmp+Fexqy8XJ8CPWKvnYlT46DUVd/ARm6DnfYr0tcudnQw6+TgjzlMAt3/zo11CJ3uDa2aYW5'
diff --git a/playbooks/host_vars/review01.openstack.org.yaml b/playbooks/host_vars/review01.openstack.org.yaml
index fa4490904b..cb14ac9c7a 100644
--- a/playbooks/host_vars/review01.openstack.org.yaml
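Review bot: The added gerrit_self_hostkey value is a single ~500-character line that pins four names/addresses plus the key material with nothing saying what it is or when it must change; the same applies to the review01.openstack.org.yaml hunk. The known_hosts task elsewhere in this change registers the key under `[{{ gerrit_vhost_name }}]:29418`, so the host list inside this string must contain gerrit_vhost_name; for review-dev01 the @@ context shows that name is review-dev.opendev.org, which is present, but for review01 the vhost name is outside the hunk and cannot be confirmed here. A comment above the variable would capture that coupling: `# Public SSH host key of this Gerrit's port 29418 (OpenSSH known_hosts line). Its host list must include gerrit_vhost_name, and the value must be regenerated whenever the Gerrit SSH host key or the listed addresses change.`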
+++ b/playbooks/host_vars/review01.openstack.org.yaml
@@ -84,3 +84,4 @@ letsencrypt_certs:
 # Also, on review01.openstack.org, 3001 is openstackwatch and
 # 3002 is github.
 letsencrypt_gid: 3003
+gerrit_self_hostkey: '[review.opendev.org]:29418,[review.openstack.org]:29418,[104.130.246.32]:29418,[2001:4800:7819:103:be76:4eff:fe04:9229]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1u1xdkaUv31ZDDPuRMZB2up2X/7CppphCcbZFWySZ4jL/g+XVahbGTgOoJ9hgH4pm5B6EZDZvvs93N0aHC/tlRLS1e3uqGdCiQt4dk/1Q1TLFM5k/DdvlhXDZrrafeMquhrGGuh5KUZQ97abIYTs7aMqyjzYW0tHu1QatcmDdCb90BXsMg6pLXx3dktsJZAWao457maAJxmAl0FY6iO3odlXM+lM+rayskYMvwHi2Atq8MLISdZJX05SpaSGmXji8ee80bK1fSqCVIOWMWiBT/ZcczpEFiTwZ+yPQliug70NhG6eD461/d8koNwyi7FjugmjZlO0GiQTu9o9R4BMh'
diff --git a/playbooks/roles/backup/tasks/main.yaml b/playbooks/roles/backup/tasks/main.yaml
index 65f823b103..e07f9cbcf9 100644
--- a/playbooks/roles/backup/tasks/main.yaml
+++ b/playbooks/roles/backup/tasks/main.yaml
@@ -58,4 +58,4 @@
     user: root
     hour: '5'
     minute: '{{ 59|random(seed=item) }}'
-  with_inventory_hostnames: backup-server
\ No newline at end of file
+  with_inventory_hostnames: backup-server
diff --git a/playbooks/roles/gerrit/tasks/main.yaml b/playbooks/roles/gerrit/tasks/main.yaml
index e040a572cc..dc87325428 100644
--- a/playbooks/roles/gerrit/tasks/main.yaml
+++ b/playbooks/roles/gerrit/tasks/main.yaml
@@ -245,6 +245,12 @@
     group: gerrit2
     mode: 0600
 
+- name: Accept own own hostkey
+  known_hosts:
+    state: present
+    key: '{{ gerrit_self_hostkey }}'
+    name: '[{{ gerrit_vhost_name }}]:29418'
+
 - name: Install apache2
   apt:
     name:
diff --git a/playbooks/roles/gerrit/templates/manage-projects.j2 b/playbooks/roles/gerrit/templates/manage-projects.j2
index d7e94425fb..78f9861e5e 100644
--- a/playbooks/roles/gerrit/templates/manage-projects.j2
+++ b/playbooks/roles/gerrit/templates/manage-projects.j2
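Review bot: The new known_hosts task leaves `path` at its default, so the key lands in the `~/.ssh/known_hosts` of whatever user Ansible runs this role as, while manage-projects.j2 and track-upstream.j2 in the same change hard-code `/root/.ssh/known_hosts`; adding `path: /root/.ssh/known_hosts` to the task makes that contract explicit instead of relying on the play running as root. The task name `Accept own own hostkey` has a doubled word; `- name: Accept own hostkey`. As far as I recall the module also verifies that `name` occurs in the host list of `key` and fails otherwise, so a short comment on the task noting that gerrit_vhost_name must appear in gerrit_self_hostkey would help whoever next renames a vhost.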
@@ -22,5 +22,6 @@ exec docker run --rm --net=host -u root \
     -v/opt/lib/jeepyb:/opt/lib/jeepyb \
     -v/home/gerrit2/review_site/etc/ssh_project_rsa_key:/home/gerrit2/review_site/etc/ssh_project_rsa_key \
     -v/home/gerrit2/projects.ini:/home/gerrit2/projects.ini \
+    -v/root/.ssh/known_hosts:/root/.ssh/known_hosts \
     -v/var/log:/var/log \
     {{ gerrit_container_image }} manage-projects $@
diff --git a/playbooks/roles/gerrit/templates/track-upstream.j2 b/playbooks/roles/gerrit/templates/track-upstream.j2
index 117035f5ab..c12337b5b6 100644
--- a/playbooks/roles/gerrit/templates/track-upstream.j2
+++ b/playbooks/roles/gerrit/templates/track-upstream.j2
@@ -21,5 +21,6 @@ exec docker run --rm --net=host -u root \
     -v/opt/lib/jeepyb:/opt/lib/jeepyb \
     -v/home/gerrit2/review_site/etc/ssh_project_rsa_key:/home/gerrit2/review_site/etc/ssh_project_rsa_key \
     -v/home/gerrit2/projects.ini:/home/gerrit2/projects.ini \
+    -v/root/.ssh/known_hosts:/root/.ssh/known_hosts \
     -v/var/log:/var/log \
     {{ gerrit_container_image }} track-upstream -v -l /var/log/track_upstream.log
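Review bot: The added bind mount in both manage-projects.j2 and track-upstream.j2 is read-write, and the container runs as root on the host network, so anything executing inside it can rewrite the host's `/root/.ssh/known_hosts` and with it the trust anchors every later root ssh on the machine relies on; mounting it read-only, `-v/root/.ssh/known_hosts:/root/.ssh/known_hosts:ro \`, gives the scripts what they need without that exposure. Separately, if the file does not yet exist on the host when the container starts (a fresh host where the gerrit role's known_hosts task has not run yet), Docker creates a directory at that path, which then breaks ssh inside the container; a one-line comment in each template naming that ordering dependency on the known_hosts task would save a confusing debug session. Whether ssh inside the image actually reads `/root/.ssh` depends on the image's HOME for root, which is not visible here.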