vos-release: fix key sourcing; disable exclusive key

I wasn't correctly sourcing the key; it has to come from hostvars as it is in a different play on different hosts. This fixes it. We also need to not have the base roles overwrite the authorized_keys file each time. The key we provision can only run a limited script that wraps "vos release". Unfortunately our gitops falls down a bit here because we don't have full testing for the AFS servers; put this on the todo list :) I have run this manually for testing. Change-Id: I0995434bde7e43082c01daa331c4b8b268d9b4bc
2019-11-20 14:22:28 +11:00 · 2019-11-20 14:22:28 +11:00 · 3153f27c24
commit 3153f27c24
parent 5a9ad025d9
3 changed files with 14 additions and 7 deletions
--- a/playbooks/group_vars/afs.yaml
+++ b/playbooks/group_vars/afs.yaml
@ -1 +1,6 @@
 iptables_extra_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]
+
+# we allow a special key deployed on the mirror-update hosts to run a
+# restricted script that runs "vos release" with localauth
+# permissions, to avoid timeouts.  See vos-release role.
+bastion_key_exclusive: false
--- a/playbooks/roles/vos-release/README.rst
+++ b/playbooks/roles/vos-release/README.rst
@ -5,10 +5,10 @@ Install a user and script to do remote ``vos release`` with
 timeouts.

 This relies on ``vos_release_keypair`` which is expected to be a
-single keypair from the mirror-update host.  It will allow that
-keypair to run ``/usr/local/bin/vos_release.sh``, which filters the
-incoming command.  Releases are expected to be triggered on the update
-host with::
+single keypair set previously by hosts in the "mirror-update" group.
+It will allow that keypair to run ``/usr/local/bin/vos_release.sh``,
+which filters the incoming command.  Releases are expected to be
+triggered on the update host with::

  ssh -i /root/.ssh/id_vos_release afs01.dfw.openstack.org vos release <mirror>.<volume>

--- a/playbooks/roles/vos-release/tasks/main.yaml
+++ b/playbooks/roles/vos-release/tasks/main.yaml
@ -9,11 +9,13 @@
 - name: Ensure update key
  assert:
    that:
-      - vos_release_keypair is defined
+      - hostvars[item]['vos_release_keypair'] is defined
+  with_inventory_hostnames: mirror-update

 - name: Install vos release key
  authorized_key:
    user: 'root'
    state: present
-    key: '{{ vos_release_keypair["public_key"] }}'
-    key_options: 'command="/usr/local/bin/vos_release.sh",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty'
+    key: '{{ hostvars[item]["vos_release_keypair"]["public_key"] }}'
+    key_options: 'command="/usr/local/bin/vos_release.sh",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty'
+  with_inventory_hostnames: mirror-update