Add zuul user to bridge.openstack.org
We want to trigger ansible runs on bridge.o.o from zuul jobs. The first iteration of this tried to log in as root, but this is not allowed by our ssh config. That config seems reasonable, so we add a zuul user instead, which we can ssh in as and then run things as root from zuul jobs. This makes use of our existing user management system. Change-Id: I257ebb6ffbade4eb645a08d3602a7024069e60b3
parent
e29a62d87f
commit
9342c2aa6d
@ -24,12 +24,3 @@
|
|||||||
- ansible-cron
|
- ansible-cron
|
||||||
- cloud-launcher-cron
|
- cloud-launcher-cron
|
||||||
- edit-secrets-script
|
- edit-secrets-script
|
||||||
tasks:
|
|
||||||
- name: Allow Zuul to trigger Ansible
|
|
||||||
authorized_key:
|
|
||||||
state: present
|
|
||||||
user: root
|
|
||||||
key: "{{ item }}"
|
|
||||||
loop:
|
|
||||||
- "https://zuul.openstack.org/api/project-ssh-key/openstack-infra/system-config.pub"
|
|
||||||
- "https://zuul.openstack.org/api/project-ssh-key/openstack-infra/project-config.pub"
|
|
||||||
|
@ -156,6 +156,14 @@ all_users:
|
|||||||
uid: 2030
|
uid: 2030
|
||||||
gid: 2030
|
gid: 2030
|
||||||
|
|
||||||
|
zuulcd:
|
||||||
|
comment: Zuul CICD
|
||||||
|
key: |
|
||||||
|
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcXd/QJDEprSLh6N6bULnhchf9M+uzYBEJ2b51Au67FON+5M6VEj5Ut+DlkEPhabOP+tSv9Cn1HpmpBjdEOXdmBj6JS7G/gBb4w28oZDyNjrPT2ebpRw/XnVEkGfikR2J+j3o7CV+ybhLDalXm2TUDReVXnONUq3YzZbjRzoYs0xxrxyss47vZP0xFpsAt9jCMAJW2k6H589VUY38k9LFyhZUZ72FB6eJ68B9GN0TimBYm2DqvupBGQrRhkP8OZ0WoBV8PulKXaHVFdmfBNHB7E7FLlZKuiM6nkV4bOWMGOB/TF++wXBK86t9po3pWCM7+kr72xGRTE+6LuZ2z1K+h zuul-system-config-20180924
|
||||||
|
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQbidZ1wW8moNtPGBhZ3oDm1kcDtiAemI51euL6KZslwpG8CKMT0KBSYw1vpCYc5dYCerq63dQtg2Bm1rhc2gC/U2bbMlvnNPwlkS7eykVfrPDfJHVbff+qHv7l1e1ZoCVAEvVxXG/FgFUiqIKwEhMqG/Etegw07H7vERNETGE5RyRA8cMnK9Cj4oL0OUpZAv7o1a+A+gXRv1EMdWL7g9M6OImikO48w+ZSLOA8uD+0MmN23nh335k2VG609u+ZxTkZAB4GtW0HSCTFu5MCmJFaY1+5cCNedsC9O4ekaXNQxYelFxasN5Qe7miRWcR+Ax8g3HjHpG3Hc1LSc/6XVcj zuul-project-config-20180924
|
||||||
|
uid: 2031
|
||||||
|
gid: 2031
|
||||||
|
|
||||||
# List of users to install on all hosts
|
# List of users to install on all hosts
|
||||||
base_users:
|
base_users:
|
||||||
- mordred
|
- mordred
|
||||||
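Review bot: The two `ssh-rsa` entries under `zuulcd.key` are pasted snapshots with no comment saying where they came from, and because the playbook changed in this commit runs its command with `become`, whoever holds the matching private keys can presumably act as root on bridge. The suffixes `zuul-system-config-20180924` and `zuul-project-config-20180924` suggest these are the Zuul per-project keys for system-config and project-config, but that is inferred from the labels only. I would add a comment above `key: |` such as `# Zuul per-project SSH public keys (system-config, project-config), labelled 20180924; update here if Zuul rotates them`, so a stale or unexpected key is easy to spot in review. If the user-management role writes this block to authorized_keys verbatim, it is also worth checking whether option prefixes like `no-port-forwarding,no-agent-forwarding` can be set for this account.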
|
@ -1,3 +1,5 @@
|
|||||||
ansible_python_interpreter: python3
|
ansible_python_interpreter: python3
|
||||||
bastion_key_exclusive: false
|
bastion_key_exclusive: false
|
||||||
kube_config_template: clouds/bridge_kube_config.yaml.j2
|
kube_config_template: clouds/bridge_kube_config.yaml.j2
|
||||||
|
extra_users:
|
||||||
|
- zuulcd
|
||||||
|
@ -3,9 +3,17 @@
|
|||||||
- name: Add bridge.o.o to inventory
|
- name: Add bridge.o.o to inventory
|
||||||
add_host:
|
add_host:
|
||||||
name: bridge.openstack.org
|
name: bridge.openstack.org
|
||||||
ansible_user: root
|
ansible_user: zuulcd
|
||||||
|
|
||||||
|
- hosts: localhost
|
||||||
|
tasks:
|
||||||
|
- name: Add bridge.o.o hostkey to known hosts
|
||||||
|
known_hosts:
|
||||||
|
name: bridge.openstack.org
|
||||||
|
key: "bridge.openstack.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxRzDkWvvVQtsLTAqAwedRWA84/42KKVdFS0QP8lZFsMpgTXUhjipJ7VcFun5gM87tnt0J71rlN+ospBh0/1wfp2jASEskUyGhXAa5xHjnJN7veUyW+AggEosK/OTunvZgf54p1sQg45Sq/uCjc0Ua0fRMOq2o5z/mgpl6rSjLOlWi9wKA/6axnUbs9w4iD5esyBQ+VcISSJOTqhAo/3UG0NwCU+6Ggwwhg0nl5iCMpQfq4A207IbJ72MkJzlQgW3edsRb5POzdZcGxkTYvVdP3kgHP4Bof3MFFZjBUMz6SuRQyNV5poysMtbtlO0SvgAJNhXr6Vn0GA9XhqFP6+HT"
|
||||||
|
|
||||||
- hosts: bridge.openstack.org
|
- hosts: bridge.openstack.org
|
||||||
tasks:
|
tasks:
|
||||||
- name: Run specified playbook on bridge.o.o
|
- name: Run specified playbook on bridge.o.o
|
||||||
|
become: yes
|
||||||
command: ansible-playbook -f {{ ansible_forks }} /opt/system-config/playbooks/{{ playbook_name }}
|
command: ansible-playbook -f {{ ansible_forks }} /opt/system-config/playbooks/{{ playbook_name }}
|
||||||
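Review bot: With `become: yes` added, the `command:` line now runs `ansible-playbook` as root on bridge with `{{ playbook_name }}` and `{{ ansible_forks }}` interpolated as-is, and nothing in this play checks either value first. Where those variables are set is outside this section; if any job outside a trusted config project can supply them, the values should be constrained before the privileged step. I would add an assert task ahead of the run that accepts only a bare file name and an integer fork count, as sketched below; the pattern is a guess at the naming scheme and would need adjusting if playbooks live in subdirectories. Separately, `become: yes` reads more predictably as `become: true`.

```yaml
- hosts: bridge.openstack.org
  tasks:
    - name: Check that playbook_name is a bare playbook file name
      assert:
        that:
          - "playbook_name is match('^[A-Za-z0-9_.-]+$')"
          - "'..' not in playbook_name"
          - "ansible_forks | int > 0"
    # … unchanged: Run specified playbook on bridge.o.o …
```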
|
@ -51,13 +51,13 @@ def test_cloud_launcher_cron(host):
|
|||||||
assert 'run_cloud_launcher.sh' in crontab
|
assert 'run_cloud_launcher.sh' in crontab
|
||||||
|
|
||||||
|
|
||||||
def test_authorized_keys(host):
|
def test_root_authorized_keys(host):
|
||||||
authorized_keys = host.file('/root/.ssh/authorized_keys')
|
authorized_keys = host.file('/root/.ssh/authorized_keys')
|
||||||
assert authorized_keys.exists
|
assert authorized_keys.exists
|
||||||
|
|
||||||
content = authorized_keys.content.decode('utf8')
|
content = authorized_keys.content.decode('utf8')
|
||||||
lines = content.split('\n')
|
lines = content.split('\n')
|
||||||
assert len(lines) >= 3
|
assert len(lines) >= 2
|
||||||
|
|
||||||
|
|
||||||
def test_ara(host):
|
def test_ara(host):
|
||||||
@ -77,3 +77,16 @@ def test_kube_config(host):
|
|||||||
def test_kubectl(host):
|
def test_kubectl(host):
|
||||||
kube = host.run('kubectl help')
|
kube = host.run('kubectl help')
|
||||||
assert kube.rc == 0
|
assert kube.rc == 0
|
||||||
|
|
||||||
|
|
||||||
|
def test_zuulcd_authorized_keys(host):
|
||||||
|
authorized_keys = host.file('/home/zuulcd/.ssh/authorized_keys')
|
||||||
|
assert authorized_keys.exists
|
||||||
|
|
||||||
|
content = authorized_keys.content.decode('utf8')
|
||||||
|
lines = content.split('\n')
|
||||||
|
# Remove empty lines
|
||||||
|
keys = list(filter(None, lines))
|
||||||
|
assert len(keys) >= 2
|
||||||
|
for key in keys:
|
||||||
|
assert 'ssh-rsa' in key
|
||||||
|
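Review bot: `test_zuulcd_authorized_keys` only checks that each non-empty line contains `ssh-rsa`, so it would pass with any two RSA keys in `/home/zuulcd/.ssh/authorized_keys`, including ones nobody intended to authorize. Since this account is used with `become`, I would pin the expected entries, e.g. `assert any('zuul-system-config-20180924' in k for k in keys)` and the same for `zuul-project-config-20180924`, and assert `len(keys) == 2` if no other keys are expected. In the first hunk, `test_root_authorized_keys` still counts the raw `split('\n')` output, so `len(lines) >= 2` is satisfied by a single key followed by a trailing newline; filtering empty lines as the new test does would make that count meaningful.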