Allow Zuul to log into bridge

Allow post-review jobs running under system-config and project-config
to ssh into bridge in order to run Ansible.

Change-Id: I841f87425349722ee69e2f4265b99b5ee0b5a2c8
James E. Blair 2018-09-12 10:16:56 -06:00
parent 9b12ffa25e
commit c49d5d6f2b
6 changed files with 26 additions and 2 deletions


@ -7,3 +7,12 @@
- root-keys - root-keys
- ansible-cron - ansible-cron
- cloud-launcher-cron - cloud-launcher-cron
tasks:
- name: Allow Zuul to trigger Ansible
authorized_key:
state: present
user: root
key: "{{ item }}"
loop:
- "https://zuul.openstack.org/api/project-ssh-key/openstack-infra/system-config.pub"
- "https://zuul.openstack.org/api/project-ssh-key/openstack-infra/project-config.pub"
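Review bot: The `authorized_key` task added under `tasks:` installs root keys that are fetched from the Zuul API URL each time the play runs, and it sets no `key_options`, whereas the bastion key task shown later in this change carries a `from=` restriction. Root access to bridge therefore depends on whatever that endpoint returns at apply time, and the resulting entries are not limited to any source address. Consider pinning the public key text in a reviewed variable instead of a URL, so that a key change shows up as a diff. If the Zuul executors have stable addresses, also add a `key_options: 'from="..."'` line. The play starts outside this hunk, so the host it targets is inferred from the commit message.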


@ -1 +1,2 @@
ansible_python_interpreter: python3 ansible_python_interpreter: python3
bastion_key_exclusive: false


@ -2,4 +2,8 @@ Basic common server configuration
**Role Variables** **Role Variables**
* None .. zuul:rolevar:: bastion_key_exclusive
:default: True
Whether the bastion ssh key is the only key allowed to ssh in as
root.


@ -1,6 +1,7 @@
bastion_ipv4: 23.253.245.198,23.253.234.219 bastion_ipv4: 23.253.245.198,23.253.234.219
bastion_ipv6: 2001:4800:7818:101:3c21:a454:23ed:4072,2001:4800:7817:103:be76:4eff:fe04:5a1d bastion_ipv6: 2001:4800:7818:101:3c21:a454:23ed:4072,2001:4800:7817:103:be76:4eff:fe04:5a1d
bastion_public_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSLlN41ftgxkNeUi/kATYPwMPjJdMaSbgokSb9PSkRPZE7GeNai60BCfhu+ky8h5eMe70Bpwb7mQ7GAtHGXPNU1SRBPhMuVN9EYrQbt5KSiwuiTXtQHsWyYrSKtB+XGbl2PhpMQ/TPVtFoL5usxu/MYaakVkCEbt5IbPYNg88/NKPixicJuhi0qsd+l1X1zoc1+Fn87PlwMoIgfLIktwaL8hw9mzqr+pPcDIjCFQQWnjqJVEObOcMstBT20XwKj/ymiH+6p123nnlIHilACJzXhmIZIZO+EGkNF7KyXpcBSfv9efPI+VCE2TOv/scJFdEHtDFkl2kdUBYPC0wQ92rp puppet-remote-2014-09-15 bastion_public_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSLlN41ftgxkNeUi/kATYPwMPjJdMaSbgokSb9PSkRPZE7GeNai60BCfhu+ky8h5eMe70Bpwb7mQ7GAtHGXPNU1SRBPhMuVN9EYrQbt5KSiwuiTXtQHsWyYrSKtB+XGbl2PhpMQ/TPVtFoL5usxu/MYaakVkCEbt5IbPYNg88/NKPixicJuhi0qsd+l1X1zoc1+Fn87PlwMoIgfLIktwaL8hw9mzqr+pPcDIjCFQQWnjqJVEObOcMstBT20XwKj/ymiH+6p123nnlIHilACJzXhmIZIZO+EGkNF7KyXpcBSfv9efPI+VCE2TOv/scJFdEHtDFkl2kdUBYPC0wQ92rp puppet-remote-2014-09-15
bastion_key_exclusive: true
base_packages: base_packages:
- at - at
- git - git


@ -33,7 +33,7 @@
authorized_key: authorized_key:
state: present state: present
user: root user: root
exclusive: yes exclusive: "{{ bastion_key_exclusive }}"
key: "{{ bastion_public_key }}" key: "{{ bastion_public_key }}"
key_options: | key_options: |
from="{{ bastion_ipv4 }},{{ bastion_ipv6 }},localhost" from="{{ bastion_ipv4 }},{{ bastion_ipv6 }},localhost"
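Review bot: Once `exclusive` is driven by `bastion_key_exclusive`, a host that sets it to false (as the one-line vars change in this commit does) no longer has root's `authorized_keys` pruned, so a key later dropped from the playbooks or added by hand stays valid until someone removes it. I would add a comment above the task such as `# exclusive=false leaves unmanaged root keys in place; retire keys with an explicit state: absent task`. The value also arrives as a templated string and relies on implicit bool coercion; `exclusive: "{{ bastion_key_exclusive | bool }}"` makes the intent explicit. The task's name line is outside the hunk.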


@ -49,3 +49,12 @@ def test_cloud_launcher_cron(host):
with host.sudo(): with host.sudo():
crontab = host.check_output('crontab -l') crontab = host.check_output('crontab -l')
assert 'run_cloud_launcher.sh' in crontab assert 'run_cloud_launcher.sh' in crontab
def test_authorized_keys(host):
authorized_keys = host.file('/root/.ssh/authorized_keys')
assert authorized_keys.exists
content = authorized_keys.content.decode('utf8')
lines = content.split('\n')
assert len(lines) >= 3
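Review bot: `assert len(lines) >= 3` in `test_authorized_keys` counts every element of `content.split('\n')`, including the empty string after a trailing newline and any comment lines, so it can pass with fewer than three keys. It also says nothing about which keys root trusts. Filter first with `keys = [l for l in content.splitlines() if l.strip() and not l.startswith('#')]`, then assert on the expected entries, for example that the bastion key line still carries its `from=` option and that the count matches the keys the playbook installs. An exact count rather than `>=` would also catch an unexpected extra root key.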