From f6a0bf7be5b1c0f2739580394a231f57ce78b642 Mon Sep 17 00:00:00 2001
From: Clark Boylan
Date: Thu, 29 Jul 2021 10:26:42 -0700
Subject: [PATCH] Improve gerrit known_hosts management

Previously we were only managing root's known_hosts via ansible but even then this wasn't happening because the gerrit_self_hostkey var wasn't set anywhere. On top of that we need to manage multiple known_hosts because gerrit must recognize itself and all of the gitea servers. Update the code to take a dict of host key values and add each entry to known_hosts for both the root and gerrit2 user. We remove keyscans from tests to ensure that this update is actually working.

Change-Id: If64c34322f64c1fb63bf2ebdcc04355fff6ebba2
---
 inventory/service/group_vars/all.yaml | 5 +++++
 playbooks/roles/gerrit/tasks/main.yaml | 18 ++++++++++++++----
 playbooks/test-review.yaml | 2 --
 .../zuul/templates/group_vars/review.yaml.j2 | 5 +++++
 4 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/inventory/service/group_vars/all.yaml b/inventory/service/group_vars/all.yaml
index ce57c1530b..33114c738d 100644
--- a/inventory/service/group_vars/all.yaml
+++ b/inventory/service/group_vars/all.yaml
@@ -1 +1,6 @@
+# This value is currently set to the value we use in testing.
+# We then override this pubkey everywhere we need to in prod
+# host/group vars.
+# TODO replace this value with the prod pubkey value and force
+# testing to override rather than the other way around.
 gerrit_ssh_rsa_pubkey_contents: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+pCQlTAQYmCrOY6aPbvbyKQDcOCXibPNGIjnPPMuEItCS0vtRnqEBz7znWZS5Drq9yKpROh6uFF01ao2VnNjw6f+NdRNV19RWVe6mYN+qa2VrH2caLwBrKPiH0Xc/eK41D55dZU7IWwKYAw/NpiBaBfHavFwipI+rmEb68MH2hcimDdr/bji+0hkh3X+42dkNvmMdtkuCW6nKdAEhnXaHZc5SJR/EvzgRCfB8vbML13p46O9xhoJgn7ZWvMb3vaR5jxIkQwstUR36raEVhttBDEuWasWnHYbrM1zd3ooudbTEQf5vXISZKFygHyJFFqb4iQ76i+hDlb0VQKZCdaol gerrit-code-review@829f141b0fa5
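Review bot: Defaulting `gerrit_ssh_rsa_pubkey_contents` in the all-hosts group_vars to the test public key means a production host that lacks an override silently picks up a key whose private half appears to be committed alongside it in the test template (the `gerrit_ssh_rsa_key_contents` block is visible as context in the review.yaml.j2 hunk of this same commit, and the added pubkey there is the same blob). The TODO on the added comment already points in the safer direction; until it is done I would rather leave the value undefined here and have the gerrit role fail early with `assert: { that: gerrit_ssh_rsa_pubkey_contents is defined }`, so a missing prod override is a loud failure rather than a usable but publicly known host key. It would also help to extend the `# TODO` comment with where the prod overrides are expected to live, so the next reader can check coverage.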
diff --git a/playbooks/roles/gerrit/tasks/main.yaml b/playbooks/roles/gerrit/tasks/main.yaml
index f5444f5b1a..bda2016672 100644
--- a/playbooks/roles/gerrit/tasks/main.yaml
+++ b/playbooks/roles/gerrit/tasks/main.yaml
@@ -237,12 +237,22 @@
 group: gerrit2
 mode: 0600
 
-- name: Accept own own hostkey
+- name: Accept own own hostkey for root
 known_hosts:
 state: present
- key: '{{ gerrit_self_hostkey }}'
- name: '[{{ gerrit_vhost_name }}]:29418'
- when: gerrit_self_hostkey is defined
+ key: '{{ item.value }}'
+ name: '{{ item.key }}'
+ loop: '{{ gerrit_known_hosts_keys | dict2items }}'
+ when: gerrit_known_hosts_keys is defined
+
+- name: Accept own own hostkey for gerrit2
+ known_hosts:
+ state: present
+ key: '{{ item.value }}'
+ name: '{{ item.key }}'
+ path: '/home/gerrit2/.ssh/known_hosts'
+ loop: '{{ gerrit_known_hosts_keys | dict2items }}'
+ when: gerrit_known_hosts_keys is defined
 
 - name: Install apache2
 apt:
diff --git a/playbooks/test-review.yaml b/playbooks/test-review.yaml
index ba1a168072..0a058b2641 100644
--- a/playbooks/test-review.yaml
+++ b/playbooks/test-review.yaml
@@ -92,7 +92,6 @@
 ssh-keygen -t ed25519 -f /root/.ssh/id_25519 -P ""
 curl -X POST --user "admin:secret" -H "Content-Type: text/plain" -d@/root/.ssh/id_25519.pub http://localhost:8081/a/accounts/admin/sshkeys
- ssh-keyscan -p 29418 localhost >> /root/.ssh/known_hosts
 git config --global user.name "Admin"
 git config --global user.email "admin@example.com"
@@ -123,7 +122,6 @@
 # openstack-project-creator bootstrapping
 curl -X POST --user "openstack-project-creator:secret" -H "Content-Type: text/plain" -d@/home/gerrit2/review_site/etc/ssh_project_rsa_key.pub http://localhost:8081/a/accounts/openstack-project-creator/sshkeys
- ssh-keyscan -p 29418 localhost >> /home/gerrit2/.ssh/known_hosts
 # This is helpful on a held node when you're trying to fix/enhance
 # the Zuul summary plugin. You can build it locally, scp the new
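Review bot: `when: gerrit_known_hosts_keys is defined` on both new known_hosts tasks turns a missing variable into a silent skip, which is exactly the failure mode the commit message describes for `gerrit_self_hostkey`; nothing in the hunk guarantees the variable is set, so a production host can again end up with no managed known_hosts and no signal. I would drop the `when` entirely (an undefined variable then fails the `loop` expression loudly) or, if the role must stay usable without it, declare `gerrit_known_hosts_keys: {}` in the role defaults and keep the loop unconditional. Separately, the gerrit2 task writes `path: '/home/gerrit2/.ssh/known_hosts'` from a play that, per the commit message, runs as root, so if the file does not yet exist it is presumably created root-owned; a follow-up `file` task with `owner: gerrit2`, `group: gerrit2`, `mode: '0600'` would make the ownership explicit. The task names still read `Accept own own hostkey` although the loop now adds several hosts; `Add known_hosts entries for root` and `Add known_hosts entries for gerrit2` describe what they do.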
diff --git a/playbooks/zuul/templates/group_vars/review.yaml.j2 b/playbooks/zuul/templates/group_vars/review.yaml.j2
index ec83d5f4e3..260c649512 100644
--- a/playbooks/zuul/templates/group_vars/review.yaml.j2
+++ b/playbooks/zuul/templates/group_vars/review.yaml.j2
@@ -26,6 +26,11 @@ gerrit_ssh_rsa_key_contents: |
 pHMmNylg7j2NyL/9aLKs1NzdGBxpxVa5A4vgcr1DjoS1cuRVEiQoSkI6D6DCmENA
 Pb95AevPUxqqAKNZYsj4yDsXnmbFSHARijPWcpfkCDJmVhMFPObr4OE=
 -----END RSA PRIVATE KEY-----
+gerrit_ssh_rsa_pubkey_contents: |
+ ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+pCQlTAQYmCrOY6aPbvbyKQDcOCXibPNGIjnPPMuEItCS0vtRnqEBz7znWZS5Drq9yKpROh6uFF01ao2VnNjw6f+NdRNV19RWVe6mYN+qa2VrH2caLwBrKPiH0Xc/eK41D55dZU7IWwKYAw/NpiBaBfHavFwipI+rmEb68MH2hcimDdr/bji+0hkh3X+42dkNvmMdtkuCW6nKdAEhnXaHZc5SJR/EvzgRCfB8vbML13p46O9xhoJgn7ZWvMb3vaR5jxIkQwstUR36raEVhttBDEuWasWnHYbrM1zd3ooudbTEQf5vXISZKFygHyJFFqb4iQ76i+hDlb0VQKZCdaol test-gerrit-hostkey
+gerrit_known_hosts_keys:
+ '[{% raw %}{{ gerrit_vhost_name }}{% endraw %}]:29418': |
+ [{% raw %}{{ gerrit_vhost_name }}{% endraw %}]:29418,[localhost]:29418,[127.0.0.1]:29418,[::1]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+pCQlTAQYmCrOY6aPbvbyKQDcOCXibPNGIjnPPMuEItCS0vtRnqEBz7znWZS5Drq9yKpROh6uFF01ao2VnNjw6f+NdRNV19RWVe6mYN+qa2VrH2caLwBrKPiH0Xc/eK41D55dZU7IWwKYAw/NpiBaBfHavFwipI+rmEb68MH2hcimDdr/bji+0hkh3X+42dkNvmMdtkuCW6nKdAEhnXaHZc5SJR/EvzgRCfB8vbML13p46O9xhoJgn7ZWvMb3vaR5jxIkQwstUR36raEVhttBDEuWasWnHYbrM1zd3ooudbTEQf5vXISZKFygHyJFFqb4iQ76i+hDlb0VQKZCdaol
 gerrit_project_ssh_rsa_key_contents: |
 -----BEGIN OPENSSH PRIVATE KEY-----
 b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
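Review bot: The entry under `gerrit_known_hosts_keys` repeats the whole public key blob verbatim instead of deriving it from `gerrit_ssh_rsa_pubkey_contents` defined three lines above, so the two can drift apart silently and a host-key rotation has to be edited in two places here (three counting `inventory/service/group_vars/all.yaml` in this commit). Because the rendered group_vars file is templated again at Ansible run time (the existing `{% raw %}{{ gerrit_vhost_name }}{% endraw %}` relies on that), the entry could be built from the variable, e.g. `'[{% raw %}{{ gerrit_vhost_name }}{% endraw %}]:29418': '[{% raw %}{{ gerrit_vhost_name }}{% endraw %}]:29418,[localhost]:29418,[127.0.0.1]:29418,[::1]:29418 {% raw %}{{ gerrit_ssh_rsa_pubkey_contents | trim }}{% endraw %}'`, with `trim` because the `|` block scalar above keeps a trailing newline; the key's trailing comment field is permitted in a known_hosts line. If the blob stays inline, `|-` rather than `|` on the entry would at least avoid handing the known_hosts module a value ending in a newline.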