24a1528fac
This is related to the work in I0823c09165c445e9178c75ac5083f1988e8d3055 to deploy the host keys from inventory to the bastion host. As noted inline, there's really no reason this host should be connecting anywhere that isn't in the inventory. So caching values can only hide that we might have missed something there. Disable user known_hosts globally. Change-Id: I6d74df90db856cf7773698e3a06180986a531322
# Read the bridge's copy of the inventory file as a base64 blob; the
# following task decodes and parses it.
- name: Load the current inventory from bridge
  register: _bridge_inventory_encoded
  slurp:
    src: "/home/zuul/src/opendev.org/opendev/system-config/inventory/base/hosts.yaml"
# Decode the slurped content and parse it into a structure the later tasks
# can walk (_bridge_inventory['all']['hosts']).
- name: Turn inventory into variable
  set_fact:
    _bridge_inventory: "{{ _bridge_inventory_encoded.content | b64decode | from_yaml }}"
# Render one "hostname,ipv4[,ipv6] key" entry per host key in the inventory.
# The folded scalar produces a string shaped like a list literal; the write
# task below iterates it, so this relies on Ansible converting that string
# into a real list. A host without 'host_keys' or 'public_v4' makes the task
# fail rather than being skipped — presumably intended, since every host the
# bastion talks to is supposed to be codified here (confirm). Do not add
# comment lines inside the scalar: they would become part of the value.
- name: Build known_hosts list
  set_fact:
    bastion_known_hosts: >-
      [
      {%- for host, values in _bridge_inventory['all']['hosts'].items() -%}
      {% for key in values['host_keys'] %}
      '{{ host }},{{ values.public_v4 }}{{ "," + values.public_v6 if 'public_v6' in values}} {{ key }}',
      {% endfor %}
      {%- endfor -%}
      ]
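# Publish the rendered entries as the system-wide known_hosts so every
# account on the bastion verifies host keys against the inventory.
- name: Write out values to /etc/ssh/ssh_known_hosts
  blockinfile:
    path: '/etc/ssh/ssh_known_hosts'
    block: |
      {% for entry in bastion_known_hosts %}
      {{ entry }}
      {% endfor %}
    owner: root
    group: root
    # Quoted so YAML does not read the octal literal as the integer 420.
    mode: '0644'
    create: true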
# Disable writing out known_hosts globally on the bastion host.
# Nothing on this host should be connecting to somewhere not codified
# above; this prevents us possibly hiding that by caching values.
# With the per-user file pointed at /dev/null, only /etc/ssh/ssh_known_hosts
# (written above) is consulted. Whether an unknown host is then refused still
# depends on StrictHostKeyChecking: a client invoked with
# StrictHostKeyChecking=no would connect anyway, so nothing on this host
# should override that — confirm against the ssh/ansible configs in use.
# The regexp is unanchored, so it also matches a commented-out
# UserKnownHostsFile example in a stock ssh_config; if nothing matches,
# lineinfile appends the line at end of file. The leading whitespace in
# 'line' presumably keeps the directive inside the enclosing Host stanza.
- name: Disable known_hosts caching
  lineinfile:
    path: /etc/ssh/ssh_config
    regexp: 'UserKnownHostsFile'
    line: ' UserKnownHostsFile /dev/null'