Add support for adding a user account for SSH access

This requires us to use a bootstrap user account to add the Kayobe user
and group with an authorised SSH key. All subsequent SSH access uses this
new user.

ansible/group_vars/all/controllers

@@ -0,0 +1,7 @@
+---
+###############################################################################
+# Controller node configuration.
+
+# User with which to access the controllers via SSH during bootstrap, in order
+# to setup the Kayobe user account.
+controller_bootstrap_user: "{{ lookup('env', 'USER') }}"

ansible/group_vars/all/globals

@@ -12,3 +12,7 @@ image_cache_path: "{{ ansible_user_dir ~ '/kayobe-image-cache' }}"
 
 # Path on which to checkout source code repositories.
 source_checkout_path: "{{ ansible_user_dir ~ '/kayobe-source' }}"
+
+# User with which to access seed and controller nodes. This user will be
+# created if it does not exist.
+kayobe_ansible_user: "stack"

ansible/group_vars/all/seed-vm

@@ -52,3 +52,7 @@ seed_vm_data_capacity: 100G
 
 # Format of the seed VM data volume.
 seed_vm_data_format: qcow2
+
+# User with which to access the seed VM via SSH during bootstrap, in order to
+# setup the Kayobe user account.
+seed_vm_bootstrap_user: "{{ lookup('env', 'USER') }}"

ansible/group_vars/controllers/ansible-user

@@ -0,0 +1,3 @@
+---
+# User with which to access the controllers via SSH.
+ansible_user: "{{ kayobe_ansible_user }}"

ansible/group_vars/seed/ansible-user

@@ -0,0 +1,3 @@
+---
+# User with which to access the seed VM via SSH.
+ansible_user: "{{ kayobe_ansible_user }}"

ansible/kayobe-ansible-user.yml

@@ -0,0 +1,32 @@
+---
+- name: Ensure the Kayobe Ansible user account exists
+  hosts: seed:controllers
+  vars:
+    ansible_user: "{{ seed_vm_bootstrap_user if inventory_hostname in groups['seed'] else controller_bootstrap_user }}"
+  tasks:
+    - name: Ensure the Kayobe Ansible group exists
+      group:
+        name: "{{ kayobe_ansible_user }}"
+        state: present
+      become: True
+
+    - name: Ensure the Kayobe Ansible user account exists
+      user:
+        name: "{{ kayobe_ansible_user }}"
+        group: "{{ kayobe_ansible_user }}"
+        comment: "Kayobe Ansible SSH access"
+        state: present
+      become: True
+
+    - name: Ensure the Kayobe Ansible user has passwordless sudo
+      copy:
+        content: "{{ kayobe_ansible_user }} ALL=(ALL) NOPASSWD: ALL"
+        dest: "/etc/sudoers.d/kayobe-ansible-user"
+        mode: 0440
+      become: True
+
+    - name: Ensure the Kayobe Ansible user has authorized our SSH key
+      authorized_key:
+        user: "{{ kayobe_ansible_user }}"
+        key: "{{ lookup('file', ssh_public_key_path) }}"
+      become: True

deploy-overcloud.sh

@@ -8,8 +8,9 @@ function run_playbook {
     test -e ${KAYOBE_CONFIG_PATH}/inventory
     ansible-playbook \
         -i ${KAYOBE_CONFIG_PATH}/inventory \
-        -e @${KAYOBE_CONFIG_PATH}/globals.yml \
+        -e @${KAYOBE_CONFIG_PATH}/controllers.yml \
         -e @${KAYOBE_CONFIG_PATH}/dns.yml \
+        -e @${KAYOBE_CONFIG_PATH}/globals.yml \
         -e @${KAYOBE_CONFIG_PATH}/kolla.yml \
         -e @${KAYOBE_CONFIG_PATH}/networks.yml \
         -e @${KAYOBE_CONFIG_PATH}/network-allocation.yml \
@@ -34,12 +35,14 @@ function run_kolla_ansible {
 }
 
 function configure_os {
+    ansible_user=$(./kayobe-config-dump -e dump_hosts=controllers[0] -e dump_var_name=kayobe_ansible_user | head -n -1)
     run_playbook ansible/ip-allocation.yml -l controllers
     run_playbook ansible/ssh-known-host.yml -l controllers
+    run_playbook ansible/kayobe-ansible-user.yml -l controllers
     run_playbook ansible/disable-selinux.yml -l controllers
     run_playbook ansible/network.yml -l controllers
     run_playbook ansible/ntp.yml -l controllers
-    run_kolla_ansible bootstrap-servers -e ansible_user=${USER}
+    run_kolla_ansible bootstrap-servers -e ansible_user=${ansible_user}
     run_playbook ansible/kolla-host.yml -l controllers
     run_playbook ansible/docker.yml -l controllers
 }

deploy-seed.sh

@@ -36,12 +36,14 @@ function run_kolla_ansible {
 }
 
 function configure_os {
+    ansible_user=$(./kayobe-config-dump -e dump_hosts=seed -e dump_var_name=kayobe_ansible_user | head -n -1)
     run_playbook ansible/ip-allocation.yml -l seed
     run_playbook ansible/ssh-known-host.yml -l seed
+    run_playbook ansible/kayobe-ansible-user.yml -l seed
     run_playbook ansible/disable-selinux.yml -l seed
     run_playbook ansible/network.yml -l seed
     run_playbook ansible/ntp.yml -l seed
-    run_kolla_ansible bootstrap-servers -e ansible_user=${USER}
+    run_kolla_ansible bootstrap-servers -e ansible_user=${ansible_user}
     run_playbook ansible/kolla-host.yml -l seed
     run_playbook ansible/docker.yml -l seed
 }

etc/kayobe/controllers.yml

@@ -0,0 +1,11 @@
+---
+###############################################################################
+# Controller node configuration.
+
+# User with which to access the controllers via SSH during bootstrap, in order
+# to setup the Kayobe user account.
+#controller_bootstrap_user:
+
+###############################################################################
+# Dummy variable to allow Ansible to accept this file.
+workaround_ansible_issue_8743: yes

etc/kayobe/globals.yml

@@ -13,6 +13,10 @@
 # Path on which to checkout source code repositories.
 #source_checkout_path:
 
+# User with which to access seed and controller nodes. This user will be
+# created if it does not exist.
+#kayobe_ansible_user:
+
 ###############################################################################
 # Dummy variable to allow Ansible to accept this file.
 workaround_ansible_issue_8743: yes

etc/kayobe/seed-vm.yml

@@ -29,6 +29,10 @@
 # Base image for the seed VM root volume.
 #seed_vm_root_image:
 
+# User with which to access the seed VM via SSH during bootstrap, in order to
+# setup the Kayobe user account.
+#seed_vm_bootstrap_user:
+
 ###############################################################################
 # Dummy variable to allow Ansible to accept this file.
 workaround_ansible_issue_8743: yes

kayobe-playbook

@@ -9,6 +9,7 @@ test -e ${KAYOBE_CONFIG_PATH}/inventory
 exec ansible-playbook \
   -i ${KAYOBE_CONFIG_PATH}/inventory \
   -e @${KAYOBE_CONFIG_PATH}/bifrost.yml \
+  -e @${KAYOBE_CONFIG_PATH}/controllers.yml \
   -e @${KAYOBE_CONFIG_PATH}/dns.yml \
   -e @${KAYOBE_CONFIG_PATH}/globals.yml \
   -e @${KAYOBE_CONFIG_PATH}/kolla.yml \