openstack/openstack-ansible-os_octavia
Code Issues Proposed changes

Provide better flexability for SSH keypair options

Browse Source 
At the moment we do generate SSH keypairs for octavia with pre-defined
options for backwards compatability.
In the meanwhile it might not make much sense for new deployments,
though there's no clear way to overrride these options.]

With that we implement a bunch of new variables that allows to tune
properties for the SSH key to be used.

Change-Id: I5c4c20e7375b2471cc47ac628e007d6297bdeb7e
This commit is contained in:
Dmitriy Rabotyagov 2024-09-02 12:59:57 +02:00
parent 689aa04a20
commit f976e5fd28
3 changed files with 40 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
defaults/main.yml
View File

@ -341,9 +341,22 @@ octavia_security_group_name: octavia_sec_grp
octavia_security_group_additional_rules: [] octavia_security_group_additional_rules: []
# Restrict access to only authorized hosts # Restrict access to only authorized hosts
octavia_security_group_rule_cidr: "{{ octavia_management_net_subnet_cidr }}" octavia_security_group_rule_cidr: "{{ octavia_management_net_subnet_cidr }}"
octavia_resources_deploy_host: localhost
octavia_resources_deploy_python_interpreter: "{{ ansible_playbook_python }}"
# ssh enabled - switch to True if you need ssh access to the amphora # ssh enabled - switch to True if you need ssh access to the amphora
octavia_ssh_enabled: False octavia_ssh_enabled: False
octavia_ssh_key_manage: True
octavia_ssh_key_name: octavia_key octavia_ssh_key_name: octavia_key
octavia_ssh_key_dir: "{{ lookup('env', 'HOME') ~ '/.ssh' }}"
# SSH Key variables below are set to "old" values for backwards compatability
# of how Nova used to generate keypairs.
octavia_ssh_key_comment: Generated-by-Nova
# Options: ssh, pkcs1 and pkcs8
octavia_ssh_key_format: ssh
# Options: rsa, dsa, rsa1, ecdsa, ed25519
octavia_ssh_key_type: rsa
octavia_ssh_key_size: 2048
# port the agent listens on # port the agent listens on
octavia_agent_port: "9443" octavia_agent_port: "9443"
octavia_health_manager_port: 5555 octavia_health_manager_port: 5555

16
releasenotes/notes/octavia_ssh_keypair_options-a6f9cfeb51bdfefa.yaml Normal file
View File

@ -0,0 +1,16 @@
---
features:
- |
Added variables to better control SSH keypair generation for Octavia:
* ``octavia_ssh_key_manage`` (True): Enables an Octavia role to generate
and manage SSH keypair to be used for Amphoras.
* ``octavia_resources_deploy_host`` (localhost): The host on which SSH key will be
created.
* ``octavia_ssh_key_dir`` (${HOME}/.ssh): Directory under which keypair
will be created on the ``octavia_resources_deploy_host``
* ``octavia_ssh_key_comment`` (Generated-by-Nova): Comment for the keypair.
* ``octavia_ssh_key_format`` (ssh): Format for the stored private key
* ``octavia_ssh_key_type`` (rsa): Type of the SSH keypair generated
* ``octavia_ssh_key_size`` (2048): Private key length.

19
tasks/octavia_resources.yml
View File

@ -29,6 +29,8 @@
vars: vars:
openstack_resources_setup_host: "{{ octavia_service_setup_host }}" openstack_resources_setup_host: "{{ octavia_service_setup_host }}"
openstack_resources_python_interpreter: "{{ octavia_service_setup_host_python_interpreter }}" openstack_resources_python_interpreter: "{{ octavia_service_setup_host_python_interpreter }}"
openstack_resources_deploy_host: "{{ octavia_resources_deploy_host }}"
openstack_resources_deploy_python_interpreter: "{{ octavia_resources_deploy_python_interpreter }}"
openstack_resources_image: "{{ (octavia_download_artefact | bool) | ternary({'images': octavia_amp_image_resource}, {}) }}" openstack_resources_image: "{{ (octavia_download_artefact | bool) | ternary({'images': octavia_amp_image_resource}, {}) }}"
openstack_resources_identity: openstack_resources_identity:
quotas: quotas:
@ -116,15 +118,13 @@
extra_specs: "{{ octavia_amp_extra_specs | default({}) }}" extra_specs: "{{ octavia_amp_extra_specs | default({}) }}"
_octavia_keypairs: _octavia_keypairs:
keypairs: keypairs:
# NOTE(noonedeadpunk): We define old/short keypair algorythms for backwards compatibiltiy with
# previous keypair generation which was handled by Nova:
# https://opendev.org/openstack/nova/src/commit/7e8e0dd1ab2e46c6f95746b47189e81b5a228c69/nova/crypto.py#L97
- name: "{{ octavia_ssh_key_name }}" - name: "{{ octavia_ssh_key_name }}"
path: "{{ octavia_ssh_key_dir | default(lookup('env', 'HOME') ~ '/.ssh') }}/{{ octavia_ssh_key_name }}" path: "{{ octavia_ssh_key_dir }}/{{ octavia_ssh_key_name }}"
state: "{{ (octavia_ssh_enabled | bool) | ternary('present', 'absent') }}" state: "{{ (octavia_ssh_enabled | bool) | ternary('present', 'absent') }}"
private_key_format: ssh private_key_format: "{{ octavia_ssh_key_format }}"
size: 2048 size: "{{ octavia_ssh_key_size }}"
comment: Generated-by-Nova comment: "{{ octavia_ssh_key_comment }}"
type: "{{ octavia_ssh_key_type }}"
auth: auth:
auth_url: "{{ keystone_service_adminurl }}" auth_url: "{{ keystone_service_adminurl }}"
username: "{{ octavia_service_user_name }}" username: "{{ octavia_service_user_name }}"
@ -134,7 +134,10 @@
project_domain_name: "{{ octavia_service_project_domain_id }}" project_domain_name: "{{ octavia_service_project_domain_id }}"
openstack_resources_compute: |- openstack_resources_compute: |-
{% set compute_resources = _octavia_keypairs %} {% set compute_resources = {} %}
{% if octavia_ssh_key_manage %}
{% set _ = compute_resources.update(_octavia_keypairs) %}
{% endif %}
{% if octavia_nova_flavor_uuid is not defined %} {% if octavia_nova_flavor_uuid is not defined %}
{% set _ = compute_resources.update(_octavia_flavors) %} {% set _ = compute_resources.update(_octavia_flavors) %}
{% endif %} {% endif %}