diff --git a/inventory/group_vars/all/ssh.yml b/inventory/group_vars/all/ssh.yml
new file mode 100644
index 0000000000..8d785c91fb
--- /dev/null
+++ b/inventory/group_vars/all/ssh.yml
@@ -0,0 +1,30 @@
+---
+# Copyright 2022, BBC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+#the name for the SSH signing key
+openstack_ssh_signing_key: "OpenStack-Ansible-SSH-Signing-Key"
+
+#override the setup host with this variable
+#when not defined the default is 'localhost'
+#openstack_ssh_keypairs_setup_host: 'my-ssh-setup-host'
+
+#directory on the ssh setup host to store ssh keypairs
+openstack_ssh_keypairs_dir: "{{ openstack_config_dir }}/ssh_keypairs"
+
+#SSH signing key authority to create on the ssh setup host
+openstack_ssh_keypairs_authorities:
+  - name: "{{ openstack_ssh_signing_key }}"
+
diff --git a/playbooks/certificate-ssh-authority.yml b/playbooks/certificate-ssh-authority.yml
new file mode 100644
index 0000000000..f1c56fde9a
--- /dev/null
+++ b/playbooks/certificate-ssh-authority.yml
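Review bot: The comments introducing each variable (`#the name for the SSH signing key`, `#override the setup host ...`, `#directory on the ssh setup host ...`, `#SSH signing key authority ...`) omit the space after `#` that the license header in the same file and yamllint's `comments` rule use; write them as `# the name for the SSH signing key` and so on. The comment on `openstack_ssh_keypairs_dir` also says less than a deployer needs: judging from `playbooks/certificate-ssh-authority.yml`, which passes it to the role as `ssh_keypairs_dir` alongside the authorities list, this directory will presumably hold the private half of the signing authority named below, so it is worth saying `# directory on the ssh setup host to store ssh keypairs, including the private key of the signing authority below; restrict access and back it up` — confirm against the openstack.osa.ssh_keypairs role. The two blank lines after the license header could be reduced to one to match the single blank lines used between the variables.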
@@ -0,0 +1,31 @@
+# Copyright 2022, BBC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Create SSHD CA
+  hosts: "{{ openstack_ssh_keypairs_setup_host | default('localhost') }}"
+  gather_facts: "{{ osa_gather_facts | default(True) }}"
+  tags:
+    - always
+    - sshd-ca
+  tasks:
+    - name: "Create SSHD certificate authority"
+      include_role:
+        name: openstack.osa.ssh_keypairs
+      vars:
+        ssh_keypairs_setup_host: "{{ openstack_ssh_keypairs_setup_host | default('localhost') }}"
+        ssh_keypairs_dir: "{{ openstack_ssh_keypairs_dir }}"
+        ssh_keypairs: "{{ openstack_ssh_keypairs_authorities }}"
+        ssh_keypairs_install_authorities: false
+        ssh_keypairs_install_keypairs: false
+        ssh_keypairs_install_authorized_keys: false
diff --git a/playbooks/setup-hosts.yml b/playbooks/setup-hosts.yml
index 48aaef9efc..ea6f607861 100644
--- a/playbooks/setup-hosts.yml
+++ b/playbooks/setup-hosts.yml
@@ -14,6 +14,7 @@
 # limitations under the License.
 
 - import_playbook: certificate-authority.yml
+- import_playbook: certificate-ssh-authority.yml
 - import_playbook: certificate-generate.yml
 - import_playbook: openstack-hosts-setup.yml
 - import_playbook: containers-deploy.yml
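Review bot: The `default('localhost')` fallback for the setup host is written twice, once on `hosts:` and again on `ssh_keypairs_setup_host:`, so a later edit to one is easy to miss on the other and the role could end up pointed at a host other than the one the play runs on; if the role only needs the play's own target, `ssh_keypairs_setup_host: "{{ inventory_hostname }}"` removes the duplication — confirm against openstack.osa.ssh_keypairs. The three `ssh_keypairs_install_*: false` settings look deliberate but nothing says why; a comment above them such as `# this play only generates the signing authority; nothing is installed on managed hosts here` would keep a future reader from "fixing" them. The file also lacks the `---` document start that the new `inventory/group_vars/all/ssh.yml` opens with; add it after the license header for consistency.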