From cf4a143e1bebf1aa2017c147a9b630d558db3e49 Mon Sep 17 00:00:00 2001
From: Vladimir Kozhukalov
Date: Tue, 25 Jun 2024 07:05:35 -0500
Subject: [PATCH] Setup passwordless ssh from primary to cluster nodes

Here we add Ansible tasks to the deploy-env role to setup passwordless ssh from the primary node to K8s cluster nodes. This is necessary for some test scripts like for example Ceph migration script.

Change-Id: I1cae1777d51635a19406ea054f4d83972e5fe43c
---
 roles/deploy-env/defaults/main.yaml | 3 +-
 roles/deploy-env/files/ssh_config | 1 +
 .../deploy-env/tasks/client_cluster_ssh.yaml | 68 +++++++++++++++++++
 roles/deploy-env/tasks/main.yaml | 5 ++
 4 files changed, 75 insertions(+), 2 deletions(-)
 create mode 100644 roles/deploy-env/files/ssh_config
 create mode 100644 roles/deploy-env/tasks/client_cluster_ssh.yaml

diff --git a/roles/deploy-env/defaults/main.yaml b/roles/deploy-env/defaults/main.yaml
index 70c83f43c..563aef9b1 100644
--- a/roles/deploy-env/defaults/main.yaml
+++ b/roles/deploy-env/defaults/main.yaml
@@ -45,9 +45,8 @@ metallb_setup: false
 metallb_pool_cidr: "172.24.128.0/24"
 metallb_openstack_endpoint_cidr: "172.24.128.100/24"
+client_cluster_ssh_setup: true
 client_ssh_user: zuul
-client_ssh_key_file: /home/zuul/.ssh/id_rsa
-
 cluster_ssh_user: zuul
 openstack_provider_gateway_setup: false
diff --git a/roles/deploy-env/files/ssh_config b/roles/deploy-env/files/ssh_config
new file mode 100644
index 000000000..a9ecad07c
--- /dev/null
+++ b/roles/deploy-env/files/ssh_config
@@ -0,0 +1 @@
+StrictHostKeyChecking no
diff --git a/roles/deploy-env/tasks/client_cluster_ssh.yaml b/roles/deploy-env/tasks/client_cluster_ssh.yaml
new file mode 100644
index 000000000..f1c09980b
--- /dev/null
+++ b/roles/deploy-env/tasks/client_cluster_ssh.yaml
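Review bot: `client_cluster_ssh_setup: true` is added to the role defaults without a comment saying what it switches on, and because it defaults to enabled every consumer of deploy-env now gets a key generated on the primary node and pushed into the cluster nodes' authorized_keys unless they opt out. A comment above the key would make that visible, e.g. `# Generate an ssh key on the primary node and authorize it on k8s_cluster nodes (tasks/client_cluster_ssh.yaml)`. Dropping `client_ssh_key_file` is fine as long as nothing else in the role still references it; the rest of the role is not visible from this hunk.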
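Review bot: `StrictHostKeyChecking no` is installed as the client user's whole `~/.ssh/config` with no `Host` stanza, so host-key verification is switched off for every ssh destination the primary node reaches, not only the cluster nodes this change is about; a replaced or spoofed host is accepted silently, and the new private key is offered to it. Restricting the option to the cluster nodes, e.g. a `Host <cluster-node-pattern>` line (placeholder) above it, limits the exposure to what the commit needs. A stronger alternative is to keep strict checking on and pre-seed the cluster hosts' keys with the `known_hosts` module, which this role could do in the same task file since it already knows the `k8s_cluster` group.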
@@ -0,0 +1,68 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+- name: Setup passwordless ssh from primary and cluster nodes
+ block:
+ - name: Set client user home directory
+ set_fact:
+ client_user_home_directory: /home/{{ client_ssh_user }}
+ when: client_ssh_user != "root"
+
+ - name: Set client user home directory
+ set_fact:
+ client_user_home_directory: /root
+ when: client_ssh_user == "root"
+
+ - name: Set cluster user home directory
+ set_fact:
+ cluster_user_home_directory: /home/{{ cluster_ssh_user }}
+ when: cluster_ssh_user != "root"
+
+ - name: Set cluster user home directory
+ set_fact:
+ cluster_user_home_directory: /root
+ when: cluster_ssh_user == "root"
+
+ - name: Generate ssh key pair
+ shell: |
+ ssh-keygen -t ed25519 -q -N "" -f {{ client_user_home_directory }}/.ssh/id_ed25519
+ args:
+ creates: "{{ client_user_home_directory }}/.ssh/id_ed25519.pub"
+ when: (inventory_hostname in (groups['primary'] | default([])))
+
+ - name: Read ssh public key
+ command: cat "{{ client_user_home_directory }}/.ssh/id_ed25519.pub"
+ register: ssh_public_key
+ when: (inventory_hostname in (groups['primary'] | default([])))
+
+ - name: Set primary wireguard public key
+ set_fact:
+ client_ssh_public_key: "{{ (groups['primary'] | map('extract', hostvars, ['ssh_public_key', 'stdout']))[0] }}"
+ when: inventory_hostname in (groups['k8s_cluster'] | default([]))
+
+ - name: Put keys to .ssh/authorized_keys
+ lineinfile:
+ path: "{{ cluster_user_home_directory 
}}/.ssh/authorized_keys"
+ state: present
+ line: "{{ client_ssh_public_key }}"
+ when: inventory_hostname in (groups['k8s_cluster'] | default([]))
+
+ - name: Disable strict host key checking
+ template:
+ src: "files/ssh_config"
+ dest: "{{ client_user_home_directory }}/.ssh/config"
+ owner: "{{ client_ssh_user }}"
+ mode: 0644
+ backup: true
+ when: (inventory_hostname in (groups['primary'] | default([])))
+...
diff --git a/roles/deploy-env/tasks/main.yaml b/roles/deploy-env/tasks/main.yaml
index b1c9d5502..3d30421ad 100644
--- a/roles/deploy-env/tasks/main.yaml
+++ b/roles/deploy-env/tasks/main.yaml
@@ -80,4 +80,9 @@
 include_tasks:
 file: client_cluster_tunnel.yaml
 when: (groups['primary'] | difference(groups['k8s_control_plane']) | length > 0)
+
+- name: Include client-to-cluster ssh key tasks
+ include_tasks:
+ file: client_cluster_ssh.yaml
+ when: client_cluster_ssh_setup
 ...
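Review bot: `Put keys to .ssh/authorized_keys` runs `lineinfile` on `{{ cluster_user_home_directory }}/.ssh/authorized_keys` without `create: true`, and lineinfile fails by default when the path does not exist, so a cluster node whose user has no authorized_keys yet aborts the play instead of receiving the key; the task also leaves ownership and permissions of a file it may write unspecified. Adding `create: true`, `owner: "{{ cluster_ssh_user }}"` and `mode: "0600"` to that task covers both. In `Disable strict host key checking`, `mode: 0644` is an unquoted octal that YAML parses as the integer 420; the Ansible docs recommend quoting modes for consistent results, so write `mode: "0644"`. The task name `Set primary wireguard public key` reads like a leftover from the tunnel tasks (it sets the ssh public key), and the block name says `from primary and cluster nodes` where `to` appears intended. The `Generate ssh key pair` task assumes `.ssh` already exists under the client home; if nothing earlier in the role creates it, ssh-keygen fails there.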