Merge pull request #535 from bogdando/bastion_inventory

Options for bastion, SSH config, static inventory autogeneration
author: Bogdan Dobrelya <bdobreli@redhat.com> 2017-07-27 15:39:42 +0200
committer: GitHub <noreply@github.com> 2017-07-27 15:39:42 +0200
commit: 1b76aeba44ce8cb1120a6659c375fe8b4c87f919 (patch)
tree: 4c43dfdfefcc139249458606c9c4edefc1c38c32 /roles/static_inventory
parent: 5cbcfd231054b0f64d9bc70064ecdb892cfbaec5 (diff)
parent: df8f5f0e251a014ab30dabd62c17e151b7fe36e8 (diff)
download: openshift-1b76aeba44ce8cb1120a6659c375fe8b4c87f919.tar.gz
openshift-1b76aeba44ce8cb1120a6659c375fe8b4c87f919.tar.bz2
openshift-1b76aeba44ce8cb1120a6659c375fe8b4c87f919.tar.xz
openshift-1b76aeba44ce8cb1120a6659c375fe8b4c87f919.zip
6 files changed, 78 insertions, 6 deletions
diff --git a/roles/static_inventory/defaults/main.yml b/roles/static_inventory/defaults/main.yml
index 315965cde..63de45646 100644
--- a/roles/static_inventory/defaults/main.yml
+++ b/roles/static_inventory/defaults/main.yml
@@ -4,5 +4,18 @@ refresh_inventory: True
 inventory: static
 inventory_path: ~/openstack-inventory
 
+# Either to configure bastion
+use_bastion: true
+
+# SSH user/key/options to access hosts via bastion
+ssh_user: openshift
+ssh_options: >-
+  -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no
+  -o ConnectTimeout=90 -o ControlMaster=auto -o ControlPersist=270s
+  -o ServerAliveInterval=30 -o GSSAPIAuthentication=no
+
 # SSH key to access nodes
 private_ssh_key: ~/.ssh/openshift
+
+# The patch to store the generated config to access bastion/hosts
+ssh_config_path: /tmp/ssh.config.ansible
diff --git a/roles/static_inventory/tasks/main.yml b/roles/static_inventory/tasks/main.yml
index 15c81690e..b58866017 100644
--- a/roles/static_inventory/tasks/main.yml
+++ b/roles/static_inventory/tasks/main.yml
@@ -4,3 +4,7 @@
 
 - name: Checkpoint in-memory data into a static inventory
   include: checkpoint.yml
+
+- name: Generate SSH config for accessing hosts via bastion
+  include: sshconfig.yml
+  when: use_bastion|bool
diff --git a/roles/static_inventory/tasks/openstack.yml b/roles/static_inventory/tasks/openstack.yml
index a25502835..499adf08c 100644
--- a/roles/static_inventory/tasks/openstack.yml
+++ b/roles/static_inventory/tasks/openstack.yml
@@ -16,6 +16,7 @@
 
     - name: set_fact for openstack inventory nodes
       set_fact:
+        registered_bastion_nodes: "{{ (registered_nodes_output.stdout | from_json) | json_query(q) }}"
         registered_nodes_floating: "{{ (registered_nodes_output.stdout | from_json) | json_query(q2) }}"
       vars:
         q: "[] | [?metadata.group=='infra.{{stack_name}}']"
@@ -24,24 +25,41 @@
         - refresh_inventory|bool
 
     - name: Add cluster nodes w/o floating IPs to inventory
-      with_items: "{{ registered_nodes }}"
-      when: not item in registered_nodes_floating
+      with_items: "{{ registered_nodes|difference(registered_nodes_floating) }}"
       add_host:
         name: '{{ item.name }}'
         groups: '{{ item.metadata.group }}'
-        ansible_host: '{{ item.private_v4 }}'
+        ansible_host: "{% if use_bastion|bool %}{{ item.name }}{% else %}{{ item.private_v4 }}{% endif %}"
         ansible_fqdn: '{{ item.name }}'
+        ansible_user: '{{ ssh_user }}'
         ansible_private_key_file: '{{ private_ssh_key }}'
+        ansible_ssh_extra_args: '-F {{ ssh_config_path }}'
         private_v4: '{{ item.private_v4 }}'
 
     - name: Add cluster nodes with floating IPs to inventory
       with_items: "{{ registered_nodes_floating }}"
-      when: item in registered_nodes_floating
       add_host:
         name: '{{ item.name }}'
         groups: '{{ item.metadata.group }}'
-        ansible_host: '{{ item.public_v4 }}'
+        ansible_host: "{% if use_bastion|bool %}{{ item.name }}{% else %}{{ item.public_v4 }}{% endif %}"
         ansible_fqdn: '{{ item.name }}'
+        ansible_user: '{{ ssh_user }}'
         ansible_private_key_file: '{{ private_ssh_key }}'
+        ansible_ssh_extra_args: '-F {{ ssh_config_path }}'
         private_v4: '{{ item.private_v4 }}'
         public_v4: '{{ item.public_v4 }}'
+
+    - name: Add bastion node to inventory
+      add_host:
+        name: bastion
+        groups: bastions
+        ansible_host: '{{ registered_bastion_nodes[0].public_v4 }}'
+        ansible_fqdn: '{{ registered_bastion_nodes[0].name }}'
+        ansible_user: '{{ ssh_user }}'
+        ansible_private_key_file: '{{ private_ssh_key }}'
+        ansible_ssh_extra_args: '-F {{ ssh_config_path }}'
+        private_v4: '{{ registered_bastion_nodes[0].private_v4 }}'
+        public_v4: '{{ registered_bastion_nodes[0].public_v4 }}'
+      when:
+        - registered_bastion_nodes is defined
+        - use_bastion|bool
diff --git a/roles/static_inventory/tasks/sshconfig.yml b/roles/static_inventory/tasks/sshconfig.yml
new file mode 100644
index 000000000..7119fe6ff
--- /dev/null
+++ b/roles/static_inventory/tasks/sshconfig.yml
@@ -0,0 +1,13 @@
+---
+- name: set ssh proxy command prefix for accessing nodes via bastion
+  set_fact:
+    ssh_proxy_command: >-
+      ssh {{ ssh_options }}
+      -i {{ private_ssh_key }}
+      {{ ssh_user }}@{{ hostvars['bastion'].ansible_host }}
+
+- name: regenerate ssh config
+  template:
+    src: openstack_ssh_config.j2
+    dest: "{{ ssh_config_path }}"
+    mode: 0644
diff --git a/roles/static_inventory/templates/inventory.j2 b/roles/static_inventory/templates/inventory.j2
index 464726a0b..24dc9d4a8 100644
--- a/roles/static_inventory/templates/inventory.j2
+++ b/roles/static_inventory/templates/inventory.j2
@@ -10,9 +10,12 @@
 %} private_v4={{ hostvars[host]['private_v4'] }}{% endif %}
 {% if 'public_v4' in hostvars[host]
 %} public_v4={{ hostvars[host]['public_v4'] }}{% endif %}
+{% if 'ansible_user' in hostvars[host]
+%} ansible_user={{ hostvars[host]['ansible_user'] }}{% endif %}
 {% if 'ansible_private_key_file' in hostvars[host]
 %} ansible_private_key_file={{ hostvars[host]['ansible_private_key_file'] }}{% endif %}
- openshift_hostname={{ host }}
+{% if use_bastion|bool and 'ansible_ssh_extra_args' in hostvars[host]
+%} ansible_ssh_extra_args={{ hostvars[host]['ansible_ssh_extra_args']|quote }}{% endif %} openshift_hostname={{ host }}
 
 {% endif %}
 {% endfor %}
diff --git a/roles/static_inventory/templates/openstack_ssh_config.j2 b/roles/static_inventory/templates/openstack_ssh_config.j2
new file mode 100644
index 000000000..ad5d1253a
--- /dev/null
+++ b/roles/static_inventory/templates/openstack_ssh_config.j2
@@ -0,0 +1,21 @@
+Host *
+    IdentitiesOnly yes
+
+Host bastion
+    Hostname {{ hostvars['bastion'].ansible_host }}
+    IdentityFile {{ hostvars['bastion'].ansible_private_key_file }}
+    User {{ ssh_user }}
+    StrictHostKeyChecking no
+    UserKnownHostsFile=/dev/null
+
+{% for host in groups['all'] | difference(groups['bastions'][0]) %}
+
+Host {{ host }}
+    Hostname {{ hostvars[host].ansible_host }}
+    ProxyCommand {{ ssh_proxy_command  }} -W {{ hostvars[host].private_v4 }}:22
+    IdentityFile {{ hostvars[host].ansible_private_key_file }}
+    User {{ ssh_user }}
+    StrictHostKeyChecking no
+    UserKnownHostsFile=/dev/null
+
+{% endfor %}
author	Bogdan Dobrelya <bdobreli@redhat.com>	2017-07-27 15:39:42 +0200
committer	GitHub <noreply@github.com>	2017-07-27 15:39:42 +0200
commit	1b76aeba44ce8cb1120a6659c375fe8b4c87f919 (patch)
tree	4c43dfdfefcc139249458606c9c4edefc1c38c32 /roles/static_inventory
parent	5cbcfd231054b0f64d9bc70064ecdb892cfbaec5 (diff)
parent	df8f5f0e251a014ab30dabd62c17e151b7fe36e8 (diff)
download	openshift-1b76aeba44ce8cb1120a6659c375fe8b4c87f919.tar.gz openshift-1b76aeba44ce8cb1120a6659c375fe8b4c87f919.tar.bz2 openshift-1b76aeba44ce8cb1120a6659c375fe8b4c87f919.tar.xz openshift-1b76aeba44ce8cb1120a6659c375fe8b4c87f919.zip