|
7 | 7 | hosts: overcloud,seed,seed-hypervisor,infra-vms |
8 | 8 | gather_facts: false |
9 | 9 | vars: |
10 | | - ansible_ssh_common_args: "-o StrictHostKeyChecking=no" |
| 10 | + # The existing key is the key that is currently used to access overcloud hosts |
11 | 11 | existing_private_key_path: "{{ ssh_private_key_path }}" |
12 | 12 | existing_public_key_path: "{{ ssh_public_key_path }}" |
| 13 | + # The new key is the key that will be generated by this playbook |
13 | 14 | new_private_key_path: "{{ ssh_private_key_path }}" |
14 | 15 | new_public_key_path: "{{ ssh_public_key_path }}" |
15 | 16 | new_key_type: "{{ ssh_key_type }}" |
| 17 | + # The existing key will locally be moved to deprecated_key_path once it is replaced |
| 18 | + deprecated_key_path: ~/old_ssh_key |
16 | 19 | rekey_users: |
17 | 20 | - stack |
18 | 21 | - kolla |
|
66 | 69 | become: true |
67 | 70 |
|
68 | 71 | - name: Locally deprecate existing key (private) |
69 | | - command: "mv {{ existing_private_key_path }} {{ existing_public_key_path }}_old" |
| 72 | + command: "mv {{ existing_private_key_path }} {{ deprecated_key_path }}" |
70 | 73 | delegate_to: localhost |
71 | 74 | run_once: true |
72 | 75 |
|
73 | 76 | - name: Locally deprecate existing key (public) |
74 | | - command: "mv {{ existing_public_key_path }} {{ existing_public_key_path }}_old" |
| 77 | + command: "mv {{ existing_public_key_path }} {{ deprecated_key_path }}.pub" |
75 | 78 | delegate_to: localhost |
76 | 79 | run_once: true |
77 | 80 |
|
|
85 | 88 | delegate_to: localhost |
86 | 89 | run_once: true |
87 | 90 |
|
88 | | - - name: Remove old key from hosts |
89 | | - vars: |
90 | | - lookup_path: "{{ existing_public_key_path }}_old" |
91 | | - ansible.posix.authorized_key: |
92 | | - user: "{{ item }}" |
93 | | - state: absent |
94 | | - key: "{{ lookup('file', lookup_path) }}" |
95 | | - loop: "{{ rekey_users }}" |
96 | | - become: true |
| 91 | + - block: |
| 92 | + - name: Stat old key file |
| 93 | + ansible.builtin.stat: |
| 94 | + path: "{{ deprecated_key_path }}.pub" |
| 95 | + register: stat_result |
| 96 | + delegate_to: localhost |
| 97 | + run_once: true |
| 98 | + |
| 99 | + - name: Fail when deprecated public key does not exist |
| 100 | + ansible.builtin.fail: |
| 101 | + msg: "No deprecated public key file found. Check deprecated_key_path is set correctly." |
| 102 | + when: |
| 103 | + - not stat_result.stat.exists |
| 104 | + delegate_to: localhost |
| 105 | + run_once: true |
| 106 | + |
| 107 | + - name: Remove old key from hosts |
| 108 | + vars: |
| 109 | + lookup_path: "{{ deprecated_key_path }}.pub" |
| 110 | + ansible.posix.authorized_key: |
| 111 | + user: "{{ item }}" |
| 112 | + state: absent |
| 113 | + key: "{{ lookup('file', lookup_path) }}" |
| 114 | + loop: "{{ rekey_users }}" |
| 115 | + become: true |
| 116 | + tags: remove-key |
97 | 117 | when: rekey_remove_existing_key | bool |
0 commit comments