|
1 | 1 | --- |
| 2 | +# Playbook to rotate SSH keys across the cloud. By default it will rotate the |
| 3 | +# standard keys used by kayobe/kolla-ansible, but it can be configured for any |
| 4 | +# keys. |
| 5 | + |
2 | 6 | - name: Rekey hosts |
3 | 7 | hosts: overcloud,seed,seed-hypervisor,infra-vms |
4 | 8 | gather_facts: false |
5 | 9 | vars: |
6 | 10 | ansible_ssh_common_args: "-o StrictHostKeyChecking=no" |
| 11 | + existing_private_key_path: "{{ ssh_private_key_path }}" |
| 12 | + existing_public_key_path: "{{ ssh_public_key_path }}" |
| 13 | + new_private_key_path: "{{ ssh_private_key_path }}" |
| 14 | + new_public_key_path: "{{ ssh_public_key_path }}" |
| 15 | + new_key_type: "{{ ssh_key_type }}" |
7 | 16 | rekey_users: |
8 | 17 | - stack |
9 | 18 | - kolla |
10 | 19 | rekey_remove_existing_key: false |
11 | 20 | tasks: |
12 | 21 | - name: Stat existing private key file |
13 | 22 | ansible.builtin.stat: |
14 | | - path: "{{ ssh_private_key_path }}" |
| 23 | + path: "{{ existing_private_key_path }}" |
15 | 24 | register: stat_result |
16 | 25 | delegate_to: localhost |
17 | 26 | run_once: true |
18 | 27 |
|
19 | 28 | - name: Fail when existing private key does not exist |
20 | 29 | ansible.builtin.fail: |
21 | | - msg: "No existing private key file found. Check ssh_private_key_path and is set correctly." |
| 30 | + msg: "No existing private key file found. Check existing_private_key_path is set correctly." |
22 | 31 | when: |
23 | 32 | - not stat_result.stat.exists |
24 | 33 | delegate_to: localhost |
25 | 34 | run_once: true |
26 | 35 |
|
27 | 36 | - name: Stat existing public key file |
28 | 37 | ansible.builtin.stat: |
29 | | - path: "{{ ssh_public_key_path }}" |
| 38 | + path: "{{ existing_public_key_path }}" |
30 | 39 | register: stat_result |
31 | 40 | delegate_to: localhost |
32 | 41 | run_once: true |
33 | 42 |
|
34 | 43 | - name: Fail when existing public key does not exist |
35 | 44 | ansible.builtin.fail: |
36 | | - msg: "No existing public key file found. Check ssh_public_key_path and is set correctly." |
| 45 | + msg: "No existing public key file found. Check existing_public_key_path is set correctly." |
37 | 46 | when: |
38 | 47 | - not stat_result.stat.exists |
39 | 48 | delegate_to: localhost |
40 | 49 | run_once: true |
41 | 50 |
|
42 | 51 | - name: Generate a new SSH key |
43 | 52 | community.crypto.openssh_keypair: |
44 | | - path: "{{ ssh_private_key_path }}_new" |
45 | | - type: "{{ ssh_key_type }}" |
| 53 | + path: "{{ existing_private_key_path }}_new" |
| 54 | + type: "{{ new_key_type }}" |
46 | 55 | delegate_to: localhost |
47 | 56 | run_once: true |
48 | 57 |
|
49 | 58 | - name: Set new authorized keys |
50 | 59 | vars: |
51 | | - lookup_path: "{{ ssh_private_key_path }}_new.pub" |
| 60 | + lookup_path: "{{ existing_private_key_path }}_new.pub" |
52 | 61 | ansible.posix.authorized_key: |
53 | 62 | user: "{{ item }}" |
54 | 63 | state: present |
|
57 | 66 | become: true |
58 | 67 |
|
59 | 68 | - name: Locally deprecate existing key (private) |
60 | | - command: "mv {{ ssh_private_key_path }} {{ ssh_private_key_path }}_old" |
| 69 | + command: "mv {{ existing_private_key_path }} {{ existing_public_key_path }}_old" |
61 | 70 | delegate_to: localhost |
62 | 71 | run_once: true |
63 | 72 |
|
64 | 73 | - name: Locally deprecate existing key (public) |
65 | | - command: "mv {{ ssh_public_key_path }} {{ ssh_public_key_path }}_old" |
| 74 | + command: "mv {{ existing_public_key_path }} {{ existing_public_key_path }}_old" |
66 | 75 | delegate_to: localhost |
67 | 76 | run_once: true |
68 | 77 |
|
69 | 78 | - name: Locally promote new key (private) |
70 | | - command: "mv {{ ssh_private_key_path }}_new {{ ssh_private_key_path }}" |
| 79 | + command: "mv {{ existing_private_key_path }}_new {{ new_private_key_path }}" |
71 | 80 | delegate_to: localhost |
72 | 81 | run_once: true |
73 | 82 |
|
74 | 83 | - name: Locally promote new key (public) |
75 | | - command: "mv {{ ssh_private_key_path }}_new.pub {{ ssh_public_key_path }}" |
| 84 | + command: "mv {{ existing_private_key_path }}_new.pub {{ new_public_key_path }}" |
76 | 85 | delegate_to: localhost |
77 | 86 | run_once: true |
78 | 87 |
|
79 | 88 | - name: Remove old key from hosts |
80 | 89 | vars: |
81 | | - lookup_path: "{{ ssh_public_key_path }}_old" |
| 90 | + lookup_path: "{{ existing_public_key_path }}_old" |
82 | 91 | ansible.posix.authorized_key: |
83 | 92 | user: "{{ item }}" |
84 | 93 | state: absent |
85 | 94 | key: "{{ lookup('file', lookup_path) }}" |
86 | 95 | loop: "{{ rekey_users }}" |
87 | 96 | become: true |
88 | | - when: rekey_remove_existing_key |
| 97 | + when: rekey_remove_existing_key | bool |
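Review bot: The rewritten task "Locally deprecate existing key (private)" (new line 69) moves the private key to the public key's `_old` path (`mv {{ existing_private_key_path }} {{ existing_public_key_path }}_old`), so the very next task (new line 74) overwrites that file with the public key and the previous private key is destroyed with no local copy left to fall back on if the authorized_key rollout did not fully take effect on some host. The destination should be derived from the private key path: `command: "mv {{ existing_private_key_path }} {{ existing_private_key_path }}_old"`. As a point of style, the four `mv` tasks use the short `command:` form while every other module in the play is fully qualified (`ansible.builtin.stat`, `ansible.builtin.fail`, `community.crypto.openssh_keypair`), and passing the paths through `argv:` rather than a single interpolated string would keep paths containing spaces or shell-special characters intact. These moves also silently clobber any `_old` files left over from a previous rotation, which is worth either a comment on the deprecate tasks or a stat guard before the first `mv`.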