Add volume mounted SSH keys for Tower on Openshift (#587)

* Add volume mounted SSH keys for Tower on Openshift * add ldap role to openshift tower install * add key to all containers in pod * add namespace flag to set volume command * Add ssh only to ansible-tower-task container * Update defaults in README and ocp-process-ssh-key task * Fix default/required fields on dest value * Update project/namespace defaults * Update README.md Co-authored-by: Øystein Bedin <oybed@users.noreply.github.com>
redhat-cop · Mar 16, 2021 · 7905cc4 · 7905cc4
1 parent f695234
commit 7905cc4
Show file tree

Hide file tree

Showing 5 changed files with 111 additions and 2 deletions.
diff --git a/playbooks/ansible/tower/configure-ansible-tower.yml b/playbooks/ansible/tower/configure-ansible-tower.yml
@@ -13,6 +13,16 @@
   - 'never'
   - 'install'
 
+- hosts: ansible-tower
+  roles:
+  - role: ansible/tower/config-ansible-tower-ocp
+  - role: ansible/tower/config-ansible-tower-subscription-manifest
+  - role: ansible/tower/config-ansible-tower-ocp-ssh
+  - role: ansible/tower/config-ansible-tower-ldap
+  tags:
+  - 'never'
+  - 'install-tower-ocp'
+
 - hosts: tower-management-host
   roles:
   - role: ansible/tower/manage-settings

diff --git a/roles/ansible/tower/config-ansible-tower-ocp-ssh/README.md b/roles/ansible/tower/config-ansible-tower-ocp-ssh/README.md
@@ -0,0 +1,46 @@
+config-ansible-tower-ocp-ssh
+============================
+
+This role is a helper for `config-ansible-tower-ocp` to create an OpenShift secret from an SSH key, and mount it as read-only in the `awx` users $HOME/.ssh folder
+
+## Requirements
+
+  - A running OpenShift Cluster and installed 'oc' client in the Ansible host
+
+
+## Role Variables
+
+The variables used to install Ansible Tower on OpenShift are outlined in the table below. 
+
+| Variable | Description | Required | Defaults |
+|:---------|:------------|:---------|:---------|
+|ocp_ssh_private_keys.src|File path to ssh private key, for example ssh_private_key.pem|yes||
+|ocp_ssh_private_keys.dest|Path where ssh private key will be mounted on the container|no|/var/lib/awx/.ssh + src \| basename|
+|ocp_ssh_private_keys.secret_project|Openshift Project for your tower deployment|no|tower|
+|ocp_ssh_private_keys.secret_name|A name for your secret|no|src \| basename|
+|ocp_ssh_private_keys.deployment_type|One of deployment or deploymentconfig|no|deployment|
+|ocp_ssh_private_keys.deployment_name|The name of the Ansible Tower deployment|no|ansible-tower|
+
+## Example Inventory
+
+```yaml
+---
+
+ocp_ssh_private_keys:
+  - src: "{{ inventory_dir }}../files/ssh_private_key.pem"
+    dest: /var/lib/awx/.ssh/ssh_private_key.pem
+    secret_project: "{{ openshift_project }}"
+    secret_name: ssh_private_key
+    deployment_type: deployment
+    deployment_name: ansible-tower
+```
+
+## Example Playbook
+
+```yaml
+---
+
+- hosts: ansible-tower
+  roles:
+  - role: config-ansible-tower-ocp-ssh
+```
diff --git a/roles/ansible/tower/config-ansible-tower-ocp-ssh/tasks/main.yml b/roles/ansible/tower/config-ansible-tower-ocp-ssh/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+
+- name: Add SSH keys to OCP as secrets and mount as volumes
+  include_tasks: ocp-process-ssh-key.yml
+  loop: "{{ ocp_ssh_private_keys }}"
+  loop_control:
+    loop_var: ssh_key
+  when:
+    - ocp_ssh_private_keys is defined
+    - (ocp_ssh_private_keys | type_debug) == 'list'
diff --git a/roles/ansible/tower/config-ansible-tower-ocp-ssh/tasks/ocp-process-ssh-key.yml b/roles/ansible/tower/config-ansible-tower-ocp-ssh/tasks/ocp-process-ssh-key.yml
@@ -0,0 +1,43 @@
+---
+
+- name: Set SSH key filename
+  set_fact:
+    ssh_key_filename: "{{ ssh_key.src | basename }}"
+    ssh_key_project: "{{ ssh_key.secret_project | default(openshift_project) | default('tower') }}"
+
+- name: Check for existing secret
+  command: |
+    oc get secret {{ ssh_key.secret_name | default('ansible-tower-ssh-key') }} \
+      -o=jsonpath='{.metadata.name}' \
+      -n {{ ssh_key_project }}
+  register: secret_check
+  failed_when: secret_check.rc > 1
+
+- name: Check for existing volume mount
+  command: |
+    oc set volume {{ ssh_key.deployment_type | default('deployment')}}/{{ ssh_key.deployment_name | default('ansible-tower') }} \
+    -n {{ ssh_key_project }}
+  register: volume_check
+
+- name: Create a generic ssh key secret from file
+  command: |
+    oc create secret generic {{ ssh_key.secret_name | default('ansible-tower-ssh-key') }} \
+      --from-file={{ ssh_key.src }} \
+      -n {{ ssh_key_project }}
+  when:
+    - secret_check.rc != 0
+
+- name: Mount generic ssh key secret
+  command: |
+    oc set volume {{ ssh_key.deployment_type | default('deployment')}}/{{ ssh_key.deployment_name | default('ansible-tower') }} \
+      --add \
+      --default-mode 0600 \
+      --read-only \
+      --secret-name {{ ssh_key.secret_name | default(ssh_key_filename) }} \
+      --type {{ ssh_key.volume_type | default('secret') }} \
+      --mount-path {{ ssh_key.dest | default('/var/lib/awx/.ssh/' + ssh_key_filename) }} \
+      --sub-path {{ ssh_key_filename }} \
+      --containers ansible-tower-task \
+      -n {{ ssh_key_project }}
+  when:
+    - ssh_key.secret_name not in volume_check.stdout
diff --git a/roles/ansible/tower/config-ansible-tower-ocp/tasks/openshift_retrieve_token.yml b/roles/ansible/tower/config-ansible-tower-ocp/tasks/openshift_retrieve_token.yml
@@ -4,8 +4,8 @@
     - name: Authenticate with OpenShift via user and password
       shell: |
         oc login {{ openshift_host }} \
-          -u {{ openshift_user }} \
-          -p {{ openshift_password }} \
+          -u '{{ openshift_user }}' \
+          -p '{{ openshift_password }}' \
           --insecure-skip-tls-verify={{ openshift_skip_tls_verify | default(false) | bool }}
       no_log: true
     - name: Retrieve Access Token ...