bugfix: ansible user for awx

4 years ago · 92c11ecef4
parent 81d9923332
commit 92c11ecef4
6 changed files with 31 additions and 31 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -95,7 +95,7 @@ ansible-run-setup-2-qa:
  after_script:
    - rm /tmp/vault-pass
  only:
-    - master
+    - qa
    - schedules
  tags:
    - dind
@ -118,7 +118,7 @@ ansible-run-setup-3-prodnso:
  after_script:
    - rm /tmp/vault-pass
  only:
-    - master
+    - prodnso
    - schedules
  tags:
    - dind
@ -139,7 +139,7 @@ ansible-run-setup-3-prodnso:

 ansible-run-kubernetes-1-dev:
  image: $AWX_EE_DOCKER_IMAGE_EXTERN:latest
-  stage: ansible-run-setup
+  stage: ansible-run-kubernetes
  before_script:
    - 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )'
    - eval $(ssh-agent -s)
@ -163,7 +163,7 @@ ansible-run-kubernetes-1-dev:

 ansible-run-kubernetes-2-qa:
  image: $AWX_EE_DOCKER_IMAGE_EXTERN:latest
-  stage: ansible-run-setup
+  stage: ansible-run-kubernetes
  before_script:
    - 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )'
    - eval $(ssh-agent -s)
@ -177,7 +177,7 @@ ansible-run-kubernetes-2-qa:
  after_script:
    - rm /tmp/vault-pass
  only:
-    - master
+    - qa
    - schedules
  tags:
    - dind
@ -186,7 +186,7 @@ ansible-run-kubernetes-2-qa:

 ansible-run-kubernetes-3-prodnso:
  image: $AWX_EE_DOCKER_IMAGE_EXTERN:latest
-  stage: ansible-run-setup
+  stage: ansible-run-kubernetes
  before_script:
    - 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )'
    - eval $(ssh-agent -s)
@ -200,7 +200,7 @@ ansible-run-kubernetes-3-prodnso:
  after_script:
    - rm /tmp/vault-pass
  only:
-    - master
+    - prodnso
    - schedules
  tags:
    - dind
--- a/group_vars/all/plain.yml
+++ b/group_vars/all/plain.yml
@ -60,7 +60,7 @@ hetzner_server_image: ubuntu-20.04

 # Used for root-access
 hetzner_ssh_keys:
-  - ansible@smardigo.digital
+  - gitlabci@git.dev-at.de
  - sven.ketelsen@netgo.de
  - peter.heise@netgo.de
  - claus.paetow@netgo.de
@ -91,10 +91,12 @@ sudo_group: "{{ sudo_groups
  | first
  | replace('.','-') }}"

+awx_ansible_user_name: "awx"
+awx_ansible_user_ssh_key_private: "{{ ansible_ssh_key_private_vault }}"
+
+# whitelist for outdated user detection - they wont't be deleted at all
 default_plattform_users:
  - 'nobody'
-  - 'vagrant'
-  - 'ansible'
  - 'elastic'
  - 'postgres'
  - 'administrator'
@ -102,11 +104,12 @@ default_plattform_users:
  - '{{ backupuser_username }}'

 smardigo_plattform_users:
-  - 'gitlabci' # needed for periodic ansible run
-  - 'sven.ketelsen'
-  - 'peter.heise'
+  - 'gitlabci'
  - 'claus.paetow'
  - 'friedrich.goerz'
+  - 'peter.heise'
+  - 'sven.ketelsen'
+  - '{{ awx_ansible_user_name }}'

 ip_whitelist_admins:
  - "79.215.10.239/32" # sven
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -113,6 +113,8 @@
  when:
    - inventory_hostname in groups['postgres'] or
      inventory_hostname in groups['maria']
+  tags:
+    - users

 - name: "Ensure docker configuration directory exists"
  file:
--- a/roles/kubernetes/awx/defaults/main.yml
+++ b/roles/kubernetes/awx/defaults/main.yml
@ -5,6 +5,8 @@ awx_admin_password: "{{ awx_admin_password_vault }}"
 awx_ansible_username: ansible
 awx_ansible_password: ansible

+awx_credential_machine_hetzner_name: hetzner-ansible-ssh
+
 # TODO
 # reason: IT DOES NOT SCALE!!!!
 # plz move it so separate DIR and do a lookup for all file in $DIR
--- a/roles/kubernetes/awx/tasks/awx-config.yml
+++ b/roles/kubernetes/awx/tasks/awx-config.yml
@ -5,14 +5,6 @@
    awx_rest_api_type: job_templates
  when: (awx_hetzner_ansible_project_id is not defined)

- name: "Printing..."
-  debug:
-    msg: "{{ ansible_ssh_key_private_vault }}"
-  delegate_to: 127.0.0.1
-  become: false
-  when:
-   - debug
-
 - name: "Search user <{{ awx_ansible_username }}>"
  include_tasks: awx-config-get-typ-id.yml
  vars:
@ -80,12 +72,12 @@
  when:
    - awx_type_id != "None"

- name: "Search <Machine> credentials <hetzner-ansible-ssh>"
+- name: "Search <Machine> credentials <{{ awx_credential_machine_hetzner_name }}>"
  include_tasks: awx-config-get-typ-id.yml
  vars:
    awx_rest_api_type: credentials
    awx_search_key: name
-    awx_search_name: "hetzner-ansible-ssh"
+    awx_search_name: "{{ awx_credential_machine_hetzner_name }}"

 - name: "Update awx_credential_hetzner_ansible_id"
  set_fact:
@ -93,14 +85,14 @@
  when:
    - awx_type_id != "None"

- name: "Create json object for <Machine> credentials <hetzner-ansible-ssh>"
+- name: "Create json object for <Machine> credentials <{{ awx_credential_machine_hetzner_name }}>"
  vars:
-    name: "hetzner-ansible-ssh"
+    name: "{{ awx_credential_machine_hetzner_name }}"
    credential_type_id: "{{ awx_credential_type_machine_id }}"
    credential_type_name: "Machine"
-    username: "Ansible"
-    ssh_public_key_data: "{{ lookup('file', '{{ playbook_dir }}/users/ansible/ssh.pub') }}"
-    ssh_key_data: "{{ ansible_ssh_key_private_vault | replace('\n','\\n') }}"
+    username: "{{ awx_ansible_user_name }}"
+    ssh_public_key_data: "{{ lookup('file', '{{ playbook_dir }}/users/{{ awx_ansible_user_name }}/ssh.pub') }}"
+    ssh_key_data: "{{ awx_ansible_user_ssh_key_private | replace('\n','\\n') }}"
  set_fact:
    machine_creds: "{{ lookup('template','awx-create-credential.json.j2') }}"
  when: awx_credential_hetzner_ansible_id is not defined
@ -112,7 +104,7 @@
  when:
   - debug

- name: "Add <Machine> credentials <hetzner-ansible-ssh> with user: {{ ansible_awx_user_id }}"
+- name: "Add <Machine> credentials <{{ awx_credential_machine_hetzner_name }}> with user: {{ ansible_awx_user_id }}"
  delegate_to: localhost
  uri:
    url: "{{ awx_base_url }}/api/v2/credentials/"
@ -131,12 +123,12 @@
  changed_when: response.status == 201
  when: awx_credential_hetzner_ansible_id is not defined

- name: "Search <Machine> credentials <hetzner-ansible-ssh>"
+- name: "Search <Machine> credentials <{{ awx_credential_machine_hetzner_name }}>"
  include_tasks: awx-config-get-typ-id.yml
  vars:
    awx_rest_api_type: credentials
    awx_search_key: name
-    awx_search_name:  "hetzner-ansible-ssh"
+    awx_search_name:  "{{ awx_credential_machine_hetzner_name }}"
  when: awx_credential_hetzner_ansible_id is not defined

 - name: "Update awx_credential_hetzner_ansible_id"
--- a/users/awx/ssh.pub
+++ b/users/awx/ssh.pub
@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDNLUecch9TFY4feiE+4Scq7at7JLkIPnQIbwFMjUrYEsuHIQlyWuxfiUtCcTYRcS7eDSk0gPyAADPAkDSHpeOtF9CXAISWm4kORu9S3lgIm7113QT2xGdyag19G/Qrm0RHzujaBbAuRh4R7OK93+l2GqxBrL5ryHVDquTPoNxtBBCEfvAsEEoC2wRjyvWKfR6/rl8wTAOD+1Sty8iixUg6IVABOBN6ZjbSZ8WoWIqwgvZ5P55TkfSyQSbXArM8yqLRwHEHsSBZ0lCJmNS+Y6003dkjvY8UDAu4/VPhETH6l7kzvXNty64AjQGqbj569KtvBJINt7GtuwXq3bFzdRf61mSOfx+JAIzmJYCr0VrqOgTUhrnW9QY31FXUxr97nJRCa7s6E6+r4og0QkatLfLqnoCdJ/V+rK/TzUtywDWeTCInzHOEZgd2K/Rin3vnKFGpsPLZasVNS1KR3m/+r4BqCEO2/D/8xoV3Z8fegyBczrxn8cXpuUp7kIro5p2xpZ8= awx@netgo.de
				`@ -0,0 +1 @@`
				ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDNLUecch9TFY4feiE+4Scq7at7JLkIPnQIbwFMjUrYEsuHIQlyWuxfiUtCcTYRcS7eDSk0gPyAADPAkDSHpeOtF9CXAISWm4kORu9S3lgIm7113QT2xGdyag19G/Qrm0RHzujaBbAuRh4R7OK93+l2GqxBrL5ryHVDquTPoNxtBBCEfvAsEEoC2wRjyvWKfR6/rl8wTAOD+1Sty8iixUg6IVABOBN6ZjbSZ8WoWIqwgvZ5P55TkfSyQSbXArM8yqLRwHEHsSBZ0lCJmNS+Y6003dkjvY8UDAu4/VPhETH6l7kzvXNty64AjQGqbj569KtvBJINt7GtuwXq3bFzdRf61mSOfx+JAIzmJYCr0VrqOgTUhrnW9QY31FXUxr97nJRCa7s6E6+r4og0QkatLfLqnoCdJ/V+rK/TzUtywDWeTCInzHOEZgd2K/Rin3vnKFGpsPLZasVNS1KR3m/+r4BqCEO2/D/8xoV3Z8fegyBczrxn8cXpuUp7kIro5p2xpZ8= awx@netgo.de