From 92c11ecef456dfe22f1c0e60b54b9d15651e6add Mon Sep 17 00:00:00 2001
From: Sven Ketelsen
Date: Fri, 18 Mar 2022 11:44:49 +0100
Subject: [PATCH] bugfix: ansible user for awx

---
 .gitlab-ci.yml | 14 ++++++------
 group_vars/all/plain.yml | 15 +++++++-----
 roles/common/tasks/main.yml | 2 ++
 roles/kubernetes/awx/defaults/main.yml | 2 ++
 roles/kubernetes/awx/tasks/awx-config.yml | 28 ++++++++--------------
 users/awx/ssh.pub | 1 +
 6 files changed, 31 insertions(+), 31 deletions(-)
 create mode 100644 users/awx/ssh.pub

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 6ca0683..4cb8956 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -95,7 +95,7 @@ ansible-run-setup-2-qa:
 after_script:
 - rm /tmp/vault-pass
 only:
- - master
+ - qa
 - schedules
 tags:
 - dind
@@ -118,7 +118,7 @@ ansible-run-setup-3-prodnso:
 after_script:
 - rm /tmp/vault-pass
 only:
- - master
+ - prodnso
 - schedules
 tags:
 - dind
@@ -139,7 +139,7 @@ ansible-run-setup-3-prodnso:
 
 ansible-run-kubernetes-1-dev:
 image: $AWX_EE_DOCKER_IMAGE_EXTERN:latest
- stage: ansible-run-setup
+ stage: ansible-run-kubernetes
 before_script:
 - 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )'
 - eval $(ssh-agent -s)
@@ -163,7 +163,7 @@ ansible-run-kubernetes-1-dev:
 
 ansible-run-kubernetes-2-qa:
 image: $AWX_EE_DOCKER_IMAGE_EXTERN:latest
- stage: ansible-run-setup
+ stage: ansible-run-kubernetes
 before_script:
 - 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )'
 - eval $(ssh-agent -s)
@@ -177,7 +177,7 @@ ansible-run-kubernetes-2-qa:
 after_script:
 - rm /tmp/vault-pass
 only:
- - master
+ - qa
 - schedules
 tags:
 - dind
@@ -186,7 +186,7 @@ ansible-run-kubernetes-2-qa:
 
 ansible-run-kubernetes-3-prodnso:
 image: $AWX_EE_DOCKER_IMAGE_EXTERN:latest
- stage: ansible-run-setup
+ stage: ansible-run-kubernetes
 before_script:
 - 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )'
 - eval $(ssh-agent -s)
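Review bot: `only: - qa` in the `@@ -95` hunk (and `- prodnso` / `- qa` in the `@@ -118`, `@@ -177` and `@@ -200` hunks) means these jobs now run on every push to those branches, not just on `schedules`, and each job evidently handles the vault password, since `after_script` removes `/tmp/vault-pass`. Unless `qa` and `prodnso` are protected branches, anyone who can push to them can trigger a deploy with the vault secrets. If the branches are not protected, either mark them so or replace the legacy `only:` with a rule such as `rules: - if: '$CI_COMMIT_BRANCH == "qa" && $CI_COMMIT_REF_PROTECTED == "true"'`, which keeps the same intent but ties the run to branch protection. The rest of each job body is outside the hunk.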
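Review bot: The new `stage: ansible-run-kubernetes` in the `@@ -139` hunk (and the same line in the `@@ -163` and `@@ -186` hunks) is only valid if that stage name is declared in the top-level `stages:` list, which is not part of this diff; an undeclared stage makes GitLab reject the whole pipeline. Worth confirming that `stages:` was already extended, since the commit message calls this a bugfix and a typo in the stage name would silently leave these three jobs unrunnable.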
@@ -200,7 +200,7 @@ ansible-run-kubernetes-3-prodnso:
 after_script:
 - rm /tmp/vault-pass
 only:
- - master
+ - prodnso
 - schedules
 tags:
 - dind
diff --git a/group_vars/all/plain.yml b/group_vars/all/plain.yml
index 8bc18dc..38659ec 100644
--- a/group_vars/all/plain.yml
+++ b/group_vars/all/plain.yml
@@ -60,7 +60,7 @@ hetzner_server_image: ubuntu-20.04
 
 # Used for root-access
 hetzner_ssh_keys:
- - ansible@smardigo.digital
+ - gitlabci@git.dev-at.de
 - sven.ketelsen@netgo.de
 - peter.heise@netgo.de
 - claus.paetow@netgo.de
@@ -91,10 +91,12 @@ sudo_group: "{{ sudo_groups | first | replace('.','-') }}"
 
 
 
+awx_ansible_user_name: "awx"
+awx_ansible_user_ssh_key_private: "{{ ansible_ssh_key_private_vault }}"
+
+# whitelist for outdated user detection - they wont't be deleted at all
 default_plattform_users:
 - 'nobody'
- - 'vagrant'
- - 'ansible'
 - 'elastic'
 - 'postgres'
 - 'administrator'
@@ -102,11 +104,12 @@ default_plattform_users:
 - '{{ backupuser_username }}'
 
 smardigo_plattform_users:
- - 'gitlabci' # needed for periodic ansible run
- - 'sven.ketelsen'
- - 'peter.heise'
+ - 'gitlabci'
 - 'claus.paetow'
 - 'friedrich.goerz'
+ - 'peter.heise'
+ - 'sven.ketelsen'
+ - '{{ awx_ansible_user_name }}'
 
 ip_whitelist_admins:
 - "79.215.10.239/32" # sven
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 7703f57..1459b16 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -113,6 +113,8 @@
 
 when:
 - inventory_hostname in groups['postgres'] or inventory_hostname in groups['maria']
+ tags:
+ - users
 
 - name: "Ensure docker configuration directory exists"
 file:
diff --git a/roles/kubernetes/awx/defaults/main.yml b/roles/kubernetes/awx/defaults/main.yml
index b4a99e8..059fae1 100644
--- a/roles/kubernetes/awx/defaults/main.yml
+++ b/roles/kubernetes/awx/defaults/main.yml
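Review bot: Swapping `ansible@smardigo.digital` for `gitlabci@git.dev-at.de` in `hetzner_ssh_keys` (the `@@ -60` hunk) changes which keys get root access, per the `# Used for root-access` comment, but nothing in this diff revokes the old key on servers that were already provisioned with it. If this list is only consumed when a server is created, the removed key stays in root's `authorized_keys` on existing hosts until it is removed explicitly, so a follow-up task or a check that the key is also deleted from the Hetzner project is needed. A comment stating whether the list is applied only at creation or reconciled on existing servers would make the blast radius of future edits clear.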
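Review bot: In the `@@ -91` hunk, `awx_ansible_user_name` (the OS login added to `smardigo_plattform_users` below) is easy to confuse with the role default `awx_ansible_username: ansible` in `roles/kubernetes/awx/defaults/main.yml`, which is a different identity; a one-line comment such as `# OS user that AWX logs in as on managed hosts; not the AWX web user (awx_ansible_username)` on the new variable would prevent the wrong one ending up in a credential. The private half, `awx_ansible_user_ssh_key_private`, is taken from `ansible_ssh_key_private_vault`, the same vault variable that backed the old `ansible` user, while the public half is the new `users/awx/ssh.pub`; the vault is not in this diff, so confirm the two halves actually belong to the same key pair. `wont't` in the new comment should read `won't`. Dropping `'ansible'` from the whitelist makes that account eligible for outdated-user removal, which looks intended but is worth saying in the commit message.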
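Review bot: The reorder in the `@@ -102` hunk drops the `# needed for periodic ansible run` explanation on `'gitlabci'`; keep it, e.g. `- 'gitlabci' # needed for periodic ansible run`, since that comment is what tells a reviewer why a CI identity has an account on every host. The new `'{{ awx_ansible_user_name }}'` entry deserves the same kind of note, e.g. `# login used by the AWX machine credential`.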
@@ -5,6 +5,8 @@ awx_admin_password: "{{ awx_admin_password_vault }}"
 awx_ansible_username: ansible
 awx_ansible_password: ansible
+awx_credential_machine_hetzner_name: hetzner-ansible-ssh
+
 # TODO
 # reason: IT DOES NOT SCALE!!!!
 # plz move it so separate DIR and do a lookup for all file in $DIR
diff --git a/roles/kubernetes/awx/tasks/awx-config.yml b/roles/kubernetes/awx/tasks/awx-config.yml
index d93585d..c8b9d65 100644
--- a/roles/kubernetes/awx/tasks/awx-config.yml
+++ b/roles/kubernetes/awx/tasks/awx-config.yml
@@ -5,14 +5,6 @@
 awx_rest_api_type: job_templates
 when: (awx_hetzner_ansible_project_id is not defined)
 
-- name: "Printing..."
- debug:
- msg: "{{ ansible_ssh_key_private_vault }}"
- delegate_to: 127.0.0.1
- become: false
- when:
- - debug
-
 - name: "Search user <{{ awx_ansible_username }}>"
 include_tasks: awx-config-get-typ-id.yml
 vars:
@@ -80,12 +72,12 @@
 when:
 - awx_type_id != "None"
 
-- name: "Search credentials "
+- name: "Search credentials <{{ awx_credential_machine_hetzner_name }}>"
 include_tasks: awx-config-get-typ-id.yml
 vars:
 awx_rest_api_type: credentials
 awx_search_key: name
- awx_search_name: "hetzner-ansible-ssh"
+ awx_search_name: "{{ awx_credential_machine_hetzner_name }}"
 
 - name: "Update awx_credential_hetzner_ansible_id"
 set_fact:
@@ -93,14 +85,14 @@
 when:
 - awx_type_id != "None"
 
-- name: "Create json object for credentials "
+- name: "Create json object for credentials <{{ awx_credential_machine_hetzner_name }}>"
 vars:
- name: "hetzner-ansible-ssh"
+ name: "{{ awx_credential_machine_hetzner_name }}"
 credential_type_id: "{{ awx_credential_type_machine_id }}"
 credential_type_name: "Machine"
- username: "Ansible"
- ssh_public_key_data: "{{ lookup('file', '{{ playbook_dir }}/users/ansible/ssh.pub') }}"
- ssh_key_data: "{{ ansible_ssh_key_private_vault | replace('\n','\\n') }}"
+ username: "{{ awx_ansible_user_name }}"
+ ssh_public_key_data: "{{ lookup('file', '{{ playbook_dir }}/users/{{ awx_ansible_user_name }}/ssh.pub') }}"
+ ssh_key_data: "{{ awx_ansible_user_ssh_key_private | replace('\n','\\n') }}"
 set_fact:
 machine_creds: "{{ lookup('template','awx-create-credential.json.j2') }}"
 when: awx_credential_hetzner_ansible_id is not defined
@@ -112,7 +104,7 @@
 when:
 - debug
 
-- name: "Add credentials with user: {{ ansible_awx_user_id }}"
+- name: "Add credentials <{{ awx_credential_machine_hetzner_name }}> with user: {{ ansible_awx_user_id }}"
 delegate_to: localhost
 uri:
 url: "{{ awx_base_url }}/api/v2/credentials/"
@@ -131,12 +123,12 @@
 changed_when: response.status == 201
 when: awx_credential_hetzner_ansible_id is not defined
 
-- name: "Search credentials "
+- name: "Search credentials <{{ awx_credential_machine_hetzner_name }}>"
 include_tasks: awx-config-get-typ-id.yml
 vars:
 awx_rest_api_type: credentials
 awx_search_key: name
- awx_search_name: "hetzner-ansible-ssh"
+ awx_search_name: "{{ awx_credential_machine_hetzner_name }}"
 when: awx_credential_hetzner_ansible_id is not defined
 
 - name: "Update awx_credential_hetzner_ansible_id"
diff --git a/users/awx/ssh.pub b/users/awx/ssh.pub
new file mode 100644
index 0000000..6234265
--- /dev/null
+++ b/users/awx/ssh.pub
@@ -0,0 +1 @@
+ssh-rsa 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 awx@netgo.de
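Review bot: The new `ssh_public_key_data: "{{ lookup('file', '{{ playbook_dir }}/users/{{ awx_ansible_user_name }}/ssh.pub') }}"` in the `@@ -93` hunk nests `{{ }}` inside a Jinja expression, which appears to rely on the lookup re-templating its argument and is the pattern Ansible warns about; build the path as one expression instead: `ssh_public_key_data: "{{ lookup('file', playbook_dir ~ '/users/' ~ awx_ansible_user_name ~ '/ssh.pub') }}"`. The removed line had the same shape, so this is the natural moment to fix it. `ssh_key_data` still hand-escapes the private key with `replace('\n','\\n')` for the JSON template; if `awx-create-credential.json.j2` (not in the diff) can be changed, letting the template apply `| to_json` is the more robust escaping.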
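Review bot: The renamed `Add credentials` task in the `@@ -112` hunk posts to `/api/v2/credentials/` via `uri` and presumably sends `machine_creds`, which carries the private key in `ssh_key_data` (see the `@@ -93` hunk), yet there is no `no_log` on it; a failed request or a verbose run echoes the request body into the AWX job output. Add `no_log: true` to this task (its body continues outside the hunk). The task just above it, gated on `- debug` and starting outside the hunk, should get the same treatment or be removed like the `Printing...` task was, if it prints that object.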