PR#282: docstranslation: generate ssh key & add missing secrets - fedora-infra/ansible

fedora-infra / ansible

#282 docstranslation: generate ssh key & add missing secrets

Merged 3 years ago by kevin. Opened 3 years ago by darknao.

fedora-infra/ darknao/ansible master into master

docstranslation: generate ssh key & add missing secrets

Francois Andrieu • 3 years ago

6738554

playbooks/openshift-apps/docstranslation.yml

file modified

+60 -29

		`@@ -2,41 +2,64 @@`
		`hosts: os_masters[0]:os_masters_stg[0]`
		`user: root`
		`gather_facts: False`
		`-`
		`+ vars:`
		`+ app: docstranslation`
		`vars_files:`
		`- /srv/web/infra/ansible/vars/global.yml`
		`- "/srv/private/ansible/vars.yml"`
		`- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml`

		`- roles:`
		`- - role: openshift/project`
		`- app: docstranslation`
		`- description: Documentation translation`
		`- appowners:`
		`- - asamalik`
		`- - darknao`
		`- - jibecfed`
		`- - misc`
		`+ tasks:`
		`+ - import_role:`
		`+ name: openshift/project`
		`+ vars:`
		`+ description: Documentation translation`
		`+ appowners:`
		`+ - asamalik`
		`+ - darknao`
		`+ - jibecfed`
		`+ - misc`
		`tags:`
		`- apply-appowners`

		`- - role: openshift/imagestream`
		`- app: docstranslation`
		`- imagename: builder`
		`+ - name: Generate ssh keypair, if none exist`
		`+ openssh_keypair:`
		`+ path: "/etc/openshift_apps/{{ app }}/id_rsa_docs_trans"`
		`+ mode: 0600`
		`+ regenerate: never`
		`+ type: rsa`
		`+ size: 4096`
		`+ register: r_ssh_key`

		`- - role: openshift/object`
		`- app: docstranslation`
		`- objectname: buildconfig.yml`
		`- file: buildconfig.yml`
		`+ - import_role:`
		`+ name: openshift/imagestream`
		`+ vars:`
		`+ imagename: builder`

		`- - role: openshift/start-build`
		`- app: docstranslation`
		`- buildname: docstranslation-build`
		`+ - import_role:`
		`+ name: openshift/object`
		`+ vars:`
		`+ objectname: buildconfig.yml`
		`+ file: buildconfig.yml`

		`- - role: openshift/object`
		`- app: docstranslation`
		`- file: cron.yml`
		`- objectname: cron.yml`
		`+ - import_role:`
		`+ name: openshift/start-build`
		`+ vars:`
		`+ buildname: docstranslation-build`
		`+`
		`+ - import_role:`
		`+ name: openshift/object`
		`+ vars:`
		`+ objectname: secrets.yml`
		`+ template: secrets.yml`
		`+ tags:`
		`+ - deploy-secrets`
		`+`
		`+ - import_role:`
		`+ name: openshift/object`
		`+ vars:`
		`+ file: cron.yml`
		`+ objectname: cron.yml`
		`tags:`
		`- deploy-cronjob`

		`@@ -44,8 +67,16 @@`
		`# actions to delete the project from OpenShift`
		`###############################################`
		`# to run: sudo rbac-playbook -l os_masters_stg[0] -t delete openshift-apps/docstranslation.yml`
		`- - role: openshift/object-delete`
		`- app: docstranslation`
		`- objecttype: cronjob`
		`- objectname: cron`
		`- tags: [ never, delete ]`
		`+ - import_role:`
		`+ name: openshift/object-delete`
		`+ vars:`
		`+ objecttype: cronjob`
		`+ objectname: cron`
		`+ tags:`
		`+ - never`
		`+ - delete`
		`+`
		`+ post_tasks:`
		`+ - name: Display git ssh key for adding in pagure`
		`+ debug:`
		`+ msg: "{{ r_ssh_key.public_key }}"`

roles/openshift-apps/docstranslation/templates/secrets.yml

file modified

+1 -1

		`@@ -7,7 +7,7 @@`
		`app: docstranslation`
		`stringData:`
		`id_rsa_docs_trans: \|-`
		`- {{ lookup('file', {{private}} + '/files/id_rsa_docs_trans') }}`
		`+ {{ lookup('file', '/etc/openshift_apps/{{ app }}/id_rsa_docs_trans') }}`
		`config: \|-`
		`Host pagure.io`
		`User git`

darknao commented 3 years ago

This is to run on stg first.

I've added a task to generate a new ssh key for git use, mainly for staging, but also prod if we decide to not use the old one from sundries.
And updated the secrets (which was missing in the playbook) with the new key location, which is now in /etc/openshift-apps/{{app}}/ to comply with all others openshift-apps standards.

rebased onto f5cc83168ef30e948e16edc38887adea6b06d3ed

3 years ago

rebased onto cc4ea3ff512df46815a76ecc41a44ab9c8c00bd9

3 years ago

rebased onto 6738554

3 years ago

Pull-Request has been merged by kevin

3 years ago

kevin commented 3 years ago

So, this fails on:

TASK [openshift/object : Copy template {{template}} to temporary file ({{tmpfile.path}})] **************************
Wednesday 28 October 2020  18:31:26 +0000 (0:00:00.046)       0:00:03.318 ***** 
Wednesday 28 October 2020  18:31:26 +0000 (0:00:00.046)       0:00:03.318 ***** 
[WARNING]: Unable to find '/etc/openshift_apps/docstranslation/id_rsa_docs_trans' in expected paths (use -vvvvv to
see paths)
fatal: [os-master01.stg.iad2.fedoraproject.org]: FAILED! => {"changed": false, "msg": "AnsibleError: An unhandled exception occurred while running the lookup plugin 'file'. Error was a <class 'ansible.errors.AnsibleError'>, original message: could not locate file in lookup: /etc/openshift_apps/docstranslation/id_rsa_docs_trans"}

Looks like it's trying to use that key before it gets generated. Thoughts?

darknao commented 3 years ago

Weird :/ Do you have the full logs ? The task that generate the key is before the one that install the secrets template, so that shouldn't happen unless the openssh_keypair did nothing.

darknao commented 3 years ago

wait, are you running the playbook in check mode ? That would actually make sense then.
I can make another PR with the check_mode disabled for the ssh-keygen task if that's the case.

kevin commented 3 years ago

Nope.. not check mode. ;(

The full output is in /tmp/docstranslation.out on batcave01

darknao commented 3 years ago

Thanks for the output.
This was an unexpected behaviour of the import_role module. Fixed in #297