PR#303: docstranslation: git ssh key moved to /srv/private on batcave - fedora-infra/ansible

fedora-infra / ansible

#303 docstranslation: git ssh key moved to /srv/private on batcave

Merged 3 years ago by kevin. Opened 3 years ago by darknao.

fedora-infra/ darknao/ansible master into master

docstranslation: drop ssh key generation

Francois Andrieu • 3 years ago

d6678d0

docstranslation: git ssh key moved to /srv/private on batcave

Francois Andrieu • 3 years ago

2e8857c

playbooks/openshift-apps/docstranslation.yml

file modified

+3 -20

		`@@ -4,6 +4,7 @@`
		`gather_facts: False`
		`vars:`
		`app: docstranslation`
		`+ ssh_key_path: "{{ private }}/files/docstranslation/id_rsa_docstrans_{{ env_short }}"`
		`vars_files:`
		`- /srv/web/infra/ansible/vars/global.yml`
		`- "/srv/private/ansible/vars.yml"`
		`@@ -23,19 +24,6 @@`
		`tags:`
		`- apply-appowners`

		`- - name: Generate ssh keypair, if none exist`
		`- openssh_keypair:`
		`- path: "/etc/openshift_apps/{{ app }}/id_rsa_docs_trans"`
		`- mode: "600"`
		`- type: rsa`
		`- size: 4096`
		`- register: r_ssh_key`
		`-`
		`- - name: Retrieve ssh priv key`
		`- slurp:`
		`- path: r_ssh_key.filename`
		`- register: r_docs_priv_key`
		`-`
		`- name: Define imagestream`
		`include_role:`
		`name: openshift/imagestream`
		`@@ -47,7 +35,7 @@`
		`name: openshift/object`
		`vars:`
		`objectname: buildconfig.yml`
		`- file: buildconfig.yml`
		`+ template: buildconfig.yml`

		`- name: Start build`
		`include_role:`
		`@@ -68,7 +56,7 @@`
		`include_role:`
		`name: openshift/object`
		`vars:`
		`- file: cron.yml`
		`+ template: cron.yml`
		`objectname: cron.yml`
		`tags:`
		`- deploy-cronjob`
		`@@ -86,8 +74,3 @@`
		`tags:`
		`- never`
		`- delete`
		`-`
		`- post_tasks:`
		`- - name: Display git ssh key for adding in pagure`
		`- debug:`
		`- msg: "{{ r_ssh_key.public_key }}"`

roles/openshift-apps/docstranslation/templates/buildconfig.yml ~~roles/openshift-apps/docstranslation/files/buildconfig.yml~~

file renamed

		`@@ -11,7 +11,11 @@`
		`source:`
		`git:`
		`uri: "https://pagure.io/fedora-docs/translations-scripts.git"`
		`+ {% if env == 'staging' %}`
		`+ ref: staging`
		`+ {% else %}`
		`ref: master`
		`+ {% endif %}`
		`strategy:`
		`type: Docker`
		`output:`

roles/openshift-apps/docstranslation/templates/cron.yml ~~roles/openshift-apps/docstranslation/files/cron.yml~~

file renamed

+4 -2

		`@@ -19,10 +19,12 @@`
		`- /workspace/build.py`
		`- "--clone_sources"`
		`- "true"`
		`+ {# Both environment get commit disabled for safety reasons for now`
		`+ TODO: Set these to true on production when old app is removed from sundries #}`
		`- "--commit_l10n"`
		`- - "true"`
		`+ - "{% if env == 'staging' %}false{% else %}false{% endif %}"`
		`- "--commit_tsources"`
		`- - "true"`
		`+ - "{% if env == 'staging' %}false{% else %}false{% endif %}"`
		`- "--clone-po4a"`
		`env: []`
		`volumeMounts:`

roles/openshift-apps/docstranslation/templates/secrets.yml

file modified

+5 -5

		`@@ -7,9 +7,9 @@`
		`app: docstranslation`
		`stringData:`
		`id_rsa_docs_trans: \|-`
		`- {{ r_docs_priv_key.content \| b64decode \| indent(4) }}`
		`+ {{ lookup('file', ssh_key_path) \| indent(4) }}`
		`config: \|-`
		`- Host pagure.io`
		`- User git`
		`- IdentityFile /workspace/.ssh/id_rsa_docs_trans`
		`- StrictHostKeyChecking no`
		`+ Host pagure.io`
		`+ User git`
		`+ IdentityFile /workspace/.ssh/id_rsa_docs_trans`
		`+ StrictHostKeyChecking no`

darknao commented 3 years ago

Ok, let's try this again.
The ssh key is now moved to /srv/private/ansible/id_rsa_docstrans_[prod|stg] on batcave.
For production, I intend to reuse the ssh key from sundries, but otherwise the play will handle creating a new keypair.
Hopefully, that should solve our previous issues.

kevin commented 3 years ago

Can you just drop the generation part of this?

I can generate and place a key(s) in the private repo... you can't do this from a playbook as that is a git repo, and with the next commit things would break because it couldn't sync the checkout.

and lets say they should be under a 'files/docstranslation/' dir?
ie, "/srv/private/ansible/files/docstranslation/id_rsa_docstrans_[prod|stg]"

rebased onto 8bfc9b8ad1acf1e5c3e390905f519f92ed6ac2be

3 years ago

darknao commented 3 years ago

and done ;)