From 2a38ae7ee9e01513553823f2bdacd8e0d8a89349 Mon Sep 17 00:00:00 2001
From: sankar palanivel
Date: Wed, 6 Oct 2021 13:42:41 +0100
Subject: [PATCH] Update ssh keys cleanup

In this change,
- Add a ansible playbook to remove ssh keys of admin user, as this playbook need to be executed separately to avoid loss of connectivity between jumphost & k8s nodes

Change-Id: I8a184d8d1ffa72f7773b074768f87e1a91329513
---
 infra/cleanup_admin_user_access/deploy.sh | 35 ++++++++++++++
 .../playbooks/cleanup-admin-user-access.yaml | 46 +++++++++++++++++++
 .../tasks/configure-jumphost.yaml | 8 ----
 .../tasks/configure-targethosts.yaml | 8 ----
 .../configure-k8s-admin-config/vars/main.yaml | 3 +-
 5 files changed, 82 insertions(+), 18 deletions(-)
 create mode 100755 infra/cleanup_admin_user_access/deploy.sh
 create mode 100644 infra/cleanup_admin_user_access/playbooks/cleanup-admin-user-access.yaml

diff --git a/infra/cleanup_admin_user_access/deploy.sh b/infra/cleanup_admin_user_access/deploy.sh
new file mode 100755
index 0000000..002eb80
--- /dev/null
+++ b/infra/cleanup_admin_user_access/deploy.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+# ============LICENSE_START=======================================================
+# Copyright (C) 2021 The Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+#-------------------------------------------------------------------------------
+# Cleanup Admin User Access
+#-------------------------------------------------------------------------------
+echo "Info: Cleanup admin user access"
+echo "-------------------------------------------------------------------------"
+
+export INVENTORY_FILE="${INVENTORY_FILE:-/tmp/inventory.ini}"
+
+ansible-playbook -i "$INVENTORY_FILE" playbooks/cleanup-admin-user-access.yaml
+
+
+# vim: set ts=2 sw=2 expandtab:
\ No newline at end of file
diff --git a/infra/cleanup_admin_user_access/playbooks/cleanup-admin-user-access.yaml b/infra/cleanup_admin_user_access/playbooks/cleanup-admin-user-access.yaml
new file mode 100644
index 0000000..1537806
--- /dev/null
+++ b/infra/cleanup_admin_user_access/playbooks/cleanup-admin-user-access.yaml
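Review bot: The `ansible-playbook` call at the end of the hunk is not protected by `set -o errexit` when the inventory is missing — Ansible warns that the source could not be parsed, matches no hosts and, on the versions I have used, still exits 0, so the cleanup silently becomes a no-op while the admin keys stay in place. Guard the default before the call: `[[ -f "$INVENTORY_FILE" ]] || { echo "Error: inventory $INVENTORY_FILE not found" >&2; exit 1; }`. The default `/tmp/inventory.ini` is also a predictable name in a world-writable directory; since the playbook it drives deletes root's SSH keys on every host listed, a local user who can pre-create or replace that file can redirect the run, so a root-owned location (or an ownership check) would be safer. The relative `playbooks/cleanup-admin-user-access.yaml` path additionally means the script only works when invoked from its own directory; `cd "$(dirname "${BASH_SOURCE[0]}")"` before the call makes it callable from anywhere.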
@@ -0,0 +1,46 @@
+---
+# ============LICENSE_START=======================================================
+# Copyright (C) 2021 The Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+- hosts: baremetal
+  gather_facts: true
+  become: false
+
+  tasks:
+    - name: Remove admin user ssh keys
+      file:
+        path: /root/.ssh/{{ item }}
+        state: absent
+      with_items:
+        - id_rsa
+        - id_rsa.pub
+        - authorized_keys
+
+- hosts: jumphost
+  gather_facts: true
+  become: false
+
+  tasks:
+    - name: Remove admin user ssh keys
+      file:
+        path: /root/.ssh/{{ item }}
+        state: absent
+      with_items:
+        - id_rsa
+        - id_rsa.pub
+        - authorized_keys
diff --git a/infra/configure_admin_user_access/playbooks/roles/configure-admin-user-access/tasks/configure-jumphost.yaml b/infra/configure_admin_user_access/playbooks/roles/configure-admin-user-access/tasks/configure-jumphost.yaml
index af74252..6255203 100644
--- a/infra/configure_admin_user_access/playbooks/roles/configure-admin-user-access/tasks/configure-jumphost.yaml
+++ b/infra/configure_admin_user_access/playbooks/roles/configure-admin-user-access/tasks/configure-jumphost.yaml
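Review bot: Deleting `authorized_keys` outright (the last `with_items` entry in both plays) removes every key authorized for root, not just the provisioning key, so any operator or break-glass key installed separately on the same hosts is lost at the same time; if only one key should go, the `authorized_key` module with `user: root`, the public key and `state: absent` removes that entry and keeps the rest. The task name says "admin user" but every path is under `/root/.ssh`, while the admin user elsewhere in this change is `nordix`; rename the task or add `# removes root's provisioning keys; the nordix user's own keys are untouched` so the next reader is not misled. `state: absent` only unlinks `id_rsa` — for a private-key cleanup on bare metal either `shred` it first or document that the key material is not securely erased. `gather_facts: true` is unused by either play and can be `false`, and `loop:` is the current idiom for `with_items:`.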
@@ -72,13 +72,5 @@ path: /etc/sudoers line: "{{ admin_user }} ALL=(ALL:ALL) NOPASSWD: ALL" -- name: Remove nordix ssh keys - file: - path: /root/.ssh/{{ item }} - state: absent - with_items: - - id_rsa - - id_rsa.pub - - authorized_keys # vim: set ts=2 sw=2 expandtab: \ No newline at end of file diff --git a/infra/configure_admin_user_access/playbooks/roles/configure-admin-user-access/tasks/configure-targethosts.yaml b/infra/configure_admin_user_access/playbooks/roles/configure-admin-user-access/tasks/configure-targethosts.yaml index 860b647..d8ac989 100644 --- a/infra/configure_admin_user_access/playbooks/roles/configure-admin-user-access/tasks/configure-targethosts.yaml +++ b/infra/configure_admin_user_access/playbooks/roles/configure-admin-user-access/tasks/configure-targethosts.yaml @@ -54,13 +54,5 @@ path: /etc/sudoers line: "{{ admin_user }} ALL=(ALL:ALL) NOPASSWD: ALL" -- name: Remove nordix ssh keys - file: - path: /root/.ssh/{{ item }} - state: absent - with_items: - - id_rsa - - id_rsa.pub - - authorized_keys # vim: set ts=2 sw=2 expandtab: \ No newline at end of file diff --git a/infra/configure_k8s_admin_config/playbooks/roles/configure-k8s-admin-config/vars/main.yaml b/infra/configure_k8s_admin_config/playbooks/roles/configure-k8s-admin-config/vars/main.yaml index ede070e..fe4b2ba 100644 --- a/infra/configure_k8s_admin_config/playbooks/roles/configure-k8s-admin-config/vars/main.yaml +++ b/infra/configure_k8s_admin_config/playbooks/roles/configure-k8s-admin-config/vars/main.yaml 
@@ -36,7 +36,6 @@ helm_client_download_url: "https://get.helm.sh/helm-{{ helm_version }}-linux-amd
 # -------------------------------------------------------------------------------
 # Setup k8s admin config
 # -------------------------------------------------------------------------------
-engine_cache: '/opt/engine/.cache'
-k8s_admin_conf: "{{ engine_cache }}/repos/kubespray/inventory/engine/artifacts/admin.conf"
+k8s_admin_conf: "/tmp/admin.conf"
 admin_user: 'nordix'
 admin_user_kube_dir: "/home/{{ admin_user }}/.kube"
\ No newline at end of file
-- 
2.25.1
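Review bot: `k8s_admin_conf: "/tmp/admin.conf"` points the cluster-admin kubeconfig at a fixed name in a world-writable directory; whichever task writes, copies or reads it (not in this hunk) is exposed to pre-creation and symlink tricks by other local users, and nothing here controls the file's mode. Prefer a root-owned path such as `k8s_admin_conf: "/root/.kube/admin.conf"`, or make sure the consumer creates the file with `mode: "0600"` and refuses to follow an existing link. Dropping `engine_cache` from this vars file also leaves any other task or template in the role that referenced it undefined; worth grepping before merge, since an undefined variable would only surface at run time.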