From c11b8403b65de75fb59026490e67be41882dc8f2 Mon Sep 17 00:00:00 2001
From: Clark Boylan <clark.boylan@gmail.com>
Date: Fri, 11 Apr 2025 13:43:18 -0700
Subject: [PATCH] Manage gerrit's ecdsa and ed25519 hostkeys

This came up as something that was missing while we bootstrapped a new
gerrit server. The rsa hostkey is managed but none of the three ecdsa
keys or the ed25519 key is. Fix that by managing these keys in the same
manner we manage the RSA key.

Change-Id: Iaf58543b6833273ca45fa5c359dc88eaf64d7a03
---
 playbooks/roles/gerrit/tasks/main.yaml        | 70 ++++++++++++++++++-
 .../host_vars/review99.opendev.org.yaml.j2    | 50 +++++++++++++
 2 files changed, 117 insertions(+), 3 deletions(-)

diff --git a/playbooks/roles/gerrit/tasks/main.yaml b/playbooks/roles/gerrit/tasks/main.yaml
index 1ccf6dc7aa..fa2f0ce8ac 100644
--- a/playbooks/roles/gerrit/tasks/main.yaml
+++ b/playbooks/roles/gerrit/tasks/main.yaml
@@ -96,8 +96,8 @@
     group: "{{ gerrit_user_name }}"
     mode: 0644
 
-# Server host key for SSH service on port 29418
-- name: Write Gerrit SSH host private key
+# Server host keys for SSH service on port 29418
+- name: Write Gerrit SSH RSA host private key
   copy:
     content: "{{ gerrit_ssh_rsa_key_contents }}"
     dest: "{{ gerrit_site_dir }}/etc/ssh_host_rsa_key"
@@ -105,7 +105,7 @@
     group: "{{ gerrit_user_name }}"
     mode: 0600
 
-- name: Write Gerrit SSH host public key
+- name: Write Gerrit SSH RSA host public key
   copy:
     content: "{{ gerrit_ssh_rsa_pubkey_contents }}"
     dest: "{{ gerrit_site_dir }}/etc/ssh_host_rsa_key.pub"
@@ -113,6 +113,70 @@
     group: "{{ gerrit_user_name }}"
     mode: 0644
 
+- name: Write Gerrit SSH ECDSA host private key
+  copy:
+    content: "{{ gerrit_ssh_ecdsa_key_contents }}"
+    dest: "{{ gerrit_site_dir }}/etc/ssh_host_ecdsa_key"
+    owner: "{{ gerrit_user_name }}"
+    group: "{{ gerrit_user_name }}"
+    mode: 0600
+
+- name: Write Gerrit SSH ECDSA host public key
+  copy:
+    content: "{{ gerrit_ssh_ecdsa_pubkey_contents }}"
+    dest: "{{ gerrit_site_dir }}/etc/ssh_host_ecdsa_key.pub"
+    owner: "{{ gerrit_user_name }}"
+    group: "{{ gerrit_user_name }}"
+    mode: 0644
+
+- name: Write Gerrit SSH ECDSA 384 host private key
+  copy:
+    content: "{{ gerrit_ssh_ecdsa_384_key_contents }}"
+    dest: "{{ gerrit_site_dir }}/etc/ssh_host_ecdsa_384_key"
+    owner: "{{ gerrit_user_name }}"
+    group: "{{ gerrit_user_name }}"
+    mode: 0600
+
+- name: Write Gerrit SSH ECDSA 384 host public key
+  copy:
+    content: "{{ gerrit_ssh_ecdsa_384_pubkey_contents }}"
+    dest: "{{ gerrit_site_dir }}/etc/ssh_host_ecdsa_384_key.pub"
+    owner: "{{ gerrit_user_name }}"
+    group: "{{ gerrit_user_name }}"
+    mode: 0644
+
+- name: Write Gerrit SSH ECDSA 521 host private key
+  copy:
+    content: "{{ gerrit_ssh_ecdsa_521_key_contents }}"
+    dest: "{{ gerrit_site_dir }}/etc/ssh_host_ecdsa_521_key"
+    owner: "{{ gerrit_user_name }}"
+    group: "{{ gerrit_user_name }}"
+    mode: 0600
+
+- name: Write Gerrit SSH ECDSA 521 host public key
+  copy:
+    content: "{{ gerrit_ssh_ecdsa_521_pubkey_contents }}"
+    dest: "{{ gerrit_site_dir }}/etc/ssh_host_ecdsa_521_key.pub"
+    owner: "{{ gerrit_user_name }}"
+    group: "{{ gerrit_user_name }}"
+    mode: 0644
+
+- name: Write Gerrit SSH ED25519 host private key
+  copy:
+    content: "{{ gerrit_ssh_ed25519_key_contents }}"
+    dest: "{{ gerrit_site_dir }}/etc/ssh_host_ed25519_key"
+    owner: "{{ gerrit_user_name }}"
+    group: "{{ gerrit_user_name }}"
+    mode: 0600
+
+- name: Write Gerrit SSH ED25519 host public key
+  copy:
+    content: "{{ gerrit_ssh_ed25519_pubkey_contents }}"
+    dest: "{{ gerrit_site_dir }}/etc/ssh_host_ed25519_key.pub"
+    owner: "{{ gerrit_user_name }}"
+    group: "{{ gerrit_user_name }}"
+    mode: 0644
+
 # Private key for openstack-project-creator user
 - name: Write Gerrit SSH project private key
   copy:
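Review bot: The four private-key tasks added here (ECDSA, ECDSA 384, ECDSA 521 and ED25519) write secret material through `copy:` with `content:` but set neither `no_log: true` nor `diff: false`, so a run in diff mode would likely print the key contents into the job output. Adding `no_log: true` at task level on each private-key task keeps them out of logs; the RSA private-key task in the first hunk appears to have the same gap. Separately, the eight tasks differ only in key type and mode, so one looped task over a list of key types would be easier to keep consistent, as long as the loop label does not expose the content. The trailing `Write Gerrit SSH project private key` task continues outside the hunk.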
diff --git a/playbooks/zuul/templates/host_vars/review99.opendev.org.yaml.j2 b/playbooks/zuul/templates/host_vars/review99.opendev.org.yaml.j2
index 8907652e56..68dfd1b67f 100644
--- a/playbooks/zuul/templates/host_vars/review99.opendev.org.yaml.j2
+++ b/playbooks/zuul/templates/host_vars/review99.opendev.org.yaml.j2
@@ -29,6 +29,56 @@ gerrit_ssh_rsa_key_contents: |
   -----END RSA PRIVATE KEY-----
 gerrit_ssh_rsa_pubkey_contents: |
   ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+pCQlTAQYmCrOY6aPbvbyKQDcOCXibPNGIjnPPMuEItCS0vtRnqEBz7znWZS5Drq9yKpROh6uFF01ao2VnNjw6f+NdRNV19RWVe6mYN+qa2VrH2caLwBrKPiH0Xc/eK41D55dZU7IWwKYAw/NpiBaBfHavFwipI+rmEb68MH2hcimDdr/bji+0hkh3X+42dkNvmMdtkuCW6nKdAEhnXaHZc5SJR/EvzgRCfB8vbML13p46O9xhoJgn7ZWvMb3vaR5jxIkQwstUR36raEVhttBDEuWasWnHYbrM1zd3ooudbTEQf5vXISZKFygHyJFFqb4iQ76i+hDlb0VQKZCdaol test-gerrit-hostkey
+gerrit_ssh_ecdsa_key_contents: |
+  -----BEGIN OPENSSH PRIVATE KEY-----
+  b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
+  1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQRZtjWNgtRszhwwxbDSHL2ufeD4TeeT
+  V6KmRH5UcPAvOoNo3//q5mWPUDrrFDK1OlfgxIUdcp3vSvCLIKVVc44kAAAAqLihL2q4oS
+  9qAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFm2NY2C1GzOHDDF
+  sNIcva594PhN55NXoqZEflRw8C86g2jf/+rmZY9QOusUMrU6V+DEhR1yne9K8IsgpVVzji
+  QAAAAgVf9XXCDp1ydUD64uMquWwJSYUMPi63zGfMtVejAGyKUAAAANY2xhcmtAdG9hc3Rl
+  cgECAw==
+  -----END OPENSSH PRIVATE KEY-----
+gerrit_ssh_ecdsa_pubkey_contents: |
+  ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFm2NY2C1GzOHDDFsNIcva594PhN55NXoqZEflRw8C86g2jf/+rmZY9QOusUMrU6V+DEhR1yne9K8IsgpVVzjiQ= test-gerrit-hostkey
+gerrit_ssh_ecdsa_384_key_contents: |
+  -----BEGIN OPENSSH PRIVATE KEY-----
+  b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAiAAAABNlY2RzYS
+  1zaGEyLW5pc3RwMzg0AAAACG5pc3RwMzg0AAAAYQRjTpPwkO7rGhGVJCMWUrAcIMpGec34
+  0ti6MQ6m/XvfWxYvZ6cIOES1CcFwZrzJ8ImJpb3+tOGg5iGFkKVWFMrDJUPLcrrdgYmMAg
+  AoLsN3RlNohXf3UvGj//8gRs/lLxQAAADYLkUkxi5FJMYAAAATZWNkc2Etc2hhMi1uaXN0
+  cDM4NAAAAAhuaXN0cDM4NAAAAGEEY06T8JDu6xoRlSQjFlKwHCDKRnnN+NLYujEOpv1731
+  sWL2enCDhEtQnBcGa8yfCJiaW9/rThoOYhhZClVhTKwyVDy3K63YGJjAIAKC7Dd0ZTaIV3
+  91Lxo///IEbP5S8UAAAAMG2QdS4dTlRTeMHsw6le5MrI2pcJM+DDF791jn/GOh+0lFWV2H
+  qdHPhs8Cl5wEjOWwAAAA1jbGFya0B0b2FzdGVyAQID
+  -----END OPENSSH PRIVATE KEY-----
+gerrit_ssh_ecdsa_384_pubkey_contents: |
+  ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBGNOk/CQ7usaEZUkIxZSsBwgykZ5zfjS2LoxDqb9e99bFi9npwg4RLUJwXBmvMnwiYmlvf604aDmIYWQpVYUysMlQ8tyut2BiYwCACguw3dGU2iFd/dS8aP//yBGz+UvFA== test-gerrit-hostkey
+gerrit_ssh_ecdsa_521_key_contents: |
+  -----BEGIN OPENSSH PRIVATE KEY-----
+  b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAArAAAABNlY2RzYS
+  1zaGEyLW5pc3RwNTIxAAAACG5pc3RwNTIxAAAAhQQBaJa5U2SwgWTRis4ixQ5Y0F+SL7eL
+  eFPLfukKQ5g+4U3R7/f10k+4YweOuA+aP9PEy0IUixSbdUM8vlydJ0L3jPcA1vDSJ3Vm7S
+  lD5wbDwq/htBU0jKlCsd4Hre2TWlPcl/6rxz9mqNu06XriO2kz5iAOREastwDx3OqGW9QD
+  GoceWVcAAAEQkQYD25EGA9sAAAATZWNkc2Etc2hhMi1uaXN0cDUyMQAAAAhuaXN0cDUyMQ
+  AAAIUEAWiWuVNksIFk0YrOIsUOWNBfki+3i3hTy37pCkOYPuFN0e/39dJPuGMHjrgPmj/T
+  xMtCFIsUm3VDPL5cnSdC94z3ANbw0id1Zu0pQ+cGw8Kv4bQVNIypQrHeB63tk1pT3Jf+q8
+  c/ZqjbtOl64jtpM+YgDkRGrLcA8dzqhlvUAxqHHllXAAAAQgCAYxTk0LklOsGyS/iRfFDy
+  7RGJ6hoTRf6M8FIH5KS9l6++dL66T9Z4T/x/o2U6cBVCBy/ZAFi0Mi7s9KZMdlOlQAAAAA
+  1jbGFya0B0b2FzdGVyAQIDBAU=
+  -----END OPENSSH PRIVATE KEY-----
+gerrit_ssh_ecdsa_521_pubkey_contents: |
+  ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAFolrlTZLCBZNGKziLFDljQX5Ivt4t4U8t+6QpDmD7hTdHv9/XST7hjB464D5o/08TLQhSLFJt1Qzy+XJ0nQveM9wDW8NIndWbtKUPnBsPCr+G0FTSMqUKx3get7ZNaU9yX/qvHP2ao27TpeuI7aTPmIA5ERqy3APHc6oZb1AMahx5ZVw== test-gerrit-hostkey
+gerrit_ssh_ed25519_key_contents: |
+  -----BEGIN OPENSSH PRIVATE KEY-----
+  b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+  QyNTUxOQAAACBSWYNC/4rHZ6+8MiQ41Xi8A7BWm2/Ze2U3tVqwLY3lvwAAAJDVdmJE1XZi
+  RAAAAAtzc2gtZWQyNTUxOQAAACBSWYNC/4rHZ6+8MiQ41Xi8A7BWm2/Ze2U3tVqwLY3lvw
+  AAAEDdfaDmCCWyXyX9ewHOeMWwR7aTUcRQmbYy52gjaLcn91JZg0L/isdnr7wyJDjVeLwD
+  sFabb9l7ZTe1WrAtjeW/AAAADWNsYXJrQHRvYXN0ZXI=
+  -----END OPENSSH PRIVATE KEY-----
+gerrit_ssh_ed25519_pubkey_contents: |
+  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFJZg0L/isdnr7wyJDjVeLwDsFabb9l7ZTe1WrAtjeW/ test-gerrit-hostkey
 gerrit_known_hosts_keys:
   '[{% raw %}{{ gerrit_vhost_name }}{% endraw %}]:29418': |
     [{% raw %}{{ gerrit_vhost_name }}{% endraw %}]:29418,[localhost]:29418,[127.0.0.1]:29418,[::1]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+pCQlTAQYmCrOY6aPbvbyKQDcOCXibPNGIjnPPMuEItCS0vtRnqEBz7znWZS5Drq9yKpROh6uFF01ao2VnNjw6f+NdRNV19RWVe6mYN+qa2VrH2caLwBrKPiH0Xc/eK41D55dZU7IWwKYAw/NpiBaBfHavFwipI+rmEb68MH2hcimDdr/bji+0hkh3X+42dkNvmMdtkuCW6nKdAEhnXaHZc5SJR/EvzgRCfB8vbML13p46O9xhoJgn7ZWvMb3vaR5jxIkQwstUR36raEVhttBDEuWasWnHYbrM1zd3ooudbTEQf5vXISZKFygHyJFFqb4iQ76i+hDlb0VQKZCdaol
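Review bot: The added `gerrit_ssh_*_key_contents` values are unencrypted private keys committed in plain text, and nothing in the hunk states that they are throwaway fixtures. A comment above `gerrit_ssh_ecdsa_key_contents`, such as `# Test-only host keys; never deploy these to a real server`, would make that explicit for readers and for secret-scanning triage. The `gerrit_known_hosts_keys` entry at the end of the hunk still lists only the `ssh-rsa` key, so unless further entries follow outside the hunk, the new ECDSA and ED25519 host keys are not pinned for clients that rely on this known_hosts data.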