From d03f4b1f226915fd22b09455b4cc2c68c79acfdb Mon Sep 17 00:00:00 2001
From: Ian Wienand
Date: Thu, 27 Oct 2022 11:35:39 +1100
Subject: [PATCH] bastion host: add global known_hosts values

Write out the ssh host keys from the inventory as part of the bastion host bootstrap.

Change-Id: I0823c09165c445e9178c75ac5083f1988e8d3055
---
 playbooks/bootstrap-bridge.yaml | 4 +++
 .../add-inventory-known-hosts/README.rst | 1 +
 .../add-inventory-known-hosts/tasks/main.yaml | 31 +++++++++++++++++++
 testinfra/test_bridge.py | 14 +++++++++
 4 files changed, 50 insertions(+)
 create mode 100644 playbooks/roles/add-inventory-known-hosts/README.rst
 create mode 100644 playbooks/roles/add-inventory-known-hosts/tasks/main.yaml

diff --git a/playbooks/bootstrap-bridge.yaml b/playbooks/bootstrap-bridge.yaml
index 8191e2ad9c..97d89f6636 100644
--- a/playbooks/bootstrap-bridge.yaml
+++ b/playbooks/bootstrap-bridge.yaml
@@ -97,3 +97,7 @@
 BRIDGE_INVENTORY: '{{ "-i/home/zuul/bastion-inventory.ini" if root_rsa_key is defined else "" }}'
 ANSIBLE_ROLES_PATH: '/home/zuul/src/opendev.org/opendev/system-config/playbooks/roles'
 no_log: true
+
+ - name: Setup global known_hosts
+ include_role:
+ name: add-inventory-known-hosts
diff --git a/playbooks/roles/add-inventory-known-hosts/README.rst b/playbooks/roles/add-inventory-known-hosts/README.rst
new file mode 100644
index 0000000000..c283a86f2f
--- /dev/null
+++ b/playbooks/roles/add-inventory-known-hosts/README.rst
@@ -0,0 +1 @@
+Add the host keys from inventory to global known_hosts
diff --git a/playbooks/roles/add-inventory-known-hosts/tasks/main.yaml b/playbooks/roles/add-inventory-known-hosts/tasks/main.yaml
new file mode 100644
index 0000000000..e8dbb24aa8
--- /dev/null
+++ b/playbooks/roles/add-inventory-known-hosts/tasks/main.yaml
@@ -0,0 +1,31 @@
+- name: Load the current inventory from bridge
+ slurp:
+ src: '/home/zuul/src/opendev.org/opendev/system-config/inventory/base/hosts.yaml'
+ register: _bridge_inventory_encoded
+
+- name: Turn inventory into variable
+ set_fact:
+ _bridge_inventory: '{{ _bridge_inventory_encoded.content | b64decode | from_yaml }}'
+
+- name: Build known_hosts list
+ set_fact:
+ bastion_known_hosts: >-
+ [
+ {%- for host, values in _bridge_inventory['all']['hosts'].items() -%}
+ {% for key in values['host_keys'] %}
+ '{{ host }},{{ values.public_v4 }}{{ "," + values.public_v6 if 'public_v6' in values}} {{ key }}',
+ {% endfor %}
+ {%- endfor -%}
+ ]
+
+- name: Write out values to /etc/ssh/ssh_known_hosts
+ blockinfile:
+ path: '/etc/ssh/ssh_known_hosts'
+ block: |
+ {% for entry in bastion_known_hosts %}
+ {{ entry }}
+ {% endfor %}
+ owner: root
+ group: root
+ mode: 0644
+ create: yes
diff --git a/testinfra/test_bridge.py b/testinfra/test_bridge.py
index 5e82fc2d39..41dd6aea06 100644
--- a/testinfra/test_bridge.py
+++ b/testinfra/test_bridge.py
@@ -102,3 +102,17 @@ def test_rax_dns_backup(host):
 output_dir = host.file('/var/lib/rax-dns-backup')
 assert output_dir.exists
+
+
+def test_ssh_known_hosts(host):
+ f = host.file('/etc/ssh/ssh_known_hosts')
+
+ assert f.exists
+ assert f.is_file
+ assert f.user == 'root'
+ assert f.group == 'root'
+ assert f.mode == 0o644
+
+ # Nothing special about this host, just testing it has an entry we
+ # expect.
+ assert b'bridge01.opendev.org,104.130.253.34,2001:4800:7818:103:be76:4eff:fe04:48c1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGG6WTR3dkhn766C69IRcLNN1Oxx7WMrcNsN03r+uZbU' in f.content
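Review bot: In the "Build known_hosts list" task the inner loop reads `values['host_keys']` and `values.public_v4` unconditionally for every host under `all.hosts`, so one inventory host without a `host_keys` entry aborts the whole bastion bootstrap on an undefined variable instead of being skipped, and a host without `public_v4` renders as `host,,v6 key`, an entry with an empty pattern that ssh will at best ignore. Filtering at the outer loop is a one-line fix: `{%- for host, values in _bridge_inventory['all']['hosts'].items() if 'host_keys' in values and 'public_v4' in values -%}`. The README line should also say that this file becomes the SSH trust anchor for every user on the bastion, so a change to `host_keys` in `inventory/base/hosts.yaml` is effectively a change of trust and needs to be reviewed as such. Note that a global known_hosts only stops a wrong or unknown key from being accepted on first use when the client side sets `StrictHostKeyChecking` to `yes` or `accept-new`; nothing in this change configures that, and I can't tell from the hunk whether bridge's ssh_config already does.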
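Review bot: The last assertion in `test_ssh_known_hosts` only checks that the bridge01 entry occurs somewhere in `f.content`, so it would still pass if the rendered line were indented, quoted or followed by stray characters, none of which ssh would match as a known_hosts entry for that host. Comparing whole lines is stricter at no extra cost: `assert b'bridge01.opendev.org,104.130.253.34,2001:4800:7818:103:be76:4eff:fe04:48c1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGG6WTR3dkhn766C69IRcLNN1Oxx7WMrcNsN03r+uZbU' in f.content.splitlines()`. Since the role relies on blockinfile's default markers to replace rather than append entries on re-runs, asserting that `# BEGIN ANSIBLE MANAGED BLOCK` and `# END ANSIBLE MANAGED BLOCK` are present would also catch a regression to a plain-append write.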