Add ssh config and key capability to showroom (#7286)

redhat-cop · Nov 1, 2023 · 3ffdebe · 3ffdebe
1 parent 9573502
commit 3ffdebe
Show file tree

Hide file tree

Showing 5 changed files with 70 additions and 8 deletions.
diff --git a/ansible/roles/showroom/defaults/main.yml b/ansible/roles/showroom/defaults/main.yml
@@ -27,9 +27,13 @@ showroom_user_content_dir: "{{ showroom_user_home_dir }}/content"
 # Some labs and demos require only root user access
 # ssh setup
 
-showroom_ssh_method: password         # password | sshkey
+showroom_ssh_method: password         # password | config (ie via config && ssh key)
+showroom_ssh_key_type: ed25519        # ed25519 | rsa
+
 showroom_enable_root_ssh: false
   # showroom_default_ssh_user:
+showroom_lab_users:
+  - "{{ showroom_default_ssh_user | default('student') }}"
 
 showroom_container_compose_template: compose_default_template.j2
 
@@ -55,10 +59,3 @@ showroom_pip_packages:
 showroom_work_dirs:
   - "{{ showroom_user_home_dir }}/content"               # The showroom repo itself, asciidoc source e.g. Antora
   - "{{ showroom_user_home_dir }}/orchestration"         # compose, kube files etc
-
-    # TODO: Legacy vars from running antora via node.
-    # Remove once validated no longer used:
-
-# showroom_npm_packages:
-#   - antora
-#   - "@antora/[email protected]"
diff --git a/ansible/roles/showroom/tasks/22-showroom-users-security.yml b/ansible/roles/showroom/tasks/22-showroom-users-security.yml
@@ -0,0 +1,38 @@
+---
+
+- name: Implement internal sshkeys and configs for showroom access
+  when: showroom_ssh_method == "sshkey"
+  block:
+
+    - name: Setup showroom user .ssh directory
+      ansible.builtin.file:
+        path: "{{ showroom_user_home_dir }}/.ssh"
+        state: directory
+        owner: "{{ showroom_user | default('showroom') }}"
+        group: "{{ showroom_user_group | default('showroom') }}"
+        mode: u=rwx,g-rwx,o-rwx
+
+    - name: Generate an ed25519 OpenSSH keypair for showroom
+      community.crypto.openssh_keypair:
+        path: "{{ showroom_user_home_dir }}/.ssh/id_ed25519"
+        type: ed25519
+        comment: "{{ showroom_user }}@localhost.com"
+      become_user: "{{ showroom_user }}"
+      register: r_ssh_key
+
+    - name: Inject sshkey into the showroom_lab_users authorized_keys
+      ansible.posix.authorized_key:
+        user: "{{ __showroom_lab_user }}"
+        state: present
+        key: "{{ r_ssh_key.public_key }}"
+      loop: "{{ showroom_lab_users }}"
+      loop_control:
+        loop_var: __showroom_lab_user
+
+    - name: Generate SSH config file for the showroom user
+      ansible.builtin.template:
+        src: ssh_config.j2
+        dest: "{{ showroom_user_home_dir }}/.ssh/config"
+        owner: "{{ showroom_user }}"
+        group: "{{ showroom_user_group }}"
+        mode: u=rw,g-rwx,o-rwx
diff --git a/ansible/roles/showroom/tasks/main.yml b/ansible/roles/showroom/tasks/main.yml
@@ -16,6 +16,12 @@
       tags:
         - showroom-user-setup
 
+    - name: Setup ssh config and other security measures for lab accounts
+      ansible.builtin.include_tasks:
+        file: 22-showroom-users-security.yml
+      tags:
+        - showroom-user-security
+
     - name: Clone primary showroom repo and inject externals (vars, html templates)
       ansible.builtin.include_tasks:
         file: 30-showroom-clone-and-inject.yml

diff --git a/ansible/roles/showroom/templates/service_single_terminal/service_single_terminal.j2 b/ansible/roles/showroom/templates/service_single_terminal/service_single_terminal.j2
@@ -2,13 +2,23 @@ terminal-01:
   image: docker.io/wettyoss/wetty
   container_name: terminal-01
   hostname: terminal-01
+{% if showroom_ssh_method == 'sshkey' %}
+  volumes:
+    - "{{ showroom_user_home_dir }}/.ssh:{{ showroom_user_home_dir }}/.ssh"
+{% endif %}
   command:
+{% if showroom_ssh_method == 'sshkey' %}
+    - "--ssh-config={{ showroom_user_home_dir }}/.ssh/config"
+    - "--ssh-key={{ showroom_user_home_dir }}/.ssh/id_{{ showroom_ssh_key_type }}"
+    - "--ssh-auth=publickey"
 {% if showroom_enable_root_ssh %}
     - "--ssh-user=root"
 {% else %}
     - "--ssh-user={{ showroom_ssh_username | default(f_user_data.default_ssh_username) | default(f_user_data.ssh_username) }}"
 {% endif %}
+{% elif showroom_ssh_method == 'password' %}
     - "--ssh-pass={{ showroom_ssh_password | default(f_user_data.default_ssh_password) | default(f_user_data.ssh_password) }}"
+{% endif %}
     - "--ssh-host={{ showroom_ssh_host | default(f_user_data.targethost) }}"
     - "--ssh-port={{ showroom_ssh_port | default(f_user_data.targetport) | default(22) }}"
     - "--allow-iframe=true"

diff --git a/ansible/roles/showroom/templates/ssh_config.j2 b/ansible/roles/showroom/templates/ssh_config.j2
@@ -0,0 +1,11 @@
+{% for user in showroom_lab_users %}
+# Entry for connecting as {{ user }}
+Host {{ user }}
+  HostName {{ showroom_host | default('bastion') }}
+  User {{ user }}
+  IdentityFile {{ showroom_user_home_dir }}/.ssh/id_ed25519
+  Port 22
+  UserKnownHostsFile /dev/null
+  StrictHostKeyChecking no
+
+{% endfor %}