Playbook #5
/home/zuul/src/opendev.org/openstack/openstack-ansible/playbooks/setup-openstack.yml
Execution
Date 15 Dec 2025 10:19:13 +0000
Duration 00:23:12.82
Controller aio1.openstack.local
User root
Versions
Ansible 2.18.6
ara 1.7.4 / 1.7.4
Python 3.12.3
Summary
9 Hosts
618 Tasks
960 Results
108 Plays
456 Files
0 Records
check:False tags:all

File: /etc/ansible/ansible_collections/openstack/osa/roles/ssh_keypairs/tasks/standalone/install_ssh_ca.yml

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
---
# Copyright 2022, BBC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

- name: Ensure trusted CA directory is present
  ansible.builtin.file:
    path: "/etc/ssh/trusted_ca.d"
    state: directory
    mode: "0700"

- name: Slurp up SSH CA certificates from keypair setup host ({{ ssh_keypairs_setup_host }})
  delegate_to: "{{ ssh_keypairs_setup_host }}"
  ansible.builtin.slurp:
    src: "{{ item.src | default(ssh_keypairs_dir ~ '/' ~ item.name ~ '.pub') }}"
  register: _ssh_ca_slurp
  when:
    - (item.condition is defined and item.condition | bool) or (item.condition is not defined)
  loop: "{{ ssh_keypairs_install_ca }}"
  ignore_errors: "{{ ansible_check_mode }}"

- name: Create sshd trusted certificate config files
  ansible.builtin.template:
    src: "ssh_ca.j2"
    dest: "/etc/ssh/trusted_ca.d/{{ item.item.name }}"
    mode: "0644"
  with_items: "{{ _ssh_ca_slurp.results }}"
  ignore_errors: "{{ ansible_check_mode }}"
  when:
    - item.item.state is not defined or item.item.state != 'absent'
  notify:
    - Regenerate trusted_ca file

- name: Remove sshd trusted authorities for absent CA
  ansible.builtin.file:
    path: "/etc/sshd/trusted_ca.d/{{ item.item.name }}"
    state: absent
  with_items: "{{ _ssh_ca_slurp.results }}"
  ignore_errors: "{{ ansible_check_mode }}"
  when:
    - item.item.state is defined
    - item.item.state == 'absent'
  notify:
    - Regenerate trusted_ca file

- name: Write sshd trusted authorities config fragement
  ansible.builtin.template:
    src: ssh_ca_config.j2
    dest: "/etc/ssh/sshd_config.d/{{ ssh_keypairs_trusted_ca_config_file }}"
    mode: "0644"
  notify:
    - Reload sshd

- name: Ensure authorized principals directory is present
  ansible.builtin.file:
    path: "{{ ssh_keypairs_authorized_principals_file | dirname }}"
    state: directory
    mode: "0755"

- name: Create sshd certificate principals config files
  ansible.builtin.template:
    src: "ssh_principal.j2"
    dest: "{{ (ssh_keypairs_authorized_principals_file | dirname) ~ '/' ~ item.user ~ '_principals' }}"
    mode: "0644"
  with_items: "{{ ssh_keypairs_principals }}"
  when:
    - item.state is not defined or item.state != 'absent'
    - (item.condition is defined and item.condition | bool) or (item.condition is not defined)
  notify:
    - Reload sshd

- name: Remove sshd certificate principals which are absent
  ansible.builtin.file:
    path: "{{ (ssh_keypairs_authorized_principals_file | dirname) ~ '/' ~ item.user ~ '_principals' }}"
    state: absent
  with_items: "{{ ssh_keypairs_principals }}"
  when:
    - item.item.state is defined
    - item.item.state == 'absent'
    - (item.condition is defined and item.condition | bool) or (item.condition is not defined)