Merge pull request #29 from stackhpc/feat/ssh-key-customisation

Make cluster deploy SSH keys more flexible

Author: m-bull

group_vars/openstack.yml

@@ -19,4 +19,3 @@ cluster_ssh_user: rocky
 
 # Set the size of the state volume to metrics_db_maximum_size + 10
 state_volume_size: "{{ metrics_db_maximum_size + 10 }}"
-block_device_prefix: 'vd'

roles/cluster_infra/defaults/main.yml

@@ -50,3 +50,11 @@ cluster_groups_validation:
 cluster_groups_zenith:
   # Any hosts in the grafana and openondemand groups should go in the zenith group
   zenith: [grafana, openondemand]
+
+cluster_deploy_ssh_keys_extra: []
+
+# List of hw_scsi_models that result in block devices presenting as /dev/sdX
+# rather than /dev/vdX
+scsi_models:
+  # Ceph [https://docs.ceph.com/en/quincy/rbd/rbd-openstack/#image-properties]
+  - virtio-scsi

roles/cluster_infra/tasks/main.yml

@@ -57,6 +57,25 @@
     - terraform_state == "present"
     - cluster_upgrade_system_packages is not defined or not cluster_upgrade_system_packages
 
+- name: Detect volume device prefix from image metadata
+  block:
+    - name: Get image metadata from OpenStack API
+      openstack.cloud.image_info:
+        image: "{{ cluster_previous_image | default(cluster_image) }}"
+      register: cluster_image_info
+
+    - name: Set volume_device_prefix fact
+      set_fact:
+        block_device_prefix: >-
+           {{
+              'sd' if cluster_image_info.image.metadata.hw_scsi_model is defined and
+              cluster_image_info.image.metadata.hw_scsi_model in scsi_models
+              else 'vd'
+           }}
+  # Only run when block_device_prefix isn't set as an extravar
+  when: block_device_prefix is not defined
+
+
 - name: Template Terraform files into project directory
   template:
     src: >-

roles/cluster_infra/templates/outputs.tf.j2

@@ -3,6 +3,14 @@ output "cluster_gateway_ip" {
   value       =  openstack_compute_floatingip_associate_v2.login_floatingip_assoc.floating_ip
 }
 
+{% if cluster_ssh_private_key_file is not defined %}
+output "cluster_ssh_private_key" {
+  description = "The private component of the keypair generated on cluster provision"
+  value = openstack_compute_keypair_v2.cluster_keypair.private_key
+  sensitive   = true
+}
+{% endif %}
+
 output "cluster_nodes" {
   description = "A list of the nodes in the cluster from which an Ansible inventory will be populated"
   value       = concat(

roles/cluster_infra/templates/resources.tf.j2

@@ -1,3 +1,4 @@
+#jinja2: trim_blocks:False
 #####
 ##### The identity scope we are operating in
 ##### Used to output the OpenStack project ID as a fact for provisioned hosts
@@ -233,6 +234,14 @@ resource "openstack_networking_port_v2" "{{ partition.name }}" {
 
 {% endfor %}
 
+#####
+##### Deploy key
+#####
+{% if cluster_ssh_private_key_file is not defined %}
+resource "openstack_compute_keypair_v2" "cluster_keypair" {
+  name = "{{ cluster_name }}-deploy-key"
+}
+{% endif %}
 
 #####
 ##### Cluster nodes
@@ -255,8 +264,18 @@ resource "openstack_compute_instance_v2" "login" {
   user_data = <<-EOF
     #cloud-config
     ssh_authorized_keys:
-      - {{ cluster_deploy_ssh_public_key }}
+    {%- if cluster_user_ssh_public_key is defined %}
       - {{ cluster_user_ssh_public_key }}
+    {%- endif %}
+    {%- if cluster_deploy_ssh_public_key is defined %}
+      - {{ cluster_deploy_ssh_public_key }}
+    {%- endif %}
+    {%- if cluster_ssh_private_key_file is not defined %}
+      - "${openstack_compute_keypair_v2.cluster_keypair.public_key}"
+    {%- endif %}
+    {%- for ssh_key in cluster_deploy_ssh_keys_extra %}
+      - {{ ssh_key }}
+    {%- endfor %}
   EOF
 }
 
@@ -302,8 +321,18 @@ resource "openstack_compute_instance_v2" "control" {
   user_data = <<-EOF
     #cloud-config
     ssh_authorized_keys:
-      - {{ cluster_deploy_ssh_public_key }}
+    {%- if cluster_user_ssh_public_key is defined %}
       - {{ cluster_user_ssh_public_key }}
+    {%- endif %}
+    {%- if cluster_deploy_ssh_public_key is defined %}
+      - {{ cluster_deploy_ssh_public_key }}
+    {%- endif %}
+    {%- if cluster_ssh_private_key_file is not defined %}
+      - "${openstack_compute_keypair_v2.cluster_keypair.public_key}"
+    {%- endif %}
+    {%- for ssh_key in cluster_deploy_ssh_keys_extra %}
+      - {{ ssh_key }}
+    {%- endfor %}
     fs_setup:
       - label: state
         filesystem: ext4
@@ -335,10 +364,21 @@ resource "openstack_compute_instance_v2" "{{ partition.name }}" {
   user_data = <<-EOF
     #cloud-config
     ssh_authorized_keys:
-      - {{ cluster_deploy_ssh_public_key }}
+    {%- if cluster_user_ssh_public_key is defined %}
       - {{ cluster_user_ssh_public_key }}
+    {%- endif %}
+    {%- if cluster_deploy_ssh_public_key is defined %}
+      - {{ cluster_deploy_ssh_public_key }}
+    {%- endif %}
+    {%- if cluster_ssh_private_key_file is not defined %}
+      - "${openstack_compute_keypair_v2.cluster_keypair.public_key}"
+    {%- endif %}
+    {%- for ssh_key in cluster_deploy_ssh_keys_extra %}
+      - {{ ssh_key }}
+    {%- endfor %}
   EOF
 }
+
 {% endfor %}
 
 #####