Make cluster deploy SSH keys more flexible

Add a cluster_deploy_ssh_additional_public_keys variable for adding
a list of SSH keys to the rocky user. Create a deploy SSH key if
cluster_ssh_private_key_file isn't provided and make the private
part available in Terraform output.

Author: m-bull

roles/cluster_infra/defaults/main.yml

@@ -50,3 +50,12 @@ cluster_groups_validation:
 cluster_groups_zenith:
   # Any hosts in the grafana and openondemand groups should go in the zenith group
   zenith: [grafana, openondemand]
+
+# Deploy user SSH keys
+cluster_deploy_ssh_keys: >-
+  {{
+     cluster_deploy_ssh_additional_public_keys | default([]) +
+     ( [cluster_deploy_ssh_public_key]
+     if cluster_deploy_ssh_public_key is defined
+     else [] )
+  }}

roles/cluster_infra/templates/outputs.tf.j2

@@ -3,6 +3,13 @@ output "cluster_gateway_ip" {
   value       =  openstack_compute_floatingip_associate_v2.login_floatingip_assoc.floating_ip
 }
 
+{% if cluster_ssh_private_key_file is not defined %}
+output "cluster_ssh_private_key" {
+  description = "The private component of the keypair generated on cluster provision"
+  value = openstack_compute_keypair_v2.cluster_keypair.private_key
+}
+{% endif %}
+
 output "cluster_nodes" {
   description = "A list of the nodes in the cluster from which an Ansible inventory will be populated"
   value       = concat(

roles/cluster_infra/templates/resources.tf.j2

@@ -1,3 +1,4 @@
+#jinja2: trim_blocks:False
 #####
 ##### The identity scope we are operating in
 ##### Used to output the OpenStack project ID as a fact for provisioned hosts
@@ -233,6 +234,14 @@ resource "openstack_networking_port_v2" "{{ partition.name }}" {
 
 {% endfor %}
 
+#####
+##### Deploy key
+#####
+{% if cluster_ssh_private_key_file is not defined %}
+resource "openstack_compute_keypair_v2" "cluster_keypair" {
+  name = "{{ cluster_name }}-deploy-key"
+}
+{% endif %}
 
 #####
 ##### Cluster nodes
@@ -255,8 +264,12 @@ resource "openstack_compute_instance_v2" "login" {
   user_data = <<-EOF
     #cloud-config
     ssh_authorized_keys:
-      - {{ cluster_deploy_ssh_public_key }}
-      - {{ cluster_user_ssh_public_key }}
+    {%- if cluster_ssh_private_key_file is not defined %}
+      - "${openstack_compute_keypair_v2.cluster_keypair.public_key}"
+    {%- endif %}
+    {%- for ssh_key in cluster_deploy_ssh_keys %}
+      - {{ ssh_key }}
+    {%- endfor %}
   EOF
 }
 
@@ -302,8 +315,12 @@ resource "openstack_compute_instance_v2" "control" {
   user_data = <<-EOF
     #cloud-config
     ssh_authorized_keys:
-      - {{ cluster_deploy_ssh_public_key }}
-      - {{ cluster_user_ssh_public_key }}
+    {%- if cluster_ssh_private_key_file is not defined %}
+      - "${openstack_compute_keypair_v2.cluster_keypair.public_key}"
+    {%- endif %}
+    {%- for ssh_key in cluster_deploy_ssh_keys %}
+      - {{ ssh_key }}
+    {%- endfor %}
     fs_setup:
       - label: state
         filesystem: ext4
@@ -335,10 +352,15 @@ resource "openstack_compute_instance_v2" "{{ partition.name }}" {
   user_data = <<-EOF
     #cloud-config
     ssh_authorized_keys:
-      - {{ cluster_deploy_ssh_public_key }}
-      - {{ cluster_user_ssh_public_key }}
+    {%- if cluster_ssh_private_key_file is not defined %}
+      - "${openstack_compute_keypair_v2.cluster_keypair.public_key}"
+    {%- endif %}
+    {%- for ssh_key in cluster_deploy_ssh_keys %}
+      - {{ ssh_key }}
+    {%- endfor %}
   EOF
 }
+
 {% endfor %}
 
 #####