Introduce SSH cert support

adamlazik1 · adamlazik1 · commit 5e673ed813f0 · 2025-07-14T17:05:31.000+02:00
diff --git a/manifests/plugin/ansible.pp b/manifests/plugin/ansible.pp
@@ -50,14 +50,6 @@
   $foreman_ssl_key = pick($foreman_proxy::foreman_ssl_key, $foreman_proxy::ssl_key)
   $foreman_ssl_ca = pick($foreman_proxy::foreman_ssl_ca, $foreman_proxy::ssl_ca)
 
-  file { "${foreman_proxy::config_dir}/ansible.env":
-    ensure  => file,
-    content => template('foreman_proxy/plugin/ansible.env.erb'),
-    owner   => 'root',
-    group   => $foreman_proxy::user,
-    mode    => '0640',
-  }
-
   if ($facts['os']['family'] in ['RedHat', 'Debian'] and $foreman_proxy::plugin::ansible::callback == 'theforeman.foreman.foreman') {
     stdlib::ensure_packages(['ansible-collection-theforeman-foreman'])
   }
@@ -68,6 +60,24 @@
     include foreman_proxy::plugin::ansible::runner
   }
 
+  $certificate_file_option = $foreman_proxy::plugin::remote_execution::script::ssh_user_ca_public_key_file ? {
+    undef   => '',
+    default => " -o CertificateFile=${foreman_proxy::plugin::remote_execution::script::ssh_identity_path}-cert.pub",
+  }
+  $host_ca_options = $foreman_proxy::plugin::remote_execution::script::ssh_host_ca_public_key ? {
+    undef   => '',
+    default => " -o UserKnownHostsFile=${foreman_proxy::plugin::remote_execution::script::ssh_ca_known_hosts_file} -o StrictHostKeyChecking=yes",
+  }
+  $ansible_ssh_args = "${ssh_args}${certificate_file_option}${host_ca_options}"
+
+  file { "${foreman_proxy::config_dir}/ansible.env":
+    ensure  => file,
+    content => template('foreman_proxy/plugin/ansible.env.erb'),
+    owner   => 'root',
+    group   => $foreman_proxy::user,
+    mode    => '0640',
+  }
+
   foreman_proxy::plugin::module { 'ansible':
     enabled   => $enabled,
     listen_on => $listen_on,
diff --git a/manifests/plugin/remote_execution/script.pp b/manifests/plugin/remote_execution/script.pp
@@ -4,42 +4,45 @@
 #
 # === Parameters:
 #
-# $mode::                Operation Mode of the plugin.
+# $mode::                         Operation Mode of the plugin.
 #
-# $cockpit_integration:: Enables/disables Cockpit integration
+# $cockpit_integration::          Enables/disables Cockpit integration
 #
 # === SSH parameters:
 #
-# $generate_keys::      Automatically generate SSH keys
+# $generate_keys::                Automatically generate SSH keys
 #
-# $install_key::        Automatically install generated SSH key to root authorized keys
-#                       which allows managing this host through Remote Execution
+# $install_key::                  Automatically install generated SSH key to root authorized keys which allows managing this host through Remote Execution
 #
-# $ssh_identity_dir::   Directory where SSH keys are stored
+# $ssh_identity_dir::             Directory where SSH keys are stored
 #
-# $ssh_identity_file::  Provide an alternative name for the SSH keys
+# $ssh_identity_file::            Provide an alternative name for the SSH keys
 #
-# $ssh_keygen::         Location of the ssh-keygen binary
+# $ssh_user_ca_public_key_file::  Public key file for the SSH CA certificate
 #
-# $ssh_kerberos_auth::  Enable kerberos authentication for SSH
+# $ssh_host_ca_public_key::       Trusted host CA public key
 #
-# $local_working_dir::  Local working directory on the smart proxy
+# $ssh_keygen::                   Location of the ssh-keygen binary
 #
-# $remote_working_dir:: Remote working directory on clients
+# $ssh_kerberos_auth::            Enable kerberos authentication for SSH
 #
-# $ssh_log_level::      Configure ssh client LogLevel
+# $local_working_dir::            Local working directory on the smart proxy
+#
+# $remote_working_dir::           Remote working directory on clients
+#
+# $ssh_log_level::                Configure ssh client LogLevel
 #
 # === Advanced parameters:
 #
-# $enabled::            Enables/disables the plugin
+# $enabled::                      Enables/disables the plugin
 #
-# $listen_on::          Proxy feature listens on https, http, or both
+# $listen_on::                    Proxy feature listens on https, http, or both
 #
-# $mqtt_ttl::           Time interval in seconds given to the host to pick up the job before considering the job undelivered.
+# $mqtt_ttl::                     Time interval in seconds given to the host to pick up the job before considering the job undelivered.
 #
-# $mqtt_rate_limit::    Number of jobs that are allowed to run at the same time
+# $mqtt_rate_limit::              Number of jobs that are allowed to run at the same time
 #
-# $mqtt_resend_interval:: Time interval in seconds at which the notification should be re-sent to the host until the job is picked up or canceleld
+# $mqtt_resend_interval::         Time interval in seconds at which the notification should be re-sent to the host until the job is picked up or canceleld
 #
 class foreman_proxy::plugin::remote_execution::script (
   Boolean $enabled = true,
@@ -48,6 +51,8 @@
   Boolean $install_key = false,
   Stdlib::Absolutepath $ssh_identity_dir = '/var/lib/foreman-proxy/ssh',
   String $ssh_identity_file = 'id_rsa_foreman_proxy',
+  Optional[Stdlib::Absolutepath] $ssh_user_ca_public_key_file = undef,
+  Optional[String] $ssh_host_ca_public_key = undef,
   String $ssh_keygen = '/usr/bin/ssh-keygen',
   Stdlib::Absolutepath $local_working_dir = '/var/tmp',
   Stdlib::Absolutepath $remote_working_dir = '/var/tmp',
@@ -59,6 +64,7 @@
   Optional[Integer] $mqtt_rate_limit = undef,
   Optional[Integer] $mqtt_resend_interval = undef,
 ) {
+  $ssh_ca_known_hosts_file = "${ssh_identity_dir}/foreman_known_hosts_ca"
   $ssh_identity_path = "${ssh_identity_dir}/${ssh_identity_file}"
 
   include foreman_proxy
@@ -87,5 +93,19 @@
     ssl_key  => $foreman_proxy::ssl_key,
   }
 
+  if $ssh_host_ca_public_key {
+    file { $ssh_ca_known_hosts_file:
+      ensure  => file,
+      owner   => $foreman_proxy::user,
+      group   => $foreman_proxy::group,
+      mode    => '0600',
+      content => "@cert-autority * ${ssh_host_ca_public_key}\n",
+    }
+  } else {
+    file { $ssh_ca_known_hosts_file:
+      ensure => absent,
+    }
+  }
+
   Class['foreman_proxy::config'] ~> Class['foreman_proxy::plugin::remote_execution::mosquitto']
 }
diff --git a/templates/plugin/ansible.env.erb b/templates/plugin/ansible.env.erb
@@ -10,4 +10,4 @@ export FOREMAN_SSL_CERT="<%= @foreman_ssl_cert %>"
 export FOREMAN_SSL_KEY="<%= @foreman_ssl_key %>"
 export FOREMAN_SSL_VERIFY="<%= @foreman_ssl_ca %>"
 
-export ANSIBLE_SSH_ARGS="<%= @ssh_args %>"
+export ANSIBLE_SSH_ARGS="<%= @ansible_ssh_args %>"
diff --git a/templates/plugin/remote_execution_ssh.yml.erb b/templates/plugin/remote_execution_ssh.yml.erb
@@ -10,6 +10,13 @@
 
 :cockpit_integration: <%= scope.lookupvar('::foreman_proxy::plugin::remote_execution::script::cockpit_integration') %>
 
+<% if ssh_user_ca_public_key_file = scope.lookupvar('::foreman_proxy::plugin::remote_execution::script::ssh_user_ca_public_key_file') -%>
+:ssh_user_ca_public_key_file: <%= ssh_user_ca_public_key_file %>
+<% end -%>
+<% if ssh_ca_known_hosts_file = scope.lookupvar('::foreman_proxy::plugin::remote_execution::script::ssh_ca_known_hosts_file') -%>
+:ssh_ca_known_hosts_file: <%= ssh_ca_known_hosts_file %>
+<% end -%>
+
 # Whether to run remote execution jobs asynchronously
 :mode: <%= scope.lookupvar("::foreman_proxy::plugin::remote_execution::script::mode") %>
 <% if scope.lookupvar("::foreman_proxy::plugin::remote_execution::script::mode") == 'pull-mqtt' -%>

Original file line number	Diff line number	Diff line change
`@@ -4,42 +4,45 @@`
`4`	`4`	`#`
`5`	`5`	`# === Parameters:`
`6`	`6`	`#`
`7`		`-# $mode:: Operation Mode of the plugin.`
	`7`	`+# $mode:: Operation Mode of the plugin.`
`8`	`8`	`#`
`9`		`-# $cockpit_integration:: Enables/disables Cockpit integration`
	`9`	`+# $cockpit_integration:: Enables/disables Cockpit integration`
`10`	`10`	`#`
`11`	`11`	`# === SSH parameters:`
`12`	`12`	`#`
`13`		`-# $generate_keys:: Automatically generate SSH keys`
	`13`	`+# $generate_keys:: Automatically generate SSH keys`
`14`	`14`	`#`
`15`		`-# $install_key:: Automatically install generated SSH key to root authorized keys`
`16`		`-# which allows managing this host through Remote Execution`
	`15`	`+# $install_key:: Automatically install generated SSH key to root authorized keys which allows managing this host through Remote Execution`
`17`	`16`	`#`
`18`		`-# $ssh_identity_dir:: Directory where SSH keys are stored`
	`17`	`+# $ssh_identity_dir:: Directory where SSH keys are stored`
`19`	`18`	`#`
`20`		`-# $ssh_identity_file:: Provide an alternative name for the SSH keys`
	`19`	`+# $ssh_identity_file:: Provide an alternative name for the SSH keys`
`21`	`20`	`#`
`22`		`-# $ssh_keygen:: Location of the ssh-keygen binary`
	`21`	`+# $ssh_user_ca_public_key_file:: Public key file for the SSH CA certificate`
`23`	`22`	`#`
`24`		`-# $ssh_kerberos_auth:: Enable kerberos authentication for SSH`
	`23`	`+# $ssh_host_ca_public_key:: Trusted host CA public key`
`25`	`24`	`#`
`26`		`-# $local_working_dir:: Local working directory on the smart proxy`
	`25`	`+# $ssh_keygen:: Location of the ssh-keygen binary`
`27`	`26`	`#`
`28`		`-# $remote_working_dir:: Remote working directory on clients`
	`27`	`+# $ssh_kerberos_auth:: Enable kerberos authentication for SSH`
`29`	`28`	`#`
`30`		`-# $ssh_log_level:: Configure ssh client LogLevel`
	`29`	`+# $local_working_dir:: Local working directory on the smart proxy`
	`30`	`+#`
	`31`	`+# $remote_working_dir:: Remote working directory on clients`
	`32`	`+#`
	`33`	`+# $ssh_log_level:: Configure ssh client LogLevel`
`31`	`34`	`#`
`32`	`35`	`# === Advanced parameters:`
`33`	`36`	`#`
`34`		`-# $enabled:: Enables/disables the plugin`
	`37`	`+# $enabled:: Enables/disables the plugin`
`35`	`38`	`#`
`36`		`-# $listen_on:: Proxy feature listens on https, http, or both`
	`39`	`+# $listen_on:: Proxy feature listens on https, http, or both`
`37`	`40`	`#`
`38`		`-# $mqtt_ttl:: Time interval in seconds given to the host to pick up the job before considering the job undelivered.`
	`41`	`+# $mqtt_ttl:: Time interval in seconds given to the host to pick up the job before considering the job undelivered.`
`39`	`42`	`#`
`40`		`-# $mqtt_rate_limit:: Number of jobs that are allowed to run at the same time`
	`43`	`+# $mqtt_rate_limit:: Number of jobs that are allowed to run at the same time`
`41`	`44`	`#`
`42`		`-# $mqtt_resend_interval:: Time interval in seconds at which the notification should be re-sent to the host until the job is picked up or canceleld`
	`45`	`+# $mqtt_resend_interval:: Time interval in seconds at which the notification should be re-sent to the host until the job is picked up or canceleld`
`43`	`46`	`#`
`44`	`47`	`class foreman_proxy::plugin::remote_execution::script (`
`45`	`48`	`Boolean $enabled = true,`
`@@ -48,6 +51,8 @@`
`48`	`51`	`Boolean $install_key = false,`
`49`	`52`	`Stdlib::Absolutepath $ssh_identity_dir = '/var/lib/foreman-proxy/ssh',`
`50`	`53`	`String $ssh_identity_file = 'id_rsa_foreman_proxy',`
	`54`	`+ Optional[Stdlib::Absolutepath] $ssh_user_ca_public_key_file = undef,`
	`55`	`+ Optional[String] $ssh_host_ca_public_key = undef,`
`51`	`56`	`String $ssh_keygen = '/usr/bin/ssh-keygen',`
`52`	`57`	`Stdlib::Absolutepath $local_working_dir = '/var/tmp',`
`53`	`58`	`Stdlib::Absolutepath $remote_working_dir = '/var/tmp',`
`@@ -59,6 +64,7 @@`
`59`	`64`	`Optional[Integer] $mqtt_rate_limit = undef,`
`60`	`65`	`Optional[Integer] $mqtt_resend_interval = undef,`
`61`	`66`	`) {`
	`67`	`+ $ssh_ca_known_hosts_file = "${ssh_identity_dir}/foreman_known_hosts_ca"`
`62`	`68`	`$ssh_identity_path = "${ssh_identity_dir}/${ssh_identity_file}"`
`63`	`69`
`64`	`70`	`include foreman_proxy`
`@@ -87,5 +93,19 @@`
`87`	`93`	`ssl_key => $foreman_proxy::ssl_key,`
`88`	`94`	`}`
`89`	`95`
	`96`	`+ if $ssh_host_ca_public_key {`
	`97`	`+ file { $ssh_ca_known_hosts_file:`
	`98`	`+ ensure => file,`
	`99`	`+ owner => $foreman_proxy::user,`
	`100`	`+ group => $foreman_proxy::group,`
	`101`	`+ mode => '0600',`
	`102`	`+ content => "@cert-autority * ${ssh_host_ca_public_key}\n",`
	`103`	`+ }`
	`104`	`+ } else {`
	`105`	`+ file { $ssh_ca_known_hosts_file:`
	`106`	`+ ensure => absent,`
	`107`	`+ }`
	`108`	`+ }`
	`109`	`+`
`90`	`110`	`Class['foreman_proxy::config'] ~> Class['foreman_proxy::plugin::remote_execution::mosquitto']`
`91`	`111`	`}`