theforeman · adamlazik1 · Jun 26, 2025 · adamlazik1 · Jul 21, 2025 · lhellebr
diff --git a/manifests/plugin/ansible.pp b/manifests/plugin/ansible.pp
@@ -50,14 +50,6 @@
   $foreman_ssl_key = pick($foreman_proxy::foreman_ssl_key, $foreman_proxy::ssl_key)
   $foreman_ssl_ca = pick($foreman_proxy::foreman_ssl_ca, $foreman_proxy::ssl_ca)
 
-  file { "${foreman_proxy::config_dir}/ansible.env":
-    ensure  => file,
-    content => template('foreman_proxy/plugin/ansible.env.erb'),
-    owner   => 'root',
-    group   => $foreman_proxy::user,
-    mode    => '0640',
-  }
-
   if ($facts['os']['family'] in ['RedHat', 'Debian'] and $foreman_proxy::plugin::ansible::callback == 'theforeman.foreman.foreman') {
     stdlib::ensure_packages(['ansible-collection-theforeman-foreman'])
   }
@@ -68,6 +60,24 @@
     include foreman_proxy::plugin::ansible::runner
   }
 
+  $certificate_file_option = $foreman_proxy::plugin::remote_execution::script::ssh_user_ca_public_key_file ? {
+    undef   => '',
+    default => " -o CertificateFile=${foreman_proxy::plugin::remote_execution::script::ssh_identity_path}-cert.pub",
+  }
+  $host_ca_options = $foreman_proxy::plugin::remote_execution::script::ssh_host_ca_public_key ? {
+    undef   => '',
+    default => " -o UserKnownHostsFile=${foreman_proxy::plugin::remote_execution::script::ssh_ca_known_hosts_file} -o StrictHostKeyChecking=yes",
+  }
+  $ansible_ssh_args = "${ssh_args}${certificate_file_option}${host_ca_options}"
+
+  file { "${foreman_proxy::config_dir}/ansible.env":
+    ensure  => file,
+    content => template('foreman_proxy/plugin/ansible.env.erb'),
+    owner   => 'root',
+    group   => $foreman_proxy::user,
+    mode    => '0640',
+  }
+
   foreman_proxy::plugin::module { 'ansible':
     enabled   => $enabled,
     listen_on => $listen_on,

diff --git a/manifests/plugin/remote_execution/script.pp b/manifests/plugin/remote_execution/script.pp
@@ -4,42 +4,46 @@
 #
 # === Parameters:
 #
-# $mode::                Operation Mode of the plugin.
+# $mode::                         Operation Mode of the plugin.
 #
-# $cockpit_integration:: Enables/disables Cockpit integration
+# $cockpit_integration::          Enables/disables Cockpit integration
 #
 # === SSH parameters:
 #
-# $generate_keys::      Automatically generate SSH keys
+# $generate_keys::                Automatically generate SSH keys
 #
-# $install_key::        Automatically install generated SSH key to root authorized keys
-#                       which allows managing this host through Remote Execution
+# $install_key::                  Automatically install generated SSH key to root authorized keys
+#                                 which allows managing this host through Remote Execution
 #
-# $ssh_identity_dir::   Directory where SSH keys are stored
+# $ssh_identity_dir::             Directory where SSH keys are stored
 #
-# $ssh_identity_file::  Provide an alternative name for the SSH keys
+# $ssh_identity_file::            Provide an alternative name for the SSH keys
 #
-# $ssh_keygen::         Location of the ssh-keygen binary
+# $ssh_user_ca_public_key_file::  Public key file for the SSH CA certificate
 #
-# $ssh_kerberos_auth::  Enable kerberos authentication for SSH
+# $ssh_host_ca_public_key::       Trusted host CA public key
 #
-# $local_working_dir::  Local working directory on the smart proxy
+# $ssh_keygen::                   Location of the ssh-keygen binary
 #
-# $remote_working_dir:: Remote working directory on clients
+# $ssh_kerberos_auth::            Enable kerberos authentication for SSH
 #
-# $ssh_log_level::      Configure ssh client LogLevel
+# $local_working_dir::            Local working directory on the smart proxy
+#
+# $remote_working_dir::           Remote working directory on clients
+#
+# $ssh_log_level::                Configure ssh client LogLevel
 #
 # === Advanced parameters:
 #
-# $enabled::            Enables/disables the plugin
+# $enabled::                      Enables/disables the plugin
 #
-# $listen_on::          Proxy feature listens on https, http, or both
+# $listen_on::                    Proxy feature listens on https, http, or both
 #
-# $mqtt_ttl::           Time interval in seconds given to the host to pick up the job before considering the job undelivered.
+# $mqtt_ttl::                     Time interval in seconds given to the host to pick up the job before considering the job undelivered.
 #
-# $mqtt_rate_limit::    Number of jobs that are allowed to run at the same time
+# $mqtt_rate_limit::              Number of jobs that are allowed to run at the same time
 #
-# $mqtt_resend_interval:: Time interval in seconds at which the notification should be re-sent to the host until the job is picked up or canceleld
+# $mqtt_resend_interval::         Time interval in seconds at which the notification should be re-sent to the host until the job is picked up or canceleld
 #
 class foreman_proxy::plugin::remote_execution::script (
   Boolean $enabled = true,
@@ -48,6 +52,8 @@
   Boolean $install_key = false,
   Stdlib::Absolutepath $ssh_identity_dir = '/var/lib/foreman-proxy/ssh',
   String $ssh_identity_file = 'id_rsa_foreman_proxy',
+  Optional[Stdlib::Absolutepath] $ssh_user_ca_public_key_file = undef,
+  Optional[String] $ssh_host_ca_public_key = undef,
   String $ssh_keygen = '/usr/bin/ssh-keygen',
   Stdlib::Absolutepath $local_working_dir = '/var/tmp',
   Stdlib::Absolutepath $remote_working_dir = '/var/tmp',
@@ -59,6 +65,7 @@
   Optional[Integer] $mqtt_rate_limit = undef,
   Optional[Integer] $mqtt_resend_interval = undef,
 ) {
+  $ssh_ca_known_hosts_file = "${ssh_identity_dir}/foreman_known_hosts_ca"
   $ssh_identity_path = "${ssh_identity_dir}/${ssh_identity_file}"
 
   include foreman_proxy
@@ -87,5 +94,19 @@
     ssl_key  => $foreman_proxy::ssl_key,
   }
 
+  if $ssh_host_ca_public_key {
+    file { $ssh_ca_known_hosts_file:
+      ensure  => file,
+      owner   => $foreman_proxy::user,
+      group   => $foreman_proxy::group,
+      mode    => '0600',
+      content => "@cert-autority * ${ssh_host_ca_public_key}\n",
+    }
+  } else {
+    file { $ssh_ca_known_hosts_file:
+      ensure => absent,
+    }
+  }
+
   Class['foreman_proxy::config'] ~> Class['foreman_proxy::plugin::remote_execution::mosquitto']
 }
diff --git a/templates/plugin/ansible.env.erb b/templates/plugin/ansible.env.erb
@@ -10,4 +10,4 @@ export FOREMAN_SSL_CERT="<%= @foreman_ssl_cert %>"
 export FOREMAN_SSL_KEY="<%= @foreman_ssl_key %>"
 export FOREMAN_SSL_VERIFY="<%= @foreman_ssl_ca %>"
 
-export ANSIBLE_SSH_ARGS="<%= @ssh_args %>"
+export ANSIBLE_SSH_ARGS="<%= @ansible_ssh_args %>"
diff --git a/templates/plugin/remote_execution_ssh.yml.erb b/templates/plugin/remote_execution_ssh.yml.erb
@@ -10,6 +10,13 @@
 
 :cockpit_integration: <%= scope.lookupvar('::foreman_proxy::plugin::remote_execution::script::cockpit_integration') %>
 
+<% if ssh_user_ca_public_key_file = scope.lookupvar('::foreman_proxy::plugin::remote_execution::script::ssh_user_ca_public_key_file') -%>
+:ssh_user_ca_public_key_file: <%= ssh_user_ca_public_key_file %>
+<% end -%>
+<% if ssh_ca_known_hosts_file = scope.lookupvar('::foreman_proxy::plugin::remote_execution::script::ssh_ca_known_hosts_file') -%>
+:ssh_ca_known_hosts_file: <%= ssh_ca_known_hosts_file %>
+<% end -%>
+
 # Whether to run remote execution jobs asynchronously
 :mode: <%= scope.lookupvar("::foreman_proxy::plugin::remote_execution::script::mode") %>
 <% if scope.lookupvar("::foreman_proxy::plugin::remote_execution::script::mode") == 'pull-mqtt' -%>