Merge branch 'feat-override-sshproxy-config' into 'feat-hpc-factory'

feat: Add runtime config for ssh proxy See merge request !143

Merge branch 'feat-override-sshproxy-config' into 'feat-hpc-factory'
feat: Add runtime config for ssh proxy See merge request !143
e3890884 · Eesaan Atluri · cd5d9337 · 5700ab7c · e3890884 · e3890884
Commit e3890884 authored 6 months ago by Eesaan Atluri
--- a/ansible/cluster.yml
+++ b/ansible/cluster.yml
@@ -8,3 +8,4 @@
    - { name: 'ldap_config', tags: 'ldap_config' }
    - { name: 'slurm_client', tags: 'slurm_client', when: enable_slurm_client }
    - { name: 'ssh_host_keys', tags: 'ssh_host_keys' }
+    - { name: 'ssh_proxy_config', tags: 'ssh_proxy_config', when: enable_ssh_proxy_config }
--- a/ansible/group_vars/all
+++ b/ansible/group_vars/all
@@ -42,3 +42,7 @@
 # AWS credentials
  LTS_ACCESS_KEY: ""
  LTS_SECRET_KEY: ""
+
+# ssh proxy
+  enable_ssh_proxy_config: false
+  sshpiper_dest_dir: "/opt/sshpiper"
--- a/ansible/group_vars/prod
+++ b/ansible/group_vars/prod
@@ -17,3 +17,8 @@
  bright_openldap_path: "/cm/local/apps/openldap"
  ldap_cert_path: "{{bright_openldap_path}}/etc/certs"
  ldap_uri: "ldaps://ldapserver"
+
+  # proxy_config
+  target_groups:
+    - {"name": "gpfs5", "host": "login002", "default": False, "authorized_keys":"/gpfs5/data/user/home/$DOWNSTREAM_USER/.ssh/authorized_keys", "private_key":"/gpfs5/data/user/home/$DOWNSTREAM_USER/.ssh/id_ecdsa"}
+    - {"name": "gpfs4", "host": "login001", "default": True, "authorized_keys":"/gpfs4/data/user/home/$DOWNSTREAM_USER/.ssh/authorized_keys", "private_key":"/gpfs4/data/user/home/$DOWNSTREAM_USER/.ssh/id_ecdsa"}
--- a/ansible/roles/ssh_proxy_config/tasks/main.yml
+++ b/ansible/roles/ssh_proxy_config/tasks/main.yml
+---
+- name: Configure sshpiper yaml plugin
+  ansible.builtin.template:
+    src: sshpiperd.yaml.j2
+    dest: "{{ sshpiper_dest_dir }}/sshpiperd.yaml"
+    backup: true
+
+- name: Enable and start sshpiper service
+  ansible.builtin.service:
+    name: sshpiperd
+    enabled: true
+    state: restarted
+
--- a/ansible/roles/ssh_proxy_config/templates/sshpiperd.yaml.j2
+++ b/ansible/roles/ssh_proxy_config/templates/sshpiperd.yaml.j2
+# yaml-language-server: $schema=https://raw.githubusercontent.com/tg123/sshpiper/master/plugin/yaml/schema.json
+version: "1.0"
+pipes:
+{% for group in target_groups %}
+{% if not group.default %}
+- from:
+    - groupname: "{{ group.name }}"
+      authorized_keys: "{{ group.authorized_keys }}"
+  to:
+    host: "{{ group.host }}"
+    ignore_hostkey: true
+    private_key: "{{ group.private_key }}"
+- from:
+    - groupname: "{{ group.name }}"
+  to:
+    host: "{{ group.host }}"
+    ignore_hostkey: true
+{% else %}
+- from:
+    - username: ".*" # catch all
+      username_regex_match: true
+      authorized_keys: "{{ group.authorized_keys }}"
+  to:
+    host: "{{ group.host }}"
+    ignore_hostkey: true
+    private_key: "{{ group.private_key }}"
+{% endif %}
+{% endfor %}