From f23f45791b9370fba9b03ccb2a01723d2dc848cb Mon Sep 17 00:00:00 2001
From: Eesaan Atluri <atlurie@uab.edu>
Date: Wed, 27 Nov 2024 07:04:57 -0500
Subject: [PATCH 1/8] feat: Add runtime config for ssh proxy

This will override the defaults defined during the build
---
 ansible/proxy.yml                               |  6 ++++++
 ansible/roles/ssh_proxy_config/tasks/main.yml   | 13 +++++++++++++
 .../templates/sshpiperd.yaml.j2                 | 17 +++++++++++++++++
 3 files changed, 36 insertions(+)
 create mode 100644 ansible/proxy.yml
 create mode 100644 ansible/roles/ssh_proxy_config/tasks/main.yml
 create mode 100644 ansible/roles/ssh_proxy_config/templates/sshpiperd.yaml.j2

diff --git a/ansible/proxy.yml b/ansible/proxy.yml
new file mode 100644
index 0000000..c0173d1
--- /dev/null
+++ b/ansible/proxy.yml
@@ -0,0 +1,6 @@
+---
+- name: Define proxy config for deploys
+  hosts: all
+  become: true
+  roles:
+    - { name: 'ssh_proxy_config', tags: 'ssh_proxy_config' }
diff --git a/ansible/roles/ssh_proxy_config/tasks/main.yml b/ansible/roles/ssh_proxy_config/tasks/main.yml
new file mode 100644
index 0000000..b64f6e3
--- /dev/null
+++ b/ansible/roles/ssh_proxy_config/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+- name: Configure sshpiper yaml plugin
+  ansible.builtin.template:
+    src: sshpiperd.yaml.j2
+    dest: "{{ sshpiper_dest_dir }}/sshpiperd.yaml"
+    backup: true
+
+- name: Enable and start sshpiper service
+  ansible.builtin.service:
+    name: sshpiperd
+    enabled: true
+    state: started
+
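Review bot: The template task writes the rendered sshpiperd.yaml without `owner`, `group` or `mode`, so the file's permissions are whatever the connection's umask yields on first creation; a config that maps usernames to per-user private-key paths is worth pinning, e.g. `mode: "0640"` plus `owner`/`group` set to the account sshpiperd runs as (`<SSHPIPER_USER>` as a placeholder until confirmed). `backup: true` leaves timestamped copies of the previous config beside the live one, which is only harmless if the plugin is pointed at this single file rather than at the directory — worth confirming against the service unit. `sshpiper_dest_dir` is not defined anywhere in this commit (it appears in PATCH 8/8 of the series), so intermediate states of the branch fail with an undefined variable on the `dest` line.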
diff --git a/ansible/roles/ssh_proxy_config/templates/sshpiperd.yaml.j2 b/ansible/roles/ssh_proxy_config/templates/sshpiperd.yaml.j2
new file mode 100644
index 0000000..0060a97
--- /dev/null
+++ b/ansible/roles/ssh_proxy_config/templates/sshpiperd.yaml.j2
@@ -0,0 +1,17 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/tg123/sshpiper/master/plugin/yaml/schema.json
+version: "1.0"
+pipes:
+{% for group in target_groups %}
+- from:
+    - groupname: "{{group.name}}"
+      authorized_keys: {{ group.authorized_keys }}
+  to:
+    host: {{ group.host }}
+    ignore_hostkey: true
+    private_key: {{ group.private_key }}
+- from:
+    - groupname: "{{group.name}}"
+  to:
+    host: {{ group.host }}
+    ignore_hostkey: true
+{% endfor %}
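Review bot: Every `to:` block sets `ignore_hostkey: true`, so the proxy accepts any host key presented by the upstream login node and the proxy-to-upstream hop has no server authentication at all; the safer shape is `ignore_hostkey: false` together with the plugin's `known_hosts` (or `known_hosts_data`) field pointing at a pinned known_hosts file, if the deployed sshpiper version supports those fields. The second pipe per group (the `from` carrying only `groupname`, with no `authorized_keys` or `private_key`) is not explained anywhere; a Jinja comment such as `{# second pipe: same group without key mapping — document the intended auth path #}` would tell the next maintainer what it is for, since its effect is not visible from this hunk. The catch-all and quoting changes in later patches do not touch this point.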
-- 
GitLab


From 5a1edcdd2fd9f80f82b98dc099664323b5adc48d Mon Sep 17 00:00:00 2001
From: Eesaan Atluri <atlurie@uab.edu>
Date: Wed, 27 Nov 2024 11:52:58 -0500
Subject: [PATCH 2/8] feat: Add default case in sshpiper template

---
 .../templates/sshpiperd.yaml.j2               | 23 ++++++++++++++-----
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/ansible/roles/ssh_proxy_config/templates/sshpiperd.yaml.j2 b/ansible/roles/ssh_proxy_config/templates/sshpiperd.yaml.j2
index 0060a97..4597108 100644
--- a/ansible/roles/ssh_proxy_config/templates/sshpiperd.yaml.j2
+++ b/ansible/roles/ssh_proxy_config/templates/sshpiperd.yaml.j2
@@ -2,16 +2,27 @@
 version: "1.0"
 pipes:
 {% for group in target_groups %}
+{% if not group.default %}
 - from:
-    - groupname: "{{group.name}}"
-      authorized_keys: {{ group.authorized_keys }}
+    - groupname: "{{ group.name }}"
+      authorized_keys: "{{ group.authorized_keys }}"
   to:
-    host: {{ group.host }}
+    host: "{{ group.host }}"
     ignore_hostkey: true
-    private_key: {{ group.private_key }}
+    private_key: "{{ group.private_key }}"
 - from:
-    - groupname: "{{group.name}}"
+    - groupname: "{{ group.name }}"
   to:
-    host: {{ group.host }}
+    host: "{{ group.host }}"
     ignore_hostkey: true
+{% else %}
+- from:
+    - username: ".*" # catch all
+      username_regex_match: true
+      authorized_keys: "{{ group.authorized_keys }}"
+  to:
+    host: "{{ group.host }}"
+    ignore_hostkey: true
+    private_key: "{{ group.private_key }}"
+{% endif %}
 {% endfor %}
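Review bot: The catch-all pipe (`username: ".*"`) is emitted wherever the default group happens to sit inside `target_groups`, so if pipes are matched in list order — which the plugin's schema suggests but the hunk cannot confirm — any group listed after the default one is shadowed and never reached; the template should emit the named-group pipes first and the catch-all last regardless of input order. `{% if not group.default %}` will also raise on a group that omits the `default` key under Ansible's strict undefined handling, so `group.default | default(false)` is the safer test. Both are fixed by replacing the single loop with two filtered loops: `{% for group in target_groups if not (group.default | default(false)) %}` around the two named pipes, then `{% for group in target_groups if group.default | default(false) %}` around the catch-all, each closed by its own `{% endfor %}`. If more than one group is marked default this still emits several catch-alls of which only the first can match, which deserves a comment or an `assert` upstream.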
-- 
GitLab


From 9af20f969e3680adb5a1bfd935222bdf43b37f9e Mon Sep 17 00:00:00 2001
From: Eesaan Atluri <atlurie@uab.edu>
Date: Wed, 27 Nov 2024 11:56:07 -0500
Subject: [PATCH 3/8] feat: Change the order of the vars for the template

---
 ansible/group_vars/prod | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/ansible/group_vars/prod b/ansible/group_vars/prod
index 7c7964e..5c694d2 100644
--- a/ansible/group_vars/prod
+++ b/ansible/group_vars/prod
@@ -17,3 +17,8 @@
   bright_openldap_path: "/cm/local/apps/openldap"
   ldap_cert_path: "{{bright_openldap_path}}/etc/certs"
   ldap_uri: "ldaps://ldapserver"
+
+  # proxy_config
+  target_groups:
+    - {"name": "gpfs5", "host": "login002", "default": False, "authorized_keys":"/gpfs5/data/user/home/$DOWNSTREAM_USER/.ssh/authorized_keys", "private_key":"/gpfs5/data/user/home/$DOWNSTREAM_USER/.ssh/id_ecdsa"}
+    - {"name": "gpfs4", "host": "login001", "default": True, "authorized_keys":"/gpfs4/data/user/home/$DOWNSTREAM_USER/.ssh/authorized_keys", "private_key":"/gpfs4/data/user/home/$DOWNSTREAM_USER/.ssh/id_ecdsa"}
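Review bot: The two `target_groups` entries are flow mappings on roughly 200-character lines using Python-style `False`/`True`; PyYAML accepts those under YAML 1.1, but `true`/`false` are the canonical spelling, and block style makes a single-field diff reviewable and lets each group carry a comment. The `default` key also deserves a comment stating that exactly one group should set it, because the template turns that group into a catch-all for every username. `$DOWNSTREAM_USER` is presumably meant for sshpiper to expand at runtime — neither YAML double quotes nor Jinja touch it — so the quoting is correct and a comment saying so stops someone from "fixing" it into an Ansible variable.
```yaml
  # proxy_config
  # Exactly one entry should set default: true; it becomes the catch-all pipe.
  # $DOWNSTREAM_USER is presumably expanded by sshpiper at runtime (confirm), not by Ansible.
  target_groups:
    - name: gpfs5
      host: login002
      default: false
      authorized_keys: "/gpfs5/data/user/home/$DOWNSTREAM_USER/.ssh/authorized_keys"
      private_key: "/gpfs5/data/user/home/$DOWNSTREAM_USER/.ssh/id_ecdsa"
    - name: gpfs4
      host: login001
      default: true
      authorized_keys: "/gpfs4/data/user/home/$DOWNSTREAM_USER/.ssh/authorized_keys"
      private_key: "/gpfs4/data/user/home/$DOWNSTREAM_USER/.ssh/id_ecdsa"
```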
-- 
GitLab


From ab146f844d7cab36a3ccb0501dbf0c9c0deb7adf Mon Sep 17 00:00:00 2001
From: Eesaan Atluri <atlurie@uab.edu>
Date: Wed, 27 Nov 2024 11:57:57 -0500
Subject: [PATCH 4/8] feat: Restart the sshpiperd after config change

---
 ansible/roles/ssh_proxy_config/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ansible/roles/ssh_proxy_config/tasks/main.yml b/ansible/roles/ssh_proxy_config/tasks/main.yml
index b64f6e3..d3ec3bd 100644
--- a/ansible/roles/ssh_proxy_config/tasks/main.yml
+++ b/ansible/roles/ssh_proxy_config/tasks/main.yml
@@ -9,5 +9,5 @@
   ansible.builtin.service:
     name: sshpiperd
     enabled: true
-    state: started
+    state: restarted
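Review bot: `state: restarted` in an ordinary task restarts sshpiperd on every play run, including runs where the template produced no change, so the role is never idempotent and each deploy likely interrupts live proxied sessions. The usual shape is to keep `state: started` here, add `notify: Restart sshpiperd` to the template task, and put a handler with `state: restarted` in the role's `handlers/main.yml`, so the restart only follows an actual config change. The service task's `- name:` line and the template task both lie above this hunk.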
 
-- 
GitLab


From 2abd3c9dbcac51f53e5bb06830cf4332a412f439 Mon Sep 17 00:00:00 2001
From: Eesaan Atluri <atlurie@uab.edu>
Date: Wed, 27 Nov 2024 12:45:37 -0500
Subject: [PATCH 5/8] feat: Add role to override sshpiper config from build

---
 ansible/cluster.yml     | 1 +
 ansible/group_vars/prod | 1 +
 ansible/proxy.yml       | 6 ------
 3 files changed, 2 insertions(+), 6 deletions(-)
 delete mode 100644 ansible/proxy.yml

diff --git a/ansible/cluster.yml b/ansible/cluster.yml
index 609d2fa..a84fec6 100644
--- a/ansible/cluster.yml
+++ b/ansible/cluster.yml
@@ -8,3 +8,4 @@
     - { name: 'ldap_config', tags: 'ldap_config' }
     - { name: 'slurm_client', tags: 'slurm_client', when: enable_slurm_client }
     - { name: 'ssh_host_keys', tags: 'ssh_host_keys' }
+    - { name: 'ssh_proxy_config', tags: 'ssh_proxy_config', when: enable_ssh_proxy_config }
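Review bot: `when: enable_ssh_proxy_config` tests the bare variable; when the flag is overridden from the command line (`-e enable_ssh_proxy_config=false`) it arrives as a string, and the commonly recommended form for such flags is `when: enable_ssh_proxy_config | bool`. At this point in the series the flag is defined only in group_vars/prod, so hosts in any other group fail on an undefined variable until PATCH 7/8 moves it to group_vars/all; `when: enable_ssh_proxy_config | default(false) | bool` would make this role entry safe on its own regardless of where the default lives.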
diff --git a/ansible/group_vars/prod b/ansible/group_vars/prod
index 5c694d2..b08e50f 100644
--- a/ansible/group_vars/prod
+++ b/ansible/group_vars/prod
@@ -19,6 +19,7 @@
   ldap_uri: "ldaps://ldapserver"
 
   # proxy_config
+  enable_ssh_proxy_config: true
   target_groups:
     - {"name": "gpfs5", "host": "login002", "default": False, "authorized_keys":"/gpfs5/data/user/home/$DOWNSTREAM_USER/.ssh/authorized_keys", "private_key":"/gpfs5/data/user/home/$DOWNSTREAM_USER/.ssh/id_ecdsa"}
     - {"name": "gpfs4", "host": "login001", "default": True, "authorized_keys":"/gpfs4/data/user/home/$DOWNSTREAM_USER/.ssh/authorized_keys", "private_key":"/gpfs4/data/user/home/$DOWNSTREAM_USER/.ssh/id_ecdsa"}
diff --git a/ansible/proxy.yml b/ansible/proxy.yml
deleted file mode 100644
index c0173d1..0000000
--- a/ansible/proxy.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: Define proxy config for deploys
-  hosts: all
-  become: true
-  roles:
-    - { name: 'ssh_proxy_config', tags: 'ssh_proxy_config' }
-- 
GitLab


From 9b65897545ee74643cf9b7f0711080ddf3c7480f Mon Sep 17 00:00:00 2001
From: Eesaan Atluri <atlurie@uab.edu>
Date: Wed, 27 Nov 2024 12:47:57 -0500
Subject: [PATCH 6/8] feat: Change the flag to default to false

---
 ansible/group_vars/prod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ansible/group_vars/prod b/ansible/group_vars/prod
index b08e50f..05bc829 100644
--- a/ansible/group_vars/prod
+++ b/ansible/group_vars/prod
@@ -19,7 +19,7 @@
   ldap_uri: "ldaps://ldapserver"
 
   # proxy_config
-  enable_ssh_proxy_config: true
+  enable_ssh_proxy_config: false 
   target_groups:
     - {"name": "gpfs5", "host": "login002", "default": False, "authorized_keys":"/gpfs5/data/user/home/$DOWNSTREAM_USER/.ssh/authorized_keys", "private_key":"/gpfs5/data/user/home/$DOWNSTREAM_USER/.ssh/id_ecdsa"}
     - {"name": "gpfs4", "host": "login001", "default": True, "authorized_keys":"/gpfs4/data/user/home/$DOWNSTREAM_USER/.ssh/authorized_keys", "private_key":"/gpfs4/data/user/home/$DOWNSTREAM_USER/.ssh/id_ecdsa"}
-- 
GitLab


From 8ab053e73140b22913df7e0b045f8961c0201880 Mon Sep 17 00:00:00 2001
From: Eesaan Atluri <atlurie@uab.edu>
Date: Wed, 27 Nov 2024 12:55:47 -0500
Subject: [PATCH 7/8] feat: Move the flag to group_vars/all

---
 ansible/group_vars/all  | 3 +++
 ansible/group_vars/prod | 1 -
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/ansible/group_vars/all b/ansible/group_vars/all
index 78a9c64..5d41844 100644
--- a/ansible/group_vars/all
+++ b/ansible/group_vars/all
@@ -42,3 +42,6 @@
 # AWS credentials
   LTS_ACCESS_KEY: ""
   LTS_SECRET_KEY: ""
+
+# ssh proxy
+  enable_ssh_proxy_config: false
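Review bot: `enable_ssh_proxy_config: false` gets only the heading `# ssh proxy`; since setting it to true makes cluster.yml run the `ssh_proxy_config` role, which renders sshpiperd.yaml from `target_groups` and restarts sshpiperd, a one-line comment saying so — and that `target_groups` must be defined for any group that enables it — saves the next reader a trip through cluster.yml and the role. For example `# ssh proxy: when true, the ssh_proxy_config role renders sshpiperd.yaml from target_groups and restarts sshpiperd`.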
diff --git a/ansible/group_vars/prod b/ansible/group_vars/prod
index 05bc829..5c694d2 100644
--- a/ansible/group_vars/prod
+++ b/ansible/group_vars/prod
@@ -19,7 +19,6 @@
   ldap_uri: "ldaps://ldapserver"
 
   # proxy_config
-  enable_ssh_proxy_config: false 
   target_groups:
     - {"name": "gpfs5", "host": "login002", "default": False, "authorized_keys":"/gpfs5/data/user/home/$DOWNSTREAM_USER/.ssh/authorized_keys", "private_key":"/gpfs5/data/user/home/$DOWNSTREAM_USER/.ssh/id_ecdsa"}
     - {"name": "gpfs4", "host": "login001", "default": True, "authorized_keys":"/gpfs4/data/user/home/$DOWNSTREAM_USER/.ssh/authorized_keys", "private_key":"/gpfs4/data/user/home/$DOWNSTREAM_USER/.ssh/id_ecdsa"}
-- 
GitLab


From b7bc7f322013d855ce08e1decb08cf9eb16dd2ea Mon Sep 17 00:00:00 2001
From: Eesaan Atluri <atlurie@uab.edu>
Date: Wed, 27 Nov 2024 13:18:25 -0500
Subject: [PATCH 8/8] feat: Add missing var

---
 ansible/group_vars/all | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ansible/group_vars/all b/ansible/group_vars/all
index 5d41844..2e8fa6c 100644
--- a/ansible/group_vars/all
+++ b/ansible/group_vars/all
@@ -45,3 +45,4 @@
 
 # ssh proxy
   enable_ssh_proxy_config: false
+  sshpiper_dest_dir: "/opt/sshpiper"
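Review bot: `sshpiper_dest_dir` becomes the parent of the template's `dest`, and `ansible.builtin.template` does not create missing parent directories, so the role relies on `/opt/sshpiper` already existing from the image build; if that is not guaranteed, an `ansible.builtin.file` task with `state: directory` and an explicit `mode` ahead of the template task would make the role standalone. A comment here that the path must match where the sshpiperd service unit presumably loads its yaml-plugin config from would also help, since nothing in the role verifies that.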
-- 
GitLab