From 6aa50cbc290d06c000e59d51c29c8b4652b823f9 Mon Sep 17 00:00:00 2001
From: Christian Berendt
Date: Mon, 9 Oct 2023 13:08:45 +0200
Subject: [PATCH] manager: do not use the private key for operator play when a password should be used (#367)

Signed-off-by: Christian Berendt
---
 environments/manager/run.sh | 32 +++++++++++++++----
 ...orce-use-of-password-0e13e16fe99251b1.yaml | 5 +++
 2 files changed, 30 insertions(+), 7 deletions(-)
 create mode 100644 releasenotes/notes/manager-enforce-use-of-password-0e13e16fe99251b1.yaml

diff --git a/environments/manager/run.sh b/environments/manager/run.sh
index 1324ecb..cbc2098 100755
--- a/environments/manager/run.sh
+++ b/environments/manager/run.sh
@@ -50,7 +50,6 @@ if [[ $INSTALL_ANSIBLE_ROLES == "true" ]]; then
 fi
 
 if [[ ! -e id_rsa.operator ]]; then
-
 ansible-playbook \
 -i localhost, \
 -e @../secrets.yml \
@@ -59,7 +58,6 @@ if [[ ! -e id_rsa.operator ]]; then
 fi
 
 if [[ $playbook == "k8s" || $playbook == "netbox" || $playbook == "traefik" ]]; then
-
 ansible-playbook \
 --private-key id_rsa.operator \
 -i hosts \
@@ -74,9 +72,32 @@ if [[ $playbook == "k8s" || $playbook == "netbox" || $playbook == "traefik" ]];
 -e @secrets.yml \
 -u "$ANSIBLE_USER" \
 osism.manager."$playbook" "$@"
-
+elif [[ $playbook == "operator" ]]; then
+ if [[ $ANSIBLE_ASK_PASS == "True" ]]; then
+ ansible-playbook \
+ -i hosts \
+ -e @../images.yml \
+ -e @../configuration.yml \
+ -e @../secrets.yml \
+ -e @images.yml \
+ -e @configuration.yml \
+ -e @secrets.yml \
+ -u "$ANSIBLE_USER" \
+ osism.manager."$playbook" "$@"
+ else
+ ansible-playbook \
+ --private-key id_rsa.operator \
+ -i hosts \
+ -e @../images.yml \
+ -e @../configuration.yml \
+ -e @../secrets.yml \
+ -e @images.yml \
+ -e @configuration.yml \
+ -e @secrets.yml \
+ -u "$ANSIBLE_USER" \
+ osism.manager."$playbook" "$@"
+ fi
 else
-
 ansible-playbook \
 --private-key id_rsa.operator \
 -i hosts \
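Review bot: The new `elif [[ $playbook == "operator" ]]` branch tests `$ANSIBLE_ASK_PASS == "True"` with an exact, case-sensitive match, while the rest of the script compares its flags against lower-case `"true"` (`INSTALL_ANSIBLE_ROLES` in the first hunk, `CLEANUP` in the later one), so a value such as `true` or `yes` silently falls through to the key-based call and then fails against a host that only accepts the password. Neither sub-branch passes `--ask-pass`, so the password prompt presumably relies on `ANSIBLE_ASK_PASS` being exported to ansible-playbook rather than merely set in the shell — worth making explicit in the password path. The two invocations differ only in `--private-key id_rsa.operator`, so the choice can be folded into an array and a single call, which keeps the two option lists from drifting apart over time; the `else` branch that follows continues outside the hunk.
```shell
elif [[ $playbook == "operator" ]]; then
    # The operator play is the one that may have to log in with a password
    # (the generated key is not on the host yet); only then is the private key
    # left out. Accept the usual boolean spellings, not only the exact "True";
    # ":-" keeps the test safe if the variable is unset.
    if [[ ${ANSIBLE_ASK_PASS:-} =~ ^([Tt]rue|[Yy]es|1)$ ]]; then
        auth_args=(--ask-pass)
    else
        auth_args=(--private-key id_rsa.operator)
    fi
    ansible-playbook \
        "${auth_args[@]}" \
        -i hosts \
        -e @../images.yml -e @../configuration.yml -e @../secrets.yml \
        -e @images.yml -e @configuration.yml -e @secrets.yml \
        -u "$ANSIBLE_USER" \
        osism.manager."$playbook" "$@"
else
```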
@@ -88,12 +109,9 @@ else
 -e @secrets.yml \
 -u "$ANSIBLE_USER" \
 osism.manager."$playbook" "$@"
-
 fi
 
 if [[ $CLEANUP == "true" ]]; then
-
 rm id_rsa.operator
 rm -rf "$VENV_PATH"
-
 fi
diff --git a/releasenotes/notes/manager-enforce-use-of-password-0e13e16fe99251b1.yaml b/releasenotes/notes/manager-enforce-use-of-password-0e13e16fe99251b1.yaml
new file mode 100644
index 0000000..3752918
--- /dev/null
+++ b/releasenotes/notes/manager-enforce-use-of-password-0e13e16fe99251b1.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ In the `run.sh` script of the manager environment it is now ensured that the private key is
+ not used when a password is used to create the operator user.