From 11677d6177900334275890bc6a80b51dcd20113e Mon Sep 17 00:00:00 2001
From: Teoman ONAY
Date: Mon, 7 Feb 2022 14:23:49 +0100
Subject: [PATCH] Enable user to change the account used for ssh connection

By default cephadm uses root account to connect remotely to other nodes in the cluster. This change allows to choose another account. This commit also allows to use a dedicated subnet for cephadm mgmt.

Signed-off-by: Teoman ONAY
(cherry picked from commit da42f3d139e595d09edfb30334fbc7ce17ffa3fe)
(cherry picked from commit c3ce6fc41ad146c118916d3f0e5819f3519f4f65)
---
 group_vars/all.yml.sample                  |  5 ++
 group_vars/rhcs.yml.sample                 |  5 ++
 infrastructure-playbooks/cephadm-adopt.yml | 54 ++++++++++++++++++----
 roles/ceph-defaults/defaults/main.yml      |  5 ++
 4 files changed, 61 insertions(+), 8 deletions(-)

diff --git a/group_vars/all.yml.sample b/group_vars/all.yml.sample
index da518f57d..e3a1950cc 100644
--- a/group_vars/all.yml.sample
+++ b/group_vars/all.yml.sample
@@ -74,6 +74,11 @@ dummy:
 #ceph_dashboard_firewall_zone: public
 #ceph_rgwloadbalancer_firewall_zone: public
 
+# cephadm account for remote connections
+#cephadm_ssh_user: root
+#cephadm_ssh_priv_key_path: "/home/{{ cephadm_ssh_user }}/.ssh/id_rsa"
+#cephadm_ssh_pub_key_path: "{{ cephadm_ssh_priv_key_path }}.pub"
+#cephadm_mgmt_network: "{{ public_network }}"
 
 ############
 # PACKAGES #
diff --git a/group_vars/rhcs.yml.sample b/group_vars/rhcs.yml.sample
index ff4953e02..febf4133e 100644
--- a/group_vars/rhcs.yml.sample
+++ b/group_vars/rhcs.yml.sample
@@ -74,6 +74,11 @@ dummy:
 #ceph_dashboard_firewall_zone: public
 #ceph_rgwloadbalancer_firewall_zone: public
 
+# cephadm account for remote connections
+#cephadm_ssh_user: root
+#cephadm_ssh_priv_key_path: "/home/{{ cephadm_ssh_user }}/.ssh/id_rsa"
+#cephadm_ssh_pub_key_path: "{{ cephadm_ssh_priv_key_path }}.pub"
+#cephadm_mgmt_network: "{{ public_network }}"
 
 ############
 # PACKAGES #
diff --git a/infrastructure-playbooks/cephadm-adopt.yml b/infrastructure-playbooks/cephadm-adopt.yml
index 24ed0632d..1a2973160 100644
--- a/infrastructure-playbooks/cephadm-adopt.yml
+++ b/infrastructure-playbooks/cephadm-adopt.yml
@@ -249,12 +249,50 @@
       run_once: true
       delegate_to: '{{ groups[mon_group_name][0] }}'
 
-    - name: generate cephadm ssh key
-      command: "{{ ceph_cmd }} cephadm generate-key"
+    - name: check if there is an existing ssh keypair
+      stat:
+        path: "{{ item }}"
+      loop:
+        - "{{ cephadm_ssh_priv_key_path }}"
+        - "{{ cephadm_ssh_pub_key_path }}"
+      register: ssh_keys
       changed_when: false
       run_once: true
       delegate_to: '{{ groups[mon_group_name][0] }}'
 
+    - name: set fact
+      set_fact:
+        stat_ssh_key_pair: "{{ ssh_keys.results | map(attribute='stat.exists') | list }}"
+
+    - name: fail if either ssh public or private key is missing
+      fail:
+        msg: "One part of the ssh keypair of user {{ cephadm_ssh_user }} is missing"
+      when:
+        - false in stat_ssh_key_pair
+        - true in stat_ssh_key_pair
+
+    - name: generate cephadm ssh key if there is none
+      command: "{{ ceph_cmd }} cephadm generate-key"
+      when: not true in stat_ssh_key_pair
+      changed_when: false
+      run_once: true
+      delegate_to: '{{ groups[mon_group_name][0] }}'
+
+    - name: use existing user keypair for remote connections
+      when: not false in stat_ssh_key_pair
+      delegate_to: "{{ groups[mon_group_name][0] }}"
+      run_once: true
+      command: >
+        {{ container_binary + ' run --rm --net=host --security-opt label=disable
+        -v /etc/ceph:/etc/ceph:z
+        -v /var/lib/ceph:/var/lib/ceph:ro
+        -v /var/run/ceph:/var/run/ceph:z
+        -v ' + item.1 + ':/etc/ceph/cephadm.' + item.0 + ':ro --entrypoint=ceph '+ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment | bool else 'ceph' }}
+        --cluster {{ cluster }} config-key set mgr/cephadm/ssh_identity_{{ item.0 }} -i /etc/ceph/cephadm.{{ item.0 }}
+      with_together:
+        - [ 'pub', 'key' ]
+        - [ '{{ cephadm_ssh_pub_key_path }}', '{{ cephadm_ssh_priv_key_path }}' ]
+
     - name: get the cephadm ssh pub key
       command: "{{ ceph_cmd }} cephadm get-pub-key"
       changed_when: false
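Review bot: In the `use existing user keypair for remote connections` task the non-containerized branch still passes `-i /etc/ceph/cephadm.{{ item.0 }}`, but that path only exists as the bind mount created in the container branch of the same expression, so on a bare-metal deployment `config-key set` is pointed at a file nothing created; the input path should follow the same condition, e.g. `-i {{ '/etc/ceph/cephadm.' + item.0 if containerized_deployment | bool else item.1 }}`. The task also copies the private half of whatever sits at `cephadm_ssh_priv_key_path` into the monitor config-key store, where any principal with mon admin access can read it back with `ceph config-key get mgr/cephadm/ssh_identity_key`; a comment above the task should say so and recommend a key dedicated to cephadm rather than the account's general-purpose `id_rsa`. The cephadm mgr module also exposes `ceph cephadm set-priv-key -i` / `set-pub-key -i` for exactly this purpose; if those exist in the target release they would be the safer interface, since they let the running module reload its ssh identity, which a raw `config-key set` may not trigger — worth confirming before relying on the raw write. The enclosing task list continues outside the hunk.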
@@ -262,13 +300,13 @@
       register: cephadm_pubpkey
       delegate_to: '{{ groups[mon_group_name][0] }}'
 
-    - name: allow cephadm key for {{ cephadm_ssh_user | default('root') }} account
+    - name: allow cephadm key for {{ cephadm_ssh_user }} account
       authorized_key:
-        user: "{{ cephadm_ssh_user | default('root') }}"
+        user: "{{ cephadm_ssh_user }}"
         key: '{{ cephadm_pubpkey.stdout }}'
 
-    - name: set cephadm ssh user to {{ cephadm_ssh_user | default('root') }}
-      command: "{{ ceph_cmd }} cephadm set-user {{ cephadm_ssh_user | default('root') }}"
+    - name: set cephadm ssh user to {{ cephadm_ssh_user }}
+      command: "{{ ceph_cmd }} cephadm set-user {{ cephadm_ssh_user }}"
       changed_when: false
       run_once: true
       delegate_to: "{{ groups[mon_group_name][0] }}"
@@ -323,13 +361,13 @@
       when: is_hci | bool
 
     - name: manage nodes with cephadm - ipv4
-      command: "{{ ceph_cmd }} orch host add {{ ansible_facts['nodename'] }} {{ ansible_facts['all_ipv4_addresses'] | ips_in_ranges(public_network.split(',')) | first }} {{ group_names | join(' ') }}"
+      command: "{{ ceph_cmd }} orch host add {{ ansible_facts['nodename'] }} {{ ansible_facts['all_ipv4_addresses'] | ips_in_ranges(cephadm_mgmt_network.split(',')) | first }} {{ group_names | join(' ') }}"
       changed_when: false
       delegate_to: '{{ groups[mon_group_name][0] }}'
       when: ip_version == 'ipv4'
 
     - name: manage nodes with cephadm - ipv6
-      command: "{{ ceph_cmd }} orch host add {{ ansible_facts['nodename'] }} {{ ansible_facts['all_ipv6_addresses'] | ips_in_ranges(public_network.split(',')) | last | ipwrap }} {{ group_names | join(' ') }}"
+      command: "{{ ceph_cmd }} orch host add {{ ansible_facts['nodename'] }} {{ ansible_facts['all_ipv6_addresses'] | ips_in_ranges(cephadm_mgmt_network.split(',')) | last | ipwrap }} {{ group_names | join(' ') }}"
       changed_when: false
       delegate_to: '{{ groups[mon_group_name][0] }}'
       when: ip_version == 'ipv6'
diff --git a/roles/ceph-defaults/defaults/main.yml b/roles/ceph-defaults/defaults/main.yml
index 23770f3a1..7ebc0c613 100644
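Review bot: `cephadm set-user {{ cephadm_ssh_user }}` now accepts any account, but nothing in the change verifies that a non-root `cephadm_ssh_user` can escalate without a password on every host, which cephadm needs for the `orch host add` calls in the following hunk (the cephadm documentation requires passwordless sudo for a non-root ssh user, so a misconfigured account would only fail there, after the mgr key has already been authorized). A preflight task on each host, e.g. `command: sudo -n true` run with `become_user: "{{ cephadm_ssh_user }}"` and guarded by `when: cephadm_ssh_user != 'root'`, or at least a comment above this task stating the requirement, would make that failure mode explicit. The `authorized_key` task also installs the mgr's public key into that account on every host, so the chosen account effectively becomes cluster-wide root; that is worth a sentence in a comment so operators do not pick a shared or interactive login for it.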
--- a/roles/ceph-defaults/defaults/main.yml
+++ b/roles/ceph-defaults/defaults/main.yml
@@ -66,6 +66,11 @@ ceph_iscsi_firewall_zone: public
 ceph_dashboard_firewall_zone: public
 ceph_rgwloadbalancer_firewall_zone: public
 
+# cephadm account for remote connections
+cephadm_ssh_user: root
+cephadm_ssh_priv_key_path: "/home/{{ cephadm_ssh_user }}/.ssh/id_rsa"
+cephadm_ssh_pub_key_path: "{{ cephadm_ssh_priv_key_path }}.pub"
+cephadm_mgmt_network: "{{ public_network }}"
 
 ############
 # PACKAGES #
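Review bot: `cephadm_ssh_priv_key_path` defaults to `/home/{{ cephadm_ssh_user }}/.ssh/id_rsa`, which with the default `cephadm_ssh_user: root` resolves to `/home/root/.ssh/id_rsa` rather than `/root/.ssh/id_rsa`, so with stock settings an existing root key is never detected and a fresh one is generated; the same silent miss happens for any account whose home is not under `/home` or whose key is not RSA. If the intent is to reuse the account's key, derive the home directory (for example from `getent passwd`) instead of assuming `/home`, or at least say so in the comment, e.g. `# Optional existing keypair to reuse; its private half is copied into the cluster config-key store, so prefer a key dedicated to cephadm. Adjust the path for root (/root) or accounts not under /home.`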