maint: initial commit
This commit is contained in:
7
Dockerfile
Normal file
7
Dockerfile
Normal file
@@ -0,0 +1,7 @@
|
|||||||
|
FROM alpine:3.22
|
||||||
|
RUN apk update && \
|
||||||
|
apk add bash py3-pip step-cli && \
|
||||||
|
pip3 install ansible
|
||||||
|
|
||||||
|
COPY entrypoint.sh /entrypoint.sh
|
||||||
|
ENTRYPOINT ["/entrypoint.sh"]
|
||||||
2
README.md
Normal file
2
README.md
Normal file
@@ -0,0 +1,2 @@
|
|||||||
|
# KraussNet Ansible Runner Action
|
||||||
|
Runs Ansible playbooks on KraussNet hosts utilizing SSH certificates provisioned by the KraussNet PKI.
|
||||||
56
action.yml
Normal file
56
action.yml
Normal file
@@ -0,0 +1,56 @@
|
|||||||
|
name: Run Ansible Playbook on KraussNet Servers
|
||||||
|
description: Runs an Ansible playbook using KraussNet PKI for SSH access
|
||||||
|
inputs:
|
||||||
|
pki_ca_url:
|
||||||
|
description: The PKI certificate authority base URL
|
||||||
|
required: true
|
||||||
|
pki_fingerprint:
|
||||||
|
description: The PKI certificate authority fingerprint
|
||||||
|
required: true
|
||||||
|
pki_key_subject:
|
||||||
|
description: The subject of the SSH certificate
|
||||||
|
required: false
|
||||||
|
pki_provisioner_name:
|
||||||
|
description: The PKI provisioner name (defaults to "ansible")
|
||||||
|
required: false
|
||||||
|
pki_provisioner_password:
|
||||||
|
description: The PKI provisioner password
|
||||||
|
required: true
|
||||||
|
playbook:
|
||||||
|
description: Ansible playbook filepath
|
||||||
|
required: true
|
||||||
|
inventory:
|
||||||
|
description: Ansible inventory filepath
|
||||||
|
required: true
|
||||||
|
requirements:
|
||||||
|
description: Ansible Galaxy requirements filepath
|
||||||
|
required: false
|
||||||
|
directory:
|
||||||
|
description: Root directory of Ansible project (defaults to current)
|
||||||
|
required: false
|
||||||
|
configuration:
|
||||||
|
description: Ansible configuration file content (ansible.cfg)
|
||||||
|
required: false
|
||||||
|
vault_password:
|
||||||
|
description: The password used for decrypting vaulted files
|
||||||
|
required: false
|
||||||
|
private_key:
|
||||||
|
description: SSH private key used to connect to the host
|
||||||
|
required: false
|
||||||
|
known_hosts:
|
||||||
|
description: Contents of SSH known_hosts file
|
||||||
|
required: false
|
||||||
|
options:
|
||||||
|
description: Extra options that should be passed to ansible-playbook command
|
||||||
|
required: false
|
||||||
|
become:
|
||||||
|
description: Set to "true" if root is required for running your playbook
|
||||||
|
required: false
|
||||||
|
default: false
|
||||||
|
check_mode:
|
||||||
|
description: Set to "true" to enable check (dry-run) mode
|
||||||
|
required: false
|
||||||
|
default: false
|
||||||
|
runs:
|
||||||
|
using: docker
|
||||||
|
image: Dockerfile
|
||||||
57
entrypoint.sh
Normal file
57
entrypoint.sh
Normal file
@@ -0,0 +1,57 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
#
|
||||||
|
# KraussNet Ansible Playbook Runner Action Entrypoint
|
||||||
|
|
||||||
|
set -euo pipefail
|
||||||
|
|
||||||
|
if [ -z "${INPUT_PKI_CA_URL:-}" ] ; then
|
||||||
|
echo "Missing required input parameter 'pki_ca_url'"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
if [ -z "${INPUT_PKI_FINGERPRINT:-}" ] ; then
|
||||||
|
echo "Missing required input parameter 'pki_fingerprint'"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
if [ -z "${INPUT_PKI_PROVISIONER_PASSWORD:-}" ] ; then
|
||||||
|
echo "Missing required input parameter 'pki_provisioner_password'"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
if [ -z "${INPUT_PLAYBOOK:-}" ] ; then
|
||||||
|
echo "Missing required input parameter 'playbook'"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
if [ -z "${INPUT_INVENTORY:-}" ] ; then
|
||||||
|
echo "Missing required input parameter 'inventory'"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Setup Variables
|
||||||
|
provisioner_name=${INPUT_PKI_PROVISIONER_NAME:-"ansible"}
|
||||||
|
provisioner_password=${INPUT_PKI_PROVISIONER_PASSWORD}
|
||||||
|
default_cert_subject="ansible-kraussnet-action-runner@$(hostname -f)"
|
||||||
|
user_cert_subject=${INPUT_SUBJECT:-"$default_cert_subject"}
|
||||||
|
|
||||||
|
# Bootstrap the PKI Certificate Authority
|
||||||
|
step ca bootstrap \
|
||||||
|
--ca-url "${INPUT_PKI_CA_URL}" \
|
||||||
|
--fingerprint "${INPUT_PKI_FINGERPRINT}"
|
||||||
|
echo "Bootstrapped PKI at ${INPUT_PKI_CA_URL}"
|
||||||
|
|
||||||
|
# Obtain the Host Certificate
|
||||||
|
[ ! -d ~/.ssh ] && mkdir ~/.ssh
|
||||||
|
echo "@cert-authority *.kraussnet.com $(step ssh config --host --roots)" > ~/.ssh/known_hosts
|
||||||
|
echo "Obtained SSH Host Certificate Authority"
|
||||||
|
|
||||||
|
# Obtain a User Certificate for Ansible
|
||||||
|
token=$(step ca token "${user_cert_subject}" --ssh --provisioner "${provisioner_name}" --provisioner-password-file <(printf "${provisioner_password}"))
|
||||||
|
echo "Obtained User Token from CA"
|
||||||
|
echo $token | step crypto jwt inspect --insecure
|
||||||
|
|
||||||
|
[ ! -f ~/.ssh/id_ecdsa ] && ssh-keygen -t ecdsa -f ~/.ssh/id_ecdsa -N ''
|
||||||
|
[ -f ~/.ssh/id_ecdsa-cert.pub ] && rm ~/.ssh/id_ecdsa-cert.pub
|
||||||
|
step ssh certificate "${user_cert_subject}" ~/.ssh/id_ecdsa.pub --sign --provisioner "${provisioner_name}" --token $token
|
||||||
|
echo "Obtained User Certificate from CA"
|
||||||
|
ssh-keygen -L -f ~/.ssh/id_ecdsa-cert.pub
|
||||||
|
|
||||||
|
# Run a test command (will be replaced with the Ansible command)
|
||||||
|
ssh ansible@rpi-ns1.lan.kraussnet.com 'echo "Hello from $(hostname -f)"'
|
||||||
Reference in New Issue
Block a user