#!/bin/bash # # KraussNet Ansible Playbook Runner Action Entrypoint set -euo pipefail if [ -z "${INPUT_PKI_CA_URL:-}" ] ; then echo "Missing required input parameter 'pki_ca_url'" exit 1 fi if [ -z "${INPUT_PKI_FINGERPRINT:-}" ] ; then echo "Missing required input parameter 'pki_fingerprint'" exit 1 fi if [ -z "${INPUT_PKI_PROVISIONER_PASSWORD:-}" ] ; then echo "Missing required input parameter 'pki_provisioner_password'" exit 1 fi if [ -z "${INPUT_PLAYBOOK:-}" ] ; then echo "Missing required input parameter 'playbook'" exit 1 fi if [ -z "${INPUT_INVENTORY:-}" ] ; then echo "Missing required input parameter 'inventory'" exit 1 fi # Setup Variables provisioner_name=${INPUT_PKI_PROVISIONER_NAME:-"ansible"} provisioner_password=${INPUT_PKI_PROVISIONER_PASSWORD} default_cert_subject="ansible-kraussnet-action-runner@$(hostname -f)" user_cert_subject=${INPUT_SUBJECT:-"$default_cert_subject"} # Bootstrap the PKI Certificate Authority step ca bootstrap \ --ca-url "${INPUT_PKI_CA_URL}" \ --fingerprint "${INPUT_PKI_FINGERPRINT}" echo "Bootstrapped PKI at ${INPUT_PKI_CA_URL}" # Obtain the Host Certificate [ ! -d ~/.ssh ] && mkdir ~/.ssh echo "@cert-authority *.kraussnet.com $(step ssh config --host --roots)" > ~/.ssh/known_hosts echo "Obtained SSH Host Certificate Authority" # Obtain a User Certificate for Ansible token=$(step ca token "${user_cert_subject}" --ssh --provisioner "${provisioner_name}" --provisioner-password-file <(printf "${provisioner_password}")) echo "Obtained User Token from CA" echo $token | step crypto jwt inspect --insecure [ ! -f ~/.ssh/id_ecdsa ] && ssh-keygen -t ecdsa -f ~/.ssh/id_ecdsa -N '' [ -f ~/.ssh/id_ecdsa-cert.pub ] && rm ~/.ssh/id_ecdsa-cert.pub step ssh certificate "${user_cert_subject}" ~/.ssh/id_ecdsa.pub --sign --provisioner "${provisioner_name}" --token $token echo "Obtained User Certificate from CA" ssh-keygen -L -f ~/.ssh/id_ecdsa-cert.pub # Run a test command (will be replaced with the Ansible command) ssh ansible@rpi-ns1.lan.kraussnet.com 'echo "Hello from $(hostname -f)"'