Merge "Manage gerrit's ecdsa and ed25519 hostkeys"

2025-04-16 21:31:05 +00:00 · 2025-04-16 21:31:05 +00:00 · 15b65cbfc4
commit 15b65cbfc4
parent f1c68a0521 c11b8403b6
2 changed files with 117 additions and 3 deletions
--- a/playbooks/roles/gerrit/tasks/main.yaml
+++ b/playbooks/roles/gerrit/tasks/main.yaml
@ -96,8 +96,8 @@
    group: "{{ gerrit_user_name }}"
    mode: 0644

-# Server host key for SSH service on port 29418
- name: Write Gerrit SSH host private key
+# Server host keys for SSH service on port 29418
+- name: Write Gerrit SSH RSA host private key
  copy:
    content: "{{ gerrit_ssh_rsa_key_contents }}"
    dest: "{{ gerrit_site_dir }}/etc/ssh_host_rsa_key"
@ -105,7 +105,7 @@
    group: "{{ gerrit_user_name }}"
    mode: 0600

- name: Write Gerrit SSH host public key
+- name: Write Gerrit SSH RSA host public key
  copy:
    content: "{{ gerrit_ssh_rsa_pubkey_contents }}"
    dest: "{{ gerrit_site_dir }}/etc/ssh_host_rsa_key.pub"
@ -113,6 +113,70 @@
    group: "{{ gerrit_user_name }}"
    mode: 0644

+- name: Write Gerrit SSH ECDSA host private key
+  copy:
+    content: "{{ gerrit_ssh_ecdsa_key_contents }}"
+    dest: "{{ gerrit_site_dir }}/etc/ssh_host_ecdsa_key"
+    owner: "{{ gerrit_user_name }}"
+    group: "{{ gerrit_user_name }}"
+    mode: 0600
+
+- name: Write Gerrit SSH ECDSA host public key
+  copy:
+    content: "{{ gerrit_ssh_ecdsa_pubkey_contents }}"
+    dest: "{{ gerrit_site_dir }}/etc/ssh_host_ecdsa_key.pub"
+    owner: "{{ gerrit_user_name }}"
+    group: "{{ gerrit_user_name }}"
+    mode: 0644
+
+- name: Write Gerrit SSH ECDSA 384 host private key
+  copy:
+    content: "{{ gerrit_ssh_ecdsa_384_key_contents }}"
+    dest: "{{ gerrit_site_dir }}/etc/ssh_host_ecdsa_384_key"
+    owner: "{{ gerrit_user_name }}"
+    group: "{{ gerrit_user_name }}"
+    mode: 0600
+
+- name: Write Gerrit SSH ECDSA 384 host public key
+  copy:
+    content: "{{ gerrit_ssh_ecdsa_384_pubkey_contents }}"
+    dest: "{{ gerrit_site_dir }}/etc/ssh_host_ecdsa_384_key.pub"
+    owner: "{{ gerrit_user_name }}"
+    group: "{{ gerrit_user_name }}"
+    mode: 0644
+
+- name: Write Gerrit SSH ECDSA 521 host private key
+  copy:
+    content: "{{ gerrit_ssh_ecdsa_521_key_contents }}"
+    dest: "{{ gerrit_site_dir }}/etc/ssh_host_ecdsa_521_key"
+    owner: "{{ gerrit_user_name }}"
+    group: "{{ gerrit_user_name }}"
+    mode: 0600
+
+- name: Write Gerrit SSH ECDSA 521 host public key
+  copy:
+    content: "{{ gerrit_ssh_ecdsa_521_pubkey_contents }}"
+    dest: "{{ gerrit_site_dir }}/etc/ssh_host_ecdsa_521_key.pub"
+    owner: "{{ gerrit_user_name }}"
+    group: "{{ gerrit_user_name }}"
+    mode: 0644
+
+- name: Write Gerrit SSH ED25519 host private key
+  copy:
+    content: "{{ gerrit_ssh_ed25519_key_contents }}"
+    dest: "{{ gerrit_site_dir }}/etc/ssh_host_ed25519_key"
+    owner: "{{ gerrit_user_name }}"
+    group: "{{ gerrit_user_name }}"
+    mode: 0600
+
+- name: Write Gerrit SSH ED25519 host public key
+  copy:
+    content: "{{ gerrit_ssh_ed25519_pubkey_contents }}"
+    dest: "{{ gerrit_site_dir }}/etc/ssh_host_ed25519_key.pub"
+    owner: "{{ gerrit_user_name }}"
+    group: "{{ gerrit_user_name }}"
+    mode: 0644
+
 # Private key for openstack-project-creator user
 - name: Write Gerrit SSH project private key
  copy:
--- a/playbooks/zuul/templates/host_vars/review99.opendev.org.yaml.j2
+++ b/playbooks/zuul/templates/host_vars/review99.opendev.org.yaml.j2
@ -29,6 +29,56 @@ gerrit_ssh_rsa_key_contents: |
  -----END RSA PRIVATE KEY-----
 gerrit_ssh_rsa_pubkey_contents: |
  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+pCQlTAQYmCrOY6aPbvbyKQDcOCXibPNGIjnPPMuEItCS0vtRnqEBz7znWZS5Drq9yKpROh6uFF01ao2VnNjw6f+NdRNV19RWVe6mYN+qa2VrH2caLwBrKPiH0Xc/eK41D55dZU7IWwKYAw/NpiBaBfHavFwipI+rmEb68MH2hcimDdr/bji+0hkh3X+42dkNvmMdtkuCW6nKdAEhnXaHZc5SJR/EvzgRCfB8vbML13p46O9xhoJgn7ZWvMb3vaR5jxIkQwstUR36raEVhttBDEuWasWnHYbrM1zd3ooudbTEQf5vXISZKFygHyJFFqb4iQ76i+hDlb0VQKZCdaol test-gerrit-hostkey
+gerrit_ssh_ecdsa_key_contents: |
+  -----BEGIN OPENSSH PRIVATE KEY-----
+  b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
+  1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQRZtjWNgtRszhwwxbDSHL2ufeD4TeeT
+  V6KmRH5UcPAvOoNo3//q5mWPUDrrFDK1OlfgxIUdcp3vSvCLIKVVc44kAAAAqLihL2q4oS
+  9qAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFm2NY2C1GzOHDDF
+  sNIcva594PhN55NXoqZEflRw8C86g2jf/+rmZY9QOusUMrU6V+DEhR1yne9K8IsgpVVzji
+  QAAAAgVf9XXCDp1ydUD64uMquWwJSYUMPi63zGfMtVejAGyKUAAAANY2xhcmtAdG9hc3Rl
+  cgECAw==
+  -----END OPENSSH PRIVATE KEY-----
+gerrit_ssh_ecdsa_pubkey_contents: |
+  ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFm2NY2C1GzOHDDFsNIcva594PhN55NXoqZEflRw8C86g2jf/+rmZY9QOusUMrU6V+DEhR1yne9K8IsgpVVzjiQ= test-gerrit-hostkey
+gerrit_ssh_ecdsa_384_key_contents: |
+  -----BEGIN OPENSSH PRIVATE KEY-----
+  b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAiAAAABNlY2RzYS
+  1zaGEyLW5pc3RwMzg0AAAACG5pc3RwMzg0AAAAYQRjTpPwkO7rGhGVJCMWUrAcIMpGec34
+  0ti6MQ6m/XvfWxYvZ6cIOES1CcFwZrzJ8ImJpb3+tOGg5iGFkKVWFMrDJUPLcrrdgYmMAg
+  AoLsN3RlNohXf3UvGj//8gRs/lLxQAAADYLkUkxi5FJMYAAAATZWNkc2Etc2hhMi1uaXN0
+  cDM4NAAAAAhuaXN0cDM4NAAAAGEEY06T8JDu6xoRlSQjFlKwHCDKRnnN+NLYujEOpv1731
+  sWL2enCDhEtQnBcGa8yfCJiaW9/rThoOYhhZClVhTKwyVDy3K63YGJjAIAKC7Dd0ZTaIV3
+  91Lxo///IEbP5S8UAAAAMG2QdS4dTlRTeMHsw6le5MrI2pcJM+DDF791jn/GOh+0lFWV2H
+  qdHPhs8Cl5wEjOWwAAAA1jbGFya0B0b2FzdGVyAQID
+  -----END OPENSSH PRIVATE KEY-----
+gerrit_ssh_ecdsa_384_pubkey_contents: |
+  ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBGNOk/CQ7usaEZUkIxZSsBwgykZ5zfjS2LoxDqb9e99bFi9npwg4RLUJwXBmvMnwiYmlvf604aDmIYWQpVYUysMlQ8tyut2BiYwCACguw3dGU2iFd/dS8aP//yBGz+UvFA== test-gerrit-hostkey
+gerrit_ssh_ecdsa_521_key_contents: |
+  -----BEGIN OPENSSH PRIVATE KEY-----
+  b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAArAAAABNlY2RzYS
+  1zaGEyLW5pc3RwNTIxAAAACG5pc3RwNTIxAAAAhQQBaJa5U2SwgWTRis4ixQ5Y0F+SL7eL
+  eFPLfukKQ5g+4U3R7/f10k+4YweOuA+aP9PEy0IUixSbdUM8vlydJ0L3jPcA1vDSJ3Vm7S
+  lD5wbDwq/htBU0jKlCsd4Hre2TWlPcl/6rxz9mqNu06XriO2kz5iAOREastwDx3OqGW9QD
+  GoceWVcAAAEQkQYD25EGA9sAAAATZWNkc2Etc2hhMi1uaXN0cDUyMQAAAAhuaXN0cDUyMQ
+  AAAIUEAWiWuVNksIFk0YrOIsUOWNBfki+3i3hTy37pCkOYPuFN0e/39dJPuGMHjrgPmj/T
+  xMtCFIsUm3VDPL5cnSdC94z3ANbw0id1Zu0pQ+cGw8Kv4bQVNIypQrHeB63tk1pT3Jf+q8
+  c/ZqjbtOl64jtpM+YgDkRGrLcA8dzqhlvUAxqHHllXAAAAQgCAYxTk0LklOsGyS/iRfFDy
+  7RGJ6hoTRf6M8FIH5KS9l6++dL66T9Z4T/x/o2U6cBVCBy/ZAFi0Mi7s9KZMdlOlQAAAAA
+  1jbGFya0B0b2FzdGVyAQIDBAU=
+  -----END OPENSSH PRIVATE KEY-----
+gerrit_ssh_ecdsa_521_pubkey_contents: |
+  ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAFolrlTZLCBZNGKziLFDljQX5Ivt4t4U8t+6QpDmD7hTdHv9/XST7hjB464D5o/08TLQhSLFJt1Qzy+XJ0nQveM9wDW8NIndWbtKUPnBsPCr+G0FTSMqUKx3get7ZNaU9yX/qvHP2ao27TpeuI7aTPmIA5ERqy3APHc6oZb1AMahx5ZVw== test-gerrit-hostkey
+gerrit_ssh_ed25519_key_contents: |
+  -----BEGIN OPENSSH PRIVATE KEY-----
+  b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+  QyNTUxOQAAACBSWYNC/4rHZ6+8MiQ41Xi8A7BWm2/Ze2U3tVqwLY3lvwAAAJDVdmJE1XZi
+  RAAAAAtzc2gtZWQyNTUxOQAAACBSWYNC/4rHZ6+8MiQ41Xi8A7BWm2/Ze2U3tVqwLY3lvw
+  AAAEDdfaDmCCWyXyX9ewHOeMWwR7aTUcRQmbYy52gjaLcn91JZg0L/isdnr7wyJDjVeLwD
+  sFabb9l7ZTe1WrAtjeW/AAAADWNsYXJrQHRvYXN0ZXI=
+  -----END OPENSSH PRIVATE KEY-----
+gerrit_ssh_ed25519_pubkey_contents: |
+  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFJZg0L/isdnr7wyJDjVeLwDsFabb9l7ZTe1WrAtjeW/ test-gerrit-hostkey
 gerrit_known_hosts_keys:
  '[{% raw %}{{ gerrit_vhost_name }}{% endraw %}]:29418': |
    [{% raw %}{{ gerrit_vhost_name }}{% endraw %}]:29418,[localhost]:29418,[127.0.0.1]:29418,[::1]:29418 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+pCQlTAQYmCrOY6aPbvbyKQDcOCXibPNGIjnPPMuEItCS0vtRnqEBz7znWZS5Drq9yKpROh6uFF01ao2VnNjw6f+NdRNV19RWVe6mYN+qa2VrH2caLwBrKPiH0Xc/eK41D55dZU7IWwKYAw/NpiBaBfHavFwipI+rmEb68MH2hcimDdr/bji+0hkh3X+42dkNvmMdtkuCW6nKdAEhnXaHZc5SJR/EvzgRCfB8vbML13p46O9xhoJgn7ZWvMb3vaR5jxIkQwstUR36raEVhttBDEuWasWnHYbrM1zd3ooudbTEQf5vXISZKFygHyJFFqb4iQ76i+hDlb0VQKZCdaol