From 68d7196d472b5195c19e871e960996e89a7bcb9c Mon Sep 17 00:00:00 2001
From: Oliver Walsh
Date: Fri, 24 Mar 2017 14:35:09 +0000
Subject: SSH known_hosts config

Fetch the host public keys from each node, combine them all and write to the system-wide ssh known hosts. The alternative of disabling host key verification is vulnerable to a MITM attack.

Change-Id: Ib572b5910720b1991812256e68c975f7fbe2239c
(cherry picked from commit 7d3552a105ad5aa62cad0998c11df5ec6bd06ed6)
---
 overcloud.j2.yaml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

(limited to 'overcloud.j2.yaml')

diff --git a/overcloud.j2.yaml b/overcloud.j2.yaml
index 927f1d0c..a36e4078 100644
--- a/overcloud.j2.yaml
+++ b/overcloud.j2.yaml
@@ -249,6 +249,16 @@ resources:
 type: json
 value: {get_attr: [EndpointMap, endpoint_map]}
+ SshKnownHostsConfig:
+ type: OS::TripleO::Ssh::KnownHostsConfig
+ properties:
+ known_hosts:
+ list_join:
+ - ''
+ {% for role in roles %}
+ - {get_attr: [{{role.name}}, known_hosts_entry]}
+ {% endfor %}
+
 # Jinja loop for Role in roles_data.yaml
 {% for role in roles %}
 # Resources generated for {{role.name}} Role
@@ -268,6 +278,13 @@ resources:
 config: {get_attr: [hostsConfig, config_id]}
 servers: {get_attr: [{{role.name}}, attributes, nova_server_resource]}
+ {{role.name}}SshKnownHostsDeployment:
+ type: OS::Heat::StructuredDeployments
+ properties:
+ name: {{role.name}}SshKnownHostsDeployment
+ config: {get_resource: SshKnownHostsConfig}
+ servers: {get_attr: [{{role.name}}, attributes, nova_server_resource]}
+
 {{role.name}}AllNodesDeployment:
 type: OS::Heat::StructuredDeployments
 depends_on:
-- cgit 1.2.3-korg
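Review bot: The `list_join` under `SshKnownHostsConfig` uses `''` as its delimiter, so the combined file is well-formed only if every role's `known_hosts_entry` already ends with a newline; that attribute is defined outside this hunk, so this is an assumption to confirm. If an entry lacks the terminator, two hosts' keys fuse onto one line and those hosts can be left without a usable entry, which is exactly the failure that pushes operators toward disabling host key checking. I would state the contract where it is relied on, with a comment above `list_join` such as `# each role's known_hosts_entry must be newline-terminated; entries are concatenated as-is`. It is also worth documenting that the keys are reported by the nodes themselves, so the resulting known_hosts is only as trustworthy as the channel that carries those attributes back to Heat.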
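Review bot: `{{role.name}}SshKnownHostsDeployment` declares no ordering against whatever later relies on it, whereas the `{{role.name}}AllNodesDeployment` that follows carries a `depends_on` list (its body continues outside the hunk). Heat orders this deployment after `SshKnownHostsConfig` through `get_resource`, but nothing visible makes later steps that open SSH sessions between nodes wait until known_hosts has been written; if such steps exist, they would meet an unknown host key on first contact. I would add this resource to the `depends_on` of the first consumer, and document it with a comment above the resource such as `# writes the combined host keys to the system-wide known_hosts on every {{role.name}} server`.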