ansible / ansible-modules-core

Ansible modules - these modules ship with ansible

authorized_key: pull keys from git server before the module is copied to the target machine #5835

Closed ichundu closed 7 years ago

ichundu commented 7 years ago

ISSUE TYPE

COMPONENT NAME

module: authorized_key

ANSIBLE VERSION

ansible 2.2.0.0
  config file = /home/username/.ansible.cfg
  configured module search path = Default w/o overrides

CONFIGURATION

None which affect module behaviour.

OS / ENVIRONMENT

N/A

SUMMARY

In my company we are using a local git repository server (gitlab) and very few servers are able to access it. The majority of servers don't have network access to our local gitlab instance since we use it exclusively for ansible. So when I use the authorized_key module to deploy ssh keys and tell it to pull the keys from our gitlab instance (https://gitlab_server/{{ username }}.keys), the servers that can't access our gitlab instance cannot pull the keys. I understand that the module is copied to the target machine first and then executed, but it would be neat if there could be a way to get the keys from the git server before the module is copied to the target machine. Sorry if this is too much to ask, and I know there are other ways to deploy ssh keys, but I find the ability to provide the keys from a URL very useful, and it seems useless if target servers cannot access the git server to get the keys.

STEPS TO REPRODUCE

Try to deploy the keys to a target that cannot access the git server.

- name: "Deploy public ssh key for username"
  authorized_key:
    user: "username"
    key: "https://gitlab_server/username.keys"
    exclusive: yes
    validate_certs: no
    state: present

EXPECTED RESULTS

changed: [ansible_host]

ACTUAL RESULTS

Because the target server cannot access the local git server the following error appears.

fatal: [ansible_host]: FAILED! => {
    "changed": false, 
    "failed": true, 
    "invocation": {
        "module_args": {
            "exclusive": true, 
            "key": "https://gitlab_server/username.keys", 
            "key_options": null, 
            "manage_dir": true, 
            "path": null, 
            "state": "present", 
            "unique": false, 
            "user": "username", 
            "validate_certs": false
        }, 
        "module_name": "authorized_key"
    }, 
    "msg": "Error getting key from: https://gitlab_server/username.keys"
}

ansibot commented 7 years ago

@ansible ping, this issue is waiting for your response. click here for bot help

ansibot commented 7 years ago

This repository has been locked. All new issues and pull requests should be filed in https://github.com/ansible/ansible

Please read through the repomerge page in the dev guide. The guide contains links to tools which automatically move your issue or pull request to the ansible/ansible repo.

robinro commented 7 years ago

I believe this feature will not be implemented in authorized keys, since, as you mention, it breaks the convention of running a module with all arguments on the target host.

There is a straightforward workaround, which makes the transfer of data more explicit (rough sketch, needs to be extended to work):

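- name: pull keys from server
  uri:
    url: https://gitlab_server/username.keys
    return_content: True
  register: keys
  # run the HTTP request on the control machine, not on the target
  delegate_to: localhost

- name: set authorized_keys
  authorized_key:
    # ... (remaining arguments elided in the original sketch)
    # template the registered result; a bare keys.content is a literal string
    key: "{{ keys.content }}"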

With this I'd consider the problem solved. close_me

Feel free to reopen if needed.
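
An added example, not part of the thread or of the Ansible project's own code: the workaround above extended into a complete play that fetches the keys once on the control machine and checks the response before any target is touched, because `exclusive: yes` makes the fetched body the entire authorized_keys file. The variable names (`keys_url`, `key_line_re`, `fetched`, `key_lines`) and the key-type allow-list are assumptions made for this illustration; `gitlab_server` and `username` are the placeholders from the issue.

```yaml
- hosts: all
  vars:
    username: username            # placeholder taken from the issue
    keys_url: "https://gitlab_server/{{ username }}.keys"
    # Assumed allow-list: every line must start with a key type, so lines that
    # carry leading options such as command="..." are rejected.
    key_line_re: '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+( .*)?$'
  tasks:
    - name: Fetch the public keys once, on the control machine
      uri:
        url: "{{ keys_url }}"
        return_content: yes
        status_code: 200
        # validate_certs is left at its default (yes), so the TLS
        # certificate of the git server is checked.
      register: fetched
      delegate_to: localhost
      run_once: yes

    - name: Stop on an empty or malformed response
      assert:
        that:
          # at least one key, otherwise exclusive mode would empty the file
          - key_lines | length > 0
          # no line may fall outside the allow-list
          - key_lines | reject('match', key_line_re) | list | length == 0
        msg: "Unexpected content from {{ keys_url }}; authorized_keys left untouched"
      vars:
        key_lines: "{{ fetched.content.splitlines() | map('trim') | select() | list }}"
      run_once: yes

    - name: Install the fetched keys on every target
      authorized_key:
        user: "{{ username }}"
        key: "{{ fetched.content }}"
        exclusive: yes
        state: present
```

With `run_once`, the registered `fetched` result is shared with every host in the play, so only the control machine needs network access to the git server.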