Support ssh keys authorization to nodes (#41)

ppiwowa-csco · web-flow · commit 44930e673501 · 2025-03-28T12:29:51.000+01:00
* Add ssh keys fingerprints to cEdge bootstrap configuration

* Add ssh public keys to control nodes

* Update README
diff --git a/roles/aws_controllers/README.md b/roles/aws_controllers/README.md
@@ -57,6 +57,7 @@ The following variables must be set prior to executing the role:
 - `az_subnets`: A list of subnet definitions for the Azure Virtual Network.
 - `admin_username`: Administrator username for the SD-WAN controller instances.
 - `admin_password`: Administrator password for the SD-WAN controller instances.
+- `admin_ssh_keys`: List of SSH public keys authorized for admin login.
 
 ## Example Playbook
 
diff --git a/roles/aws_controllers/defaults/main.yml b/roles/aws_controllers/defaults/main.yml
@@ -27,6 +27,7 @@ aws_resources_prefix: "{{ organization_name }}"
 # Cloud-init general configurations
 admin_username: admin
 admin_password: null  # pragma: allowlist secret
+admin_ssh_keys: []
 vbond_port: 12346
 default_vbond_ip: 192.168.1.199  # default ips from official Cisco guides
 # vpn0_interface_color: default
diff --git a/roles/aws_controllers/templates/userdata_vbond.j2 b/roles/aws_controllers/templates/userdata_vbond.j2
@@ -78,4 +78,11 @@ write_files:
         </vpn-instance>
       </vpn>
     </config>
+{% if admin_ssh_keys %}
+- path: /home/admin/.ssh/authorized_keys
+  content: |
+{% for k in admin_ssh_keys %}
+    {{ k }}
+{% endfor %}
+{% endif %}
 --===============8815267485200512281==
diff --git a/roles/aws_controllers/templates/userdata_vmanage.j2 b/roles/aws_controllers/templates/userdata_vmanage.j2
@@ -98,6 +98,14 @@ write_files:
       </vpn>
     </config>
 
+{% if admin_ssh_keys %}
+- path: /home/admin/.ssh/authorized_keys
+  content: |
+{% for k in admin_ssh_keys %}
+    {{ k }}
+{% endfor %}
+{% endif %}
+
 {% if vmanage_cluster_private_ip is defined %}
 - path: /home/admin/customized.cfg
   content: |
diff --git a/roles/aws_controllers/templates/userdata_vsmart.j2 b/roles/aws_controllers/templates/userdata_vsmart.j2
@@ -76,4 +76,11 @@ write_files:
         </vpn-instance>
       </vpn>
     </config>
+{% if admin_ssh_keys %}
+- path: /home/admin/.ssh/authorized_keys
+  content: |
+{% for k in admin_ssh_keys %}
+    {{ k }}
+{% endfor %}
+{% endif %}
 --===============8815267485200512281==
diff --git a/roles/aws_edges/README.md b/roles/aws_edges/README.md
@@ -54,6 +54,7 @@ The following variables must be set prior to executing the role:
 - `aws_region`: AWS region to host the resources.
 - `aws_availibility_zone`: Specific AWS availability zone within the selected region.
 - `admin_password`: Password for administrative access to controller instances.
+- `admin_ssh_keys`: List of SSH public keys authorized for admin login.
 - `aws_vpc_config`: Configuration details for the AWS VPC.
 - `aws_security_group_config`: Settings for the AWS security group.
 - `aws_subnets_config`: Specifications for the AWS subnets.
diff --git a/roles/aws_edges/defaults/main.yml b/roles/aws_edges/defaults/main.yml
@@ -27,6 +27,7 @@ aws_resources_prefix: "{{ organization_name }}"
 # Cloud-init general configurations
 admin_username: admin
 admin_password: null  # pragma: allowlist secret
+admin_ssh_keys: []
 vbond_port: 12346
 default_vbond_ip: 192.168.1.199  # default ips from official Cisco guides
 # vpn0_interface_color: default
diff --git a/roles/aws_edges/templates/bootstrap_cedge.j2 b/roles/aws_edges/templates/bootstrap_cedge.j2
@@ -171,6 +171,13 @@ Content-Disposition: attachment; filename="config-{{ uuid }}.txt"
   ip bootp server
   no ip source-route
   no ip ssh bulk-mode
+{% if admin_ssh_keys %}
+  ip ssh pubkey-chain
+   username admin
+{% for k in admin_ssh_keys %}
+    key-hash ssh-rsa {{ k.split()[1] | ansible.builtin.b64decode | ansible.builtin.md5 | upper }}
+{% endfor %}
+{% endif %}
   no ip http server
   no ip http secure-server
   no ip http ctc authentication
diff --git a/roles/azure_controllers/README.md b/roles/azure_controllers/README.md
@@ -62,6 +62,7 @@ The `azure_controllers` role automates the deployment of Cisco SD-WAN controller
 - `az_subnets`: Definitions of Azure subnets within the Virtual Network.
 - `admin_username`: Admin username for the deployed VMs.
 - `admin_password`: Admin password for the deployed VMs.
+- `admin_ssh_keys`: List of SSH public keys authorized for admin login.
 
 ## Example Playbook
 
diff --git a/roles/azure_controllers/defaults/main.yml b/roles/azure_controllers/defaults/main.yml
@@ -60,6 +60,7 @@ az_allowed_subnets: null
 # Cloud-init general configurations
 admin_username: admin
 admin_password: null  # pragma: allowlist secret
+admin_ssh_keys: []
 vbond_port: 12346
 default_vbond_ip: 192.168.1.199
 # vpn0_interface_color: default
diff --git a/roles/azure_controllers/templates/userdata_vbond.j2 b/roles/azure_controllers/templates/userdata_vbond.j2
@@ -81,4 +81,11 @@ write_files:
         </vpn-instance>
       </vpn>
     </config>
+{% if admin_ssh_keys %}
+- path: /home/admin/.ssh/authorized_keys
+  content: |
+{% for k in admin_ssh_keys %}
+    {{ k }}
+{% endfor %}
+{% endif %}
 --===============8815267485200512281==
diff --git a/roles/azure_controllers/templates/userdata_vmanage.j2 b/roles/azure_controllers/templates/userdata_vmanage.j2
@@ -101,6 +101,14 @@ write_files:
       </vpn>
     </config>
 
+{% if admin_ssh_keys %}
+- path: /home/admin/.ssh/authorized_keys
+  content: |
+{% for k in admin_ssh_keys %}
+    {{ k }}
+{% endfor %}
+{% endif %}
+
 {% if vmanage_cluster_private_ip is defined %}
 - path: /home/admin/customized.cfg
   content: |
diff --git a/roles/azure_controllers/templates/userdata_vsmart.j2 b/roles/azure_controllers/templates/userdata_vsmart.j2
@@ -79,4 +79,11 @@ write_files:
         </vpn-instance>
       </vpn>
     </config>
+{% if admin_ssh_keys %}
+- path: /home/admin/.ssh/authorized_keys
+  content: |
+{% for k in admin_ssh_keys %}
+    {{ k }}
+{% endfor %}
+{% endif %}
 --===============8815267485200512281==
diff --git a/roles/azure_edges/README.md b/roles/azure_edges/README.md
@@ -65,6 +65,7 @@ Variables with default values that can be overridden by the user:
 - `az_cedge_image_version`: The version of the Cisco Edge compute image.
 - `admin_username`: The admin username for virtual machine access.
 - `admin_password`: The admin password for virtual machine access.
+- `admin_ssh_keys`: List of SSH public keys authorized for admin login.
 
 ## Example Playbook
 
diff --git a/roles/azure_edges/defaults/main.yml b/roles/azure_edges/defaults/main.yml
@@ -60,6 +60,7 @@ az_allowed_subnets: null
 # Cloud-init general configurations
 admin_username: admin
 admin_password: example_password  # pragma: allowlist secret
+admin_ssh_keys: []
 vbond_port: 12346
 default_vbond_ip: 192.168.1.199
 # vpn0_interface_color: default
diff --git a/roles/azure_edges/templates/userdata_cedge.j2 b/roles/azure_edges/templates/userdata_cedge.j2
@@ -171,6 +171,13 @@ Content-Disposition: attachment; filename="config-{{ uuid }}.txt"
   ip bootp server
   no ip source-route
   no ip ssh bulk-mode
+{% if admin_ssh_keys %}
+  ip ssh pubkey-chain
+   username admin
+{% for k in admin_ssh_keys %}
+    key-hash ssh-rsa {{ k.split()[1] | ansible.builtin.b64decode | ansible.builtin.md5 | upper }}
+{% endfor %}
+{% endif %}
   no ip http server
   no ip http secure-server
   no ip http ctc authentication
