feat(ansible): host provisioning via steward managed SSH identity
CI / lint (push) Successful in 3s
CI / unit (push) Successful in 8s
CI / integration (push) Successful in 2m18s
CI / publish (push) Successful in 1m3s

Turn the agent-install playbook into a full provisioning + maintenance
path. Solves the bootstrap chicken-and-egg: first contact uses an
operator-supplied password (one run, never stored), which creates a
dedicated `steward` login account with NOPASSWD sudo + Steward's managed
public key. Every run thereafter connects as `steward` with the managed
key — fully unattended (scheduled prune, agent updates).

- core/crypto: generate_ssh_keypair() — ed25519, OpenSSH formats.
- settings: ansible.ssh_public_key (non-secret, displayed) + ansible.ssh_user
  (default steward); to_ansible_cfg extended.
- settings UI + route: "Generate managed key" (private encrypted, public
  shown to copy) + SSH-user field.
- executor: build_bootstrap() writes a 0600 vars file (-e @file) for the
  per-run user/password — never argv, never DB, never logged; drops the
  managed key when a bootstrap password is given; --user floor from the
  global ssh_user when no override.
- runner.trigger_run: pass-through `connection` kwarg, deliberately NOT
  persisted on AnsibleRun.params (password stays out of the DB).
- bundled/host_agent/provision.yml: create steward user + authorized_keys
  + /etc/sudoers.d/steward (visudo-validated) + agent install.
- host_agent: /provision route + "Provision a fresh host" card (bootstrap
  user/password; injects pubkey + user + token as space-safe JSON hostvars).
- Dockerfile: add sshpass (Ansible shells out to it for password SSH).
- tests: keypair generation + build_bootstrap (secret stays off argv).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-06-16 17:17:38 -04:00
parent 6e91bdc82b
commit 0318f6423f
12 changed files with 492 additions and 5 deletions
+23
View File
@@ -3,6 +3,7 @@ from steward.core.crypto import (
ENC_PREFIX,
decrypt_secret,
encrypt_secret,
generate_ssh_keypair,
init_crypto,
is_encrypted,
)
@@ -44,3 +45,25 @@ def test_wrong_key_does_not_reveal_plaintext():
assert decrypt_secret(tok) != "secret"
init_crypto("key-A")
assert decrypt_secret(tok) == "secret"
# ── Managed SSH keypair generation ────────────────────────────────────────────
def test_generate_ssh_keypair_formats():
priv, pub = generate_ssh_keypair()
assert priv.startswith("-----BEGIN OPENSSH PRIVATE KEY-----")
assert priv.rstrip().endswith("-----END OPENSSH PRIVATE KEY-----")
assert pub.startswith("ssh-ed25519 ")
assert pub.endswith(" steward-managed")
def test_generate_ssh_keypair_is_unique():
p1, _ = generate_ssh_keypair()
p2, _ = generate_ssh_keypair()
assert p1 != p2
def test_generate_ssh_keypair_custom_comment():
_, pub = generate_ssh_keypair(comment="host-x")
assert pub.endswith(" host-x")
assert len(pub.split()) == 3 # type, key, comment
+35 -1
View File
@@ -1,7 +1,7 @@
"""Unit tests for Ansible credential argv/env construction (task 548)."""
import json
from steward.ansible.executor import ansible_env, build_credentials
from steward.ansible.executor import ansible_env, build_bootstrap, build_credentials
def test_no_creds_is_empty():
@@ -55,3 +55,37 @@ def test_ansible_env_host_key_checking_toggle():
def test_ansible_env_preserves_base():
env = ansible_env({}, {"FOO": "bar"})
assert env["FOO"] == "bar"
# ── Bootstrap connection override (first-contact provisioning) ─────────────────
def test_bootstrap_empty_is_noop():
assert build_bootstrap({}, "/td") == ([], [])
assert build_bootstrap(None, "/td") == ([], [])
def test_bootstrap_user_only():
args, files = build_bootstrap({"user": "root"}, "/td")
assert args == ["-e", "@/td/bootstrap.yml"]
assert files == [("/td/bootstrap.yml", 'ansible_user: "root"\n')]
def test_bootstrap_password_doubles_as_become_and_stays_off_argv():
pw = "p@ss word"
args, files = build_bootstrap({"user": "admin", "password": pw}, "/td")
assert args == ["-e", "@/td/bootstrap.yml"]
body = files[0][1]
assert 'ansible_user: "admin"\n' in body
assert "ansible_password: " + json.dumps(pw) + "\n" in body
# Bare password becomes the become password too.
assert "ansible_become_password: " + json.dumps(pw) + "\n" in body
# Secret must never reach the command line.
assert pw not in " ".join(args)
def test_bootstrap_explicit_become_password():
_, files = build_bootstrap(
{"user": "u", "password": "sshpw", "become_password": "sudopw"}, "/td")
body = files[0][1]
assert 'ansible_password: "sshpw"\n' in body
assert 'ansible_become_password: "sudopw"\n' in body