fix(ansible): replace steward key on reprovision + distinct agent update path
Provisioning review corrections + the matching frontend, plus breadcrumb header integration. - provision.yml: authorize the managed pubkey with a regexp match on the ' steward-managed' comment so rotating the key REPLACES the host's steward key in place instead of stacking a second authorized entry. Hand-added keys (other comments) are untouched. - update.yml (new): refresh agent.py + restart only. Does NOT rotate the token or rewrite /etc/steward-agent.conf — the host keeps its identity. Asserts the agent is already installed and fails clearly otherwise. - host_agent /update route: runs update.yml as the managed steward user (no token minting). Token rotation stays a deliberate action. - settings/ansible/generate-key honors a safe relative `next` redirect, so an inline trigger elsewhere returns to its page. - Host Agents settings: reworked into a clear lifecycle — an intro card that explains it runs Ansible to deploy the agent (+ inline "generate managed key" warning/trigger when none exists), then three labelled cards: 1 Provision, 2 Install/enroll, 3 Update. Each explains what it does. - base.html: breadcrumb now renders as a kicker line directly above the page title (moved below alerts, tightened margin) so nested and top-level views share one consistent header. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -50,9 +50,13 @@
|
||||
group: "{{ steward_user }}"
|
||||
mode: "0700"
|
||||
|
||||
- name: Authorize the managed public key
|
||||
- name: Authorize the managed public key (replace any prior steward-managed key)
|
||||
ansible.builtin.lineinfile:
|
||||
path: "/home/{{ steward_user }}/.ssh/authorized_keys"
|
||||
# Match on the ' steward-managed' comment so a rotated key REPLACES the
|
||||
# old one in place rather than stacking a second authorized key. Any
|
||||
# keys the operator added by hand (different comment) are left untouched.
|
||||
regexp: ' steward-managed$'
|
||||
line: "{{ steward_pubkey }}"
|
||||
create: true
|
||||
owner: "{{ steward_user }}"
|
||||
|
||||
@@ -0,0 +1,47 @@
|
||||
---
|
||||
# Update an already-installed Steward host agent: refresh agent.py and restart.
|
||||
#
|
||||
# Deliberately does NOT touch the registration token or /etc/steward-agent.conf
|
||||
# — the host already has a working token, so an update leaves identity alone and
|
||||
# only swaps the agent binary. Connects as the managed `steward` account (set
|
||||
# globally as the SSH user); no bootstrap password or token injection needed.
|
||||
#
|
||||
# For a fresh host with no agent, use provision.yml (new host) or install.yml
|
||||
# (already-provisioned host) instead — those mint and install the token.
|
||||
- name: Update Steward host agent
|
||||
hosts: all
|
||||
become: true
|
||||
gather_facts: false
|
||||
vars:
|
||||
steward_url: ""
|
||||
tasks:
|
||||
- name: Require steward_url
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- steward_url | length > 0
|
||||
fail_msg: "Pass steward_url as an extra-var (the Update action sets it)."
|
||||
|
||||
- name: Confirm the agent is already installed
|
||||
ansible.builtin.stat:
|
||||
path: /usr/local/lib/steward-agent/agent.py
|
||||
register: agent_file
|
||||
|
||||
- name: Fail clearly if the agent is missing
|
||||
ansible.builtin.fail:
|
||||
msg: "No agent at /usr/local/lib/steward-agent — provision or install this host first."
|
||||
when: not agent_file.stat.exists
|
||||
|
||||
- name: Refresh agent.py
|
||||
ansible.builtin.get_url:
|
||||
url: "{{ steward_url }}/plugins/host_agent/agent.py"
|
||||
dest: /usr/local/lib/steward-agent/agent.py
|
||||
mode: "0755"
|
||||
force: true
|
||||
notify: restart steward-agent
|
||||
|
||||
handlers:
|
||||
- name: restart steward-agent
|
||||
ansible.builtin.systemd:
|
||||
name: steward-agent
|
||||
state: restarted
|
||||
daemon_reload: true
|
||||
@@ -197,6 +197,7 @@ async def ansible_generate_key():
|
||||
"""
|
||||
from steward.core.crypto import generate_ssh_keypair
|
||||
|
||||
form = await request.form
|
||||
private_pem, public_line = generate_ssh_keypair()
|
||||
async with current_app.db_sessionmaker() as db:
|
||||
async with db.begin():
|
||||
@@ -205,6 +206,10 @@ async def ansible_generate_key():
|
||||
await _reload_app_config()
|
||||
await log_audit(current_app, session.get("user_id"), session.get("username", ""),
|
||||
"settings.saved", detail={"section": "ansible.managed_key"})
|
||||
# Allow the inline trigger on other pages (e.g. Host Agents) to return there.
|
||||
nxt = (form.get("next", "") or "").strip()
|
||||
if nxt.startswith("/") and not nxt.startswith("//"):
|
||||
return redirect(nxt)
|
||||
return redirect(url_for("settings.ansible"))
|
||||
|
||||
|
||||
|
||||
@@ -146,7 +146,9 @@ textarea { resize: vertical; }
|
||||
.empty { color: var(--text-muted); font-size: 0.9rem; padding: 2rem; text-align: center; }
|
||||
|
||||
/* Breadcrumbs */
|
||||
.breadcrumb { display:flex; align-items:center; flex-wrap:wrap; gap:0.35rem; font-size:0.8rem; color:var(--text-dim); margin-bottom:1rem; }
|
||||
/* Breadcrumb renders as a kicker line tucked directly above the page header
|
||||
(.page-title), so nested and top-level views share one consistent header. */
|
||||
.breadcrumb { display:flex; align-items:center; flex-wrap:wrap; gap:0.35rem; font-size:0.78rem; color:var(--text-dim); margin:0 0 0.45rem; }
|
||||
.breadcrumb a { color:var(--text-muted); }
|
||||
.breadcrumb a:hover { color:var(--text); }
|
||||
.breadcrumb-sep { color:var(--border-mid); }
|
||||
@@ -235,7 +237,6 @@ function setTimeRange(val) {
|
||||
</script>
|
||||
|
||||
<main>
|
||||
{% block breadcrumb %}{% endblock %}
|
||||
{% if plugin_failures and session.user_role == 'admin' %}
|
||||
<div style="background:color-mix(in srgb,var(--yellow) 12%,var(--bg-elevated));
|
||||
border:1px solid color-mix(in srgb,var(--yellow) 35%,var(--border));
|
||||
@@ -253,6 +254,7 @@ function setTimeRange(val) {
|
||||
{% if error %}
|
||||
<div class="alert alert-error">{{ error }}</div>
|
||||
{% endif %}
|
||||
{% block breadcrumb %}{% endblock %}
|
||||
{% block content %}{% endblock %}
|
||||
</main>
|
||||
|
||||
|
||||
Reference in New Issue
Block a user