fix(ansible): replace steward key on reprovision + distinct agent update path
Provisioning review corrections + the matching frontend, plus breadcrumb header integration. - provision.yml: authorize the managed pubkey with a regexp match on the ' steward-managed' comment so rotating the key REPLACES the host's steward key in place instead of stacking a second authorized entry. Hand-added keys (other comments) are untouched. - update.yml (new): refresh agent.py + restart only. Does NOT rotate the token or rewrite /etc/steward-agent.conf — the host keeps its identity. Asserts the agent is already installed and fails clearly otherwise. - host_agent /update route: runs update.yml as the managed steward user (no token minting). Token rotation stays a deliberate action. - settings/ansible/generate-key honors a safe relative `next` redirect, so an inline trigger elsewhere returns to its page. - Host Agents settings: reworked into a clear lifecycle — an intro card that explains it runs Ansible to deploy the agent (+ inline "generate managed key" warning/trigger when none exists), then three labelled cards: 1 Provision, 2 Install/enroll, 3 Update. Each explains what it does. - base.html: breadcrumb now renders as a kicker line directly above the page title (moved below alerts, tightened margin) so nested and top-level views share one consistent header. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -197,6 +197,7 @@ async def ansible_generate_key():
|
||||
"""
|
||||
from steward.core.crypto import generate_ssh_keypair
|
||||
|
||||
form = await request.form
|
||||
private_pem, public_line = generate_ssh_keypair()
|
||||
async with current_app.db_sessionmaker() as db:
|
||||
async with db.begin():
|
||||
@@ -205,6 +206,10 @@ async def ansible_generate_key():
|
||||
await _reload_app_config()
|
||||
await log_audit(current_app, session.get("user_id"), session.get("username", ""),
|
||||
"settings.saved", detail={"section": "ansible.managed_key"})
|
||||
# Allow the inline trigger on other pages (e.g. Host Agents) to return there.
|
||||
nxt = (form.get("next", "") or "").strip()
|
||||
if nxt.startswith("/") and not nxt.startswith("//"):
|
||||
return redirect(nxt)
|
||||
return redirect(url_for("settings.ansible"))
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user