[WIFI-6334] Lock down testbed access using Ananda (#186)

* Add Ansible role to setup Ananda gateways Signed-off-by: Johann Hoffmann <johann.hoffmann@mailbox.org> * Add README.md Signed-off-by: Johann Hoffmann <johann.hoffmann@mailbox.org> * Update README.md Signed-off-by: Johann Hoffmann <johann.hoffmann@mailbox.org>
2025-10-29 18:12:20 +00:00 · 2022-06-16 11:06:06 +02:00
parent 5278423cb5
commit b8daa1b2f6
4 changed files with 106 additions and 0 deletions
--- a/ansible/Ananda/README.md
+++ b/ansible/Ananda/README.md
@@ -0,0 +1,20 @@
+## Usage
+This playbook installs and configures the Ananda agent on the lab controllers to set them up as gateways.
+
+You need to install the amazon.aws collection (requires Ansible version 2.9+) and it's dependencies before being able to run the playbook:
+```
+ansible-galaxy collection install amazon.aws
+pip install botocore boto3
+```
+
+
+Since the Ananda tokens are saved as AWS Secrets you also have to login into the SSO account with id `289708231103`. It is required to set the following environment variables:
+```
+export AWS_PROFILE="AdministratorAccess-289708231103" # Depends on your chosen profile name
+export AWS_DEFAULT_REGION="us-east-2"
+```
+
+
+Execute a dry-run with `ansible-playbook -i hosts.yml setup_gateways.yml --diff --check`.
+
+Apply the changes with `ansible-playbook -i hosts.yml setup_gateways.yml --diff`.
--- a/ansible/Ananda/hosts.yml
+++ b/ansible/Ananda/hosts.yml
@@ -0,0 +1,45 @@
+all:
+  hosts:
+    lab-ctlr:
+    lab-ctlr2:
+    lab_ctlr3:
+    lab-ctlr4:
+    lab-ctlr5:
+  children:
+    ananda_gateways:
+      hosts:
+        lab-ctlr:
+          ansible_host: 10.28.3.100
+          ansible_user: lanforge
+          ansible_become_pass: "{{ lookup('amazon.aws.aws_secret', 'Testbeds/UserCredentials.lanforge_user_password', nested=true) }}"
+          ansible_ssh_pass: "{{ lookup('amazon.aws.aws_secret', 'Testbeds/UserCredentials.lanforge_user_password', nested=true) }}"
+          ansible_ssh_common_args: -J ubuntu@3.130.51.163
+          ananda_token: "{{ lookup('amazon.aws.aws_secret', 'Ananda/GatewayTokens.lab-ctlr', nested=true) }}"
+        lab-ctlr2:
+          ansible_host: 10.28.3.101
+          ansible_user: lanforge
+          ansible_become_pass: "{{ lookup('amazon.aws.aws_secret', 'Testbeds/UserCredentials.lanforge_user_password', nested=true) }}"
+          ansible_ssh_pass: "{{ lookup('amazon.aws.aws_secret', 'Testbeds/UserCredentials.lanforge_user_password', nested=true) }}"
+          ansible_ssh_common_args: -J ubuntu@3.130.51.163
+          ananda_token: "{{ lookup('amazon.aws.aws_secret', 'Ananda/GatewayTokens.lab-ctlr2', nested=true) }}"
+        lab-ctlr3:
+          ansible_host: 10.28.3.102
+          ansible_user: lanforge
+          ansible_become_pass: "{{ lookup('amazon.aws.aws_secret', 'Testbeds/UserCredentials.lanforge_user_password', nested=true) }}"
+          ansible_ssh_pass: "{{ lookup('amazon.aws.aws_secret', 'Testbeds/UserCredentials.lanforge_user_password', nested=true) }}"
+          ansible_ssh_common_args: -J ubuntu@3.130.51.163
+          ananda_token: "{{ lookup('amazon.aws.aws_secret', 'Ananda/GatewayTokens.lab-ctlr3', nested=true) }}"
+        lab-ctlr4:
+          ansible_host: 10.28.3.103
+          ansible_user: lanforge
+          ansible_become_pass: "{{ lookup('amazon.aws.aws_secret', 'Testbeds/UserCredentials.lanforge_user_password', nested=true) }}"
+          ansible_ssh_pass: "{{ lookup('amazon.aws.aws_secret', 'Testbeds/UserCredentials.lanforge_user_password', nested=true) }}"
+          ansible_ssh_common_args: -J ubuntu@3.130.51.163
+          ananda_token: "{{ lookup('amazon.aws.aws_secret', 'Ananda/GatewayTokens.lab-ctlr4', nested=true) }}"
+        lab-ctlr5:
+          ansible_host: 10.28.3.104
+          ansible_user: lanforge
+          ansible_become_pass: "{{ lookup('amazon.aws.aws_secret', 'Testbeds/UserCredentials.lanforge_user_password', nested=true) }}"
+          ansible_ssh_pass: "{{ lookup('amazon.aws.aws_secret', 'Testbeds/UserCredentials.lanforge_user_password', nested=true) }}"
+          ansible_ssh_common_args: -J ubuntu@3.130.51.163
+          ananda_token: "{{ lookup('amazon.aws.aws_secret', 'Ananda/GatewayTokens.lab-ctlr5', nested=true) }}"
--- a/ansible/Ananda/roles/setup_gateways/tasks/main.yml
+++ b/ansible/Ananda/roles/setup_gateways/tasks/main.yml
@@ -0,0 +1,36 @@
+- name: Add Ananda repository on Debian based systems
+  block:
+    - name: Check if repo is already added to apt sources
+      stat:
+        path: /etc/sources.list.d/Ananda_release.list
+      register: ananda_repo_debian
+    
+    - name: Add repo to apt sources if it wasn't added yet
+      ansible.builtin.shell: curl -s https://packagecloud.io/install/repositories/Ananda/release/script.deb.sh | bash
+      args:
+        warn: false
+      when: not ananda_repo_debian.stat.exists
+  when: ansible_facts['os_family] == "Debian"
+
+- name: Add Ananda repository on RedHat based systems
+  block:
+    - name: Check if repo is already added to yum repos
+      stat:
+        path: /etc/yum.repos.d/Ananda_release.repo
+      register: ananda_repo_redhat
+    
+    - name: Add repo to yum repos if it wasn't added yet
+      ansible.builtin.shell: curl -s https://packagecloud.io/install/repositories/Ananda/release/script.rpm.sh | bash
+      args:
+        warn: false
+      when: not ananda_repo_redhat.stat.exists
+  when: ansible_facts['os_family'] == "RedHat"
+
+- name: Install ananda-core
+  ansible.builtin.package:
+    name: ananda-core
+    state: present
+
+- name: Login with token
+  ansible.builtin.shell: /opt/ananda/core/ananda-cli --login "{{ hostvars[inventory_hostname]['ananda_token'] }}"
+  ignore_errors: yes
--- a/ansible/Ananda/setup_gateways.yml
+++ b/ansible/Ananda/setup_gateways.yml
@@ -0,0 +1,5 @@
+- hosts: ananda_gateways
+  become: true
+  gather_facts: true
+  roles:
+    - setup_gateways