Remove auto-generated SSH keys on startup
Auto-generated SSH keys were breaking scaled Gerrit setups, since
every instance would have different keys, which would cause the
known_hosts validation to fail. Thus SSH keys have to be manually
provided and used by all instances in a Gerrit cluster.
SSH keys created by gerrit init are now removed during initialization.
SSH keys should be provided as part of the Secret providing secret
configuration.
Change-Id: I99b5233ba382b22e4bb6b32937916ca7ce4885e5
diff --git a/container-images/gerrit-init/tools/gerrit-initializer/initializer/tasks/init.py b/container-images/gerrit-init/tools/gerrit-initializer/initializer/tasks/init.py
index 8266f6f..29a6ac0 100755
--- a/container-images/gerrit-init/tools/gerrit-initializer/initializer/tasks/init.py
+++ b/container-images/gerrit-init/tools/gerrit-initializer/initializer/tasks/init.py
@@ -162,6 +162,16 @@
os.path.join(etc_dir, file_or_dir),
)
+ def _remove_auto_generated_ssh_keys(self):
+ etc_dir = f"{self.site}/etc"
+ if not os.path.exists(etc_dir):
+ return
+
+ for file_or_dir in os.listdir(etc_dir):
+ full_path = os.path.join(etc_dir, file_or_dir)
+ if os.path.isfile(full_path) and file_or_dir.startswith("ssh_host_"):
+ os.remove(full_path)
+
def execute(self):
if not self.is_replica:
self._symlink_mounted_site_components()
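Review bot: `_remove_auto_generated_ssh_keys` deletes every entry in `etc` whose name starts with `ssh_host_`, not only the keys that `gerrit init` generated, and it does so without leaving a log line. Because `os.path.isfile` follows symlinks, the match also covers key symlinks left over from an earlier run and any key files an operator placed directly on a persistent site volume. I would add a docstring that states this and log each removed path (the name only, never the key contents), for example `LOG.info("Removing SSH host key file %s", full_path)`, using whatever logger the module already defines. The top of the file is outside this hunk, so the logger name here is a guess.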
@@ -205,6 +215,7 @@
)
sys.exit(1)
+ self._remove_auto_generated_ssh_keys()
self._symlink_configuration()
if self.is_replica:
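Review bot: Nothing visible after this call verifies that operator-provided host keys actually end up in `etc`. If the Secret carries no `ssh_host_*` files, the site has no host keys after `_symlink_configuration()`, and Gerrit would presumably generate fresh ones when the daemon starts, which silently brings back the per-instance key mismatch this commit is meant to remove. Consider checking after the symlink step that at least one `ssh_host_*` entry exists, and exiting with an error as the code just above does. The ordering also deserves a comment such as `# Must run before _symlink_configuration() so that provided keys are not deleted.` The rest of `execute` is outside the hunk, so such a check may already exist further down.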