From 7e3e6558de7639003e078015e770b9e9e7a2a111 Mon Sep 17 00:00:00 2001
From: Mark Goddard <mark@stackhpc.com>
Date: Mon, 19 Aug 2024 15:52:34 +0000
Subject: [PATCH] Support skipping SSH keyscan for older switch devices

Some network devices may use SSH key exchange algorithms that are no
longer supported by the Ansible control host. This will cause
ssh-keyscan to fail, preventing Kayobe from configuring the devices.
This change makes it possible to work around the issue by setting
switch_skip_keyscan to true for the affected devices. The SSH known
hosts file on the Ansible control host will need to be populated
manually.

Change-Id: I4e3394cff1fd86eb5c1a4be55d6fd7fd080b2944
---
 ansible/inventory/group_vars/all/switches/keyscan        | 5 +++++
 ansible/physical-network.yml                             | 7 +++++++
 doc/source/configuration/reference/physical-network.rst  | 9 +++++++++
 .../notes/switch-skip-keyscan-23b1f5006f443323.yaml      | 6 ++++++
 4 files changed, 27 insertions(+)
 create mode 100644 ansible/inventory/group_vars/all/switches/keyscan
 create mode 100644 releasenotes/notes/switch-skip-keyscan-23b1f5006f443323.yaml

diff --git a/ansible/inventory/group_vars/all/switches/keyscan b/ansible/inventory/group_vars/all/switches/keyscan
new file mode 100644
index 00000000..4fcdd1f5
--- /dev/null
+++ b/ansible/inventory/group_vars/all/switches/keyscan
@@ -0,0 +1,5 @@
+---
+# Whether to skip scanning SSH keys for switches. In some cases scanning SSH
+# keys may fail e.g. due to unsupported key exchange algorithms on older
+# devices.  Default is false.
+switch_skip_keyscan: false
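Review bot: The header comment for `switch_skip_keyscan` explains why an operator might set it but not what they take on when they do, which the commit message states: the known hosts file on the Ansible control host must then be populated manually. I would extend the comment before the variable with `# When true, the SSH known hosts file on the Ansible control host must be` / `# populated manually before running 'kayobe physical network configure'.` so the consequence is visible where the variable is set rather than only in the release note and docs. The `| bool` filter applied to this variable in physical-network.yml means string values such as "true" are also accepted, which the comment could mention as well.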
diff --git a/ansible/physical-network.yml b/ansible/physical-network.yml
index c00eb642..f3bfaf00 100644
--- a/ansible/physical-network.yml
+++ b/ansible/physical-network.yml
@@ -117,6 +117,7 @@
        default(100) }}
   roles:
     - role: ssh-known-host
+      when: not switch_skip_keyscan | bool
 
     - role: arista-switch
       arista_switch_type: "{{ switch_type }}"
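Review bot: The guard `when: not switch_skip_keyscan | bool` is added with no comment on what skipping the scan implies for the subsequent switch role, and the identical line is repeated in the six later hunks of this file (L51, L59, L67, L75, L83, L91). A one-line comment above the condition, at least at this first site, would make the trade-off explicit: `# Skipping the keyscan means the switch host key must already be in the control host's known_hosts file.` Without that entry, the following role's SSH connection either fails host key verification or, if strict checking has been relaxed elsewhere in the deployment, proceeds without any pinning of the device identity; I cannot see the SSH configuration from here, so this is an inference. Since all seven plays apply the same condition to the same `ssh-known-host` role, evaluating the variable inside that role's tasks would avoid the repetition, though the role itself is not visible in this patch. Each enclosing play starts outside the hunk.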
@@ -133,6 +134,7 @@
        default(100) }}
   roles:
     - role: ssh-known-host
+      when: not switch_skip_keyscan | bool
 
     - role: dell-switch
       dell_switch_type: "{{ switch_type }}"
@@ -150,6 +152,7 @@
        default(100) }}
   roles:
     - role: ssh-known-host
+      when: not switch_skip_keyscan | bool
 
     - role: stackhpc.network.dell_powerconnect_switch
       dell_powerconnect_switch_type: "{{ switch_type }}"
@@ -166,6 +169,7 @@
        default(100) }}
   roles:
     - role: ssh-known-host
+      when: not switch_skip_keyscan | bool
 
     - role: junos-switch
       junos_switch_type: "{{ switch_type }}"
@@ -183,6 +187,7 @@
        default(100) }}
   roles:
     - role: ssh-known-host
+      when: not switch_skip_keyscan | bool
 
     - role: stackhpc.network.mellanox_switch
       mellanox_switch_type: "{{ switch_type }}"
@@ -199,6 +204,7 @@
        default(100) }}
   roles:
     - role: ssh-known-host
+      when: not switch_skip_keyscan | bool
 
     - role: nclu-switch
       nclu_switch_config: "{{ switch_config }}"
@@ -209,6 +215,7 @@
   gather_facts: no
   roles:
     - role: ssh-known-host
+      when: not switch_skip_keyscan | bool
 
     - role: nvue-switch
       nvue_switch_config: "{{ switch_config }}"
diff --git a/doc/source/configuration/reference/physical-network.rst b/doc/source/configuration/reference/physical-network.rst
index b9146f77..e0e69cc1 100644
--- a/doc/source/configuration/reference/physical-network.rst
+++ b/doc/source/configuration/reference/physical-network.rst
@@ -181,6 +181,15 @@ example:
        description: compute0
        config: "{{ switch_interface_config_compute }}"
 
+Support for Older Devices
+=========================
+
+Some network devices may use SSH key exchange algorithms that are no longer
+supported by the Ansible control host. This will cause ``ssh-keyscan`` to fail,
+preventing Kayobe from configuring the devices. To work around this, set
+``switch_skip_keyscan`` to ``true`` for the affected devices. The SSH known
+hosts file on the Ansible control host will need to be populated manually.
+
 .. _physical-network-device-specific:
 
 Device-specific Configuration Variables
diff --git a/releasenotes/notes/switch-skip-keyscan-23b1f5006f443323.yaml b/releasenotes/notes/switch-skip-keyscan-23b1f5006f443323.yaml
new file mode 100644
index 00000000..60a434bc
--- /dev/null
+++ b/releasenotes/notes/switch-skip-keyscan-23b1f5006f443323.yaml
@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Adds support for skipping SSH keyscan when configuring switches using
+    ``kayobe physical network configure`` using a ``switch_skip_keyscan``
+    variable.
-- 
GitLab