doc/researchAnsible: added section for creating ssh keypairs

Signed-off-by: Marc Mattmüller <marc.mattmueller@netmodule.com>

doc/src/nextlevel-ci/researchAnsible.rst

@@ -652,7 +652,7 @@ The same way as we added our getting started template we add a new template:
     -  Select  ``Run`` as Job Type
     -  Select  ``Production`` as Inventory
     -  Select  ``NWL CI`` as Project
-    -  Select  ``playbooks/getting_started/basic-pkg-instatllation.yml`` as Playbook
+    -  Select  ``playbooks/getting_started/basic-pkg-installation.yml`` as Playbook
     -  Select  ``Machine Access Priviledged`` as Credentials
     -  Press Save
 
@@ -665,6 +665,172 @@ The same way as we added our getting started template we add a new template:
 
 
 
+Job to Create SSH keypair as Git Server Credentials
+***************************************************
+Each host shall have its own credentials from a security point of view. Thus, we need to cover sensitive data like the
+passphrases of the SSH keys. Therefore the next subsection shows the mechanism for the preparation according the first
+SSH keypair we create.
+
+The playbook is reflected in the git repository with name ``create-ssh-key.yml``.
+
+Sensitive Data, Passphrases using the Vault
+===========================================
+Ansible comes with an encrypting mechanism which we use. Let's start by encrypting the first SSH passphrase:
+
+.. code-block:: bash
+
+    echo -n 'vmSSHpassphrase!' | ansible-vault encrypt_string --ask-vault-pass
+    New Vault password:
+    Confirm New Vault password:
+    Reading plaintext input from stdin. (ctrl-d to end input, twice if your content does not already have a newline)
+
+    Encryption successful
+    !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          61323235356163363166663139613464303262333231656236313335313133373330316431333139
+          3135643639363966653938663666653831393132633765340a306665393864343466376637386661
+          39353535616366393631333161613065356666626266396138633866346462316365663339613263
+          6564643935326565630a386266376230613230336564363066373730363239303763663666363462
+          35353634626464656436633165316336323839616463333064633363306337353534
+
+.. note::
+    The command above asks for a *Vault Password* and not for the SSH passphrase (we entered it in plain text and pipe
+    it in the ansible-vault command). Thus, we need to add this *Vault Password* into AWX as new credential. See below
+    about how to add this vault password to the AWX instance.
+
+Now we have the encrypted passphrase we add into our playbook as variable, like in this example:
+
+.. code-block:: bash
+
+    - name: Create SSH Keypair
+      hosts: linux
+      gather_facts: false
+      vars:
+        ssh_passphrase: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          61323235356163363166663139613464303262333231656236313335313133373330316431333139
+          3135643639363966653938663666653831393132633765340a306665393864343466376637386661
+          39353535616366393631333161613065356666626266396138633866346462316365663339613263
+          6564643935326565630a386266376230613230336564363066373730363239303763663666363462
+          35353634626464656436633165316336323839616463333064633363306337353534
+      tasks:
+        - name: Generate ssh keypair on host
+          ansible.builtin.shell: |
+            ssh-keygen -t ed25519 -f "{{host_name}}_ed25519" -N "{{ssh_passphrase}}" -C "{{host_name}}@testenv"
+          args:
+            chdir: ~/.ssh
+            executable: /bin/bash
+          no_log: True
+
+.. note:: Please note that we set gather_facts to false and include **no_log: True** to the task to keep it secure.
+
+Without adding the vault password to AWX (and potentially without the line *no_log: True*) we would get this error:
+
+*  ``{"msg": "Attempting to decrypt but no vault secrets found"}``
+
+
+Hence, we add now this vault password in our AWX instance:
+
+*  Select the menu *Resources* >> *Credentials* and click *Add*:
+
+    -  Enter a name, e.g. *Vault Password*
+    -  Enter a description, e.g. *General vault password for decryption of sensitive data*
+    -  Select ``Vault`` as Credential Type
+    -  Enter the Vault Password
+    -  Enter a Vault Identifier, e.g. nwl-vault
+
+    |awxSshPassphrase|
+
+
+Adding the Job Template
+=======================
+In the previous subsection we prepared the environment for handling sensitive data. Now we add the job template for the
+playbook ``create-ssh-key.yml``:
+
+*  Select the menu *Resources* >> *Templates* and click *Add*:
+
+    -  Enter a name, e.g. *Create SSH keypair*
+    -  Enter a description, e.g. *Create host specific SSH keypair*
+    -  Select  ``Run`` as Job Type
+    -  Select ``Testenv`` as Organization
+    -  Select  ``Production`` as Inventory
+    -  Select  ``NWL CI`` as Project
+    -  Select  ``playbooks/getting_started/create-ssh-key.yml`` as Playbook
+    -  Select the following:
+
+        +  Switch the drop-down of *Selected Category* to Machine and then check ``Machine Access``
+        +  Switch the drop-down of *Selected Category* to Vault and then check ``Vault Password | nwl-vault``
+
+    -  Press Save
+
+*  Press Launch
+
+
+Adding the public SSH key to the Git Server
+===========================================
+It would be possible to add the public ssh key of the previously generated keypair to a user of Bitbucket using
+Bitbuckets restAPI as follows:
+
+.. code-block:: bash
+
+    curl --user <user>:<password> -H "Content-Type: application/json" --data @input.json -X POST /rest/ssh/1.0/keys?user=username
+
+    # where payload is:
+    # { "text": "ssh-ed... AAAAB3... host@testenv" }
+
+For the moment there are some points to not doing this with ansible:
+
+*  missing lack of permissions to properly set it up on Bitbucket
+*  unclear situation concerning
+
+    -  CI --> where is this topic going? Integrating all into the environment of the guardians, a mix of it or something
+       new?
+    -  what kind of CI user is available on Bitbucket
+
+Thus I added the public key manually to my user for further tests.
+
+
+
+
+
+Local Setup of Marc (look-ups)
+##############################
+Network with VM and my personal Gateway
+***************************************
+My gateway changes the address range from time to time. But for my getting started work I want a setup with static IPs.
+Thus, I created a bridge over a virtual interface:
+
+.. code-block:: bash
+
+    sudo modprobe dummy
+    sudo ip link add vmeth0 type dummy
+    ip link show vmeth0
+
+    sudo ip link set dev vmeth0 address 4a:f5:ba:c6:26:ff
+    sudo ip addr add 192.168.249.1/24 brd + dev vmeth0 label vmeth0:0
+    sudo ip link set vmeth0 up
+
+    sudo ip link add br-vm0 type bridge
+    sudo ip link show type bridge
+    sudo ip link set vmeth0 master br-vm0
+    sudo ip address add dev br-vm0 192.168.40.1/24
+    ip addr show br-vm0
+    sudo ip link set br-vm0 up
+    sudo ip route add 192.168.249.1 via 192.168.249.51 dev vmeth0
+
+    # within the VM setting use network interface adapter bridge vmeth0
+    # boot the VM
+
+    # cleaning keep in minds:
+    sudo ip addr del 192.168.249.1/24 brd + dev vmeth0 label vmeth0:0
+    sudo ip link delete vmeth0 type dummy
+    sudo rmmod dummy
+
+    sudo ip link set br-vm0 down
+    sudo ip link delete br-vm0 type bridge
+
+
+
 section
 ########
 subsection
@@ -676,9 +842,12 @@ subtitle
 subsubtitle
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
+
 .. |awxCredentials|      image:: ./media/awx-credentials.png
                            :width: 700px
 .. |awxGitCredentials|   image:: ./media/awx-git-credentials.png
                            :width: 700px
 .. |awxProjects|         image:: ./media/awx-projects.png
                            :width: 700px
+.. |awxSshPassphrase|    image:: ./media/awx-sshPassphrase.png
+                           :width: 700px