From eccbf58b3fd7325f31f552d9376be1fe06ef44fa Mon Sep 17 00:00:00 2001
From: Pavel Raiskup
Date: Tue, 21 Nov 2023 15:16:25 +0100
Subject: [PATCH] aws_copr: copr-be fix for #11006

We run the playbook first against the `copr-be-temp.aws..` inventory_hostname, and then once more against `copr-be.aws..`. We need to re-sign the pub keys for the later run. https://pagure.io/fedora-infrastructure/issue/11006
---
 tasks/aws_cloud.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/tasks/aws_cloud.yml b/tasks/aws_cloud.yml
index 9d0866a184..09b720da25 100644
--- a/tasks/aws_cloud.yml
+++ b/tasks/aws_cloud.yml
@@ -46,6 +46,25 @@
 - "{{ hostkey.results }}"
 when: birthday is defined

+- name: find old signatures done against the other hostname
+ find:
+ paths: /etc/ssh
+ file_type: file
+ patterns: "ssh_host_*_key-cert.pub"
+ register: found_ssh_certs
+ when:
+ - birthday is defined
+ - additional_known_hosts_cleanup is defined
+ - additional_known_hosts_cleanup[inventory_hostname] is defined
+
+- name: remove old signed certificates
+ file:
+ path: "{{ item.path }}"
+ state: absent
+ loop: "{{ found_ssh_certs.files }}"
+ when:
+ - found_ssh_certs is success
+
 # from https://github.com/praiskup/ansible-role-fix-root-ssh
 - name: allow root ssh connections
 lineinfile:
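Review bot: In the `remove old signed certificates` task, `when: found_ssh_certs is success` does not guard against the preceding `find` task having been skipped. A skipped result is not failed, so the `success` test passes, but the registered variable then has no `files` key and the `loop` expression is undefined. On hosts where `birthday` or `additional_known_hosts_cleanup[inventory_hostname]` is not defined this likely makes the task fail instead of skipping. Suggest `when: found_ssh_certs is not skipped` together with `loop: "{{ found_ssh_certs.files | default([]) }}"`. Since these tasks delete the host certificates, a short comment naming the task that re-signs them (not visible in this hunk) would help a reader confirm the host is never left without a valid certificate.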