Add roles for per-build SSH keys

These roles can be used in trusted pre/post playbooks to ensure that
untrusted playbooks never get access to the private SSH key that is
shared between nodes.

Change-Id: I2482da835bcec68bb09b9a73cb45d2f0bc86feb3
This commit is contained in:
Clint Byrum 2017-05-16 09:03:37 -07:00 committed by James E. Blair
parent 17787569ca
commit d002b51c17
4 changed files with 35 additions and 0 deletions


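--- /dev/null
+++ b/UNKNOWN-PATH-file-1
@@ -0,0 +1,20 @@
+- name: Create Temp SSH key
+command: ssh-keygen -t rsa -b 1024 -N '' -f {{ zuul_temp_ssh_key }}
+delegate_to: localhost
+- name: Distribute it to all nodes
+authorized_key:
+user: "{{ ansible_ssh_user }}"
+state: present
+key: "{{ lookup('file', zuul_temp_ssh_key + '.pub') }}"
+- name: Remove all keys from local agent
+command: ssh-add -d
+delegate_to: localhost
+- name: Add back temp key
+command: ssh-add {{ zuul_temp_ssh_key }}
+delegate_to: localhost
+- name: Verify we can still SSH to all nodes
+ping: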
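Review bot: `ssh-add -d` in the "Remove all keys from local agent" task does not remove all identities: with no file argument it only deletes the identities found in the default key files (`~/.ssh/id_rsa` and friends), so a shared key that was loaded from any other path stays in the agent and remains reachable from the untrusted playbook, which is exactly what the commit message says these roles prevent. The task name describes `ssh-add -D`; I would change the line to `command: ssh-add -D`. Separately, `ssh-keygen -t rsa -b 1024` produces a key below the minimum size current OpenSSH and guidance accept for RSA; `command: ssh-keygen -t ed25519 -N '' -f "{{ zuul_temp_ssh_key }}"` (or `-t rsa -b 4096`) is the defensible choice, and quoting the templated path keeps the command module from splitting it. Indentation is lost in the rendered page, so the task structure is inferred from the key order.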


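--- /dev/null
+++ b/UNKNOWN-PATH-file-2
@@ -0,0 +1,9 @@
+- name: Check to see if ssh key was already created for this build
+stat: "{{ zuul_temp_ssh_key }}"
+register: zuul_temp_ssh_key_stat
+delegate_to: localhost
+failed_when: false
+- name: Create a new key in workspace based on build UUID
+include: create-key-and-replace.yaml
+when: zuul_temp_ssh_key_stat is defined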
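Review bot: The condition `when: zuul_temp_ssh_key_stat is defined` on the include is always true, because `register` sets the variable whatever the stat task returned, so the "already created" check never short-circuits and the key is regenerated and redistributed on every run; the intended condition is `when: not zuul_temp_ssh_key_stat.stat.exists`. The `stat:` task also passes the path as a bare string instead of `path:`, which as far as I can tell `stat` rejects (it is not a free-form module), and `failed_when: false` would hide that error; I would write `stat:` / `path: "{{ zuul_temp_ssh_key }}"` and drop `failed_when: false`, since `stat` reports `exists: false` for a missing file without failing. With the corrected condition, a rerun that finds the key already present skips the agent replacement in create-key-and-replace.yaml as well, which may or may not be intended and is worth confirming with the author.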


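--- /dev/null
+++ b/UNKNOWN-PATH-file-3
@@ -0,0 +1 @@
+zuul_temp_ssh_key: "{{ zuul.uuid }}_id_rsa"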
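Review bot: `zuul_temp_ssh_key` is a bare relative path (no directory), so where `ssh-keygen -f` writes the key depends on the working directory of the localhost command, while `lookup('file', …)` in the other tasks resolves relative paths against the role and playbook directories rather than the process cwd, as I understand it — the two can disagree and the lookup would then fail or read a stale file. I would anchor the value to an absolute directory the playbook already provides, something like `zuul_temp_ssh_key: "{{ <workspace_dir> }}/{{ zuul.uuid }}_id_rsa"` (placeholder for whatever workspace variable is in scope), and use the same value in the removal role. A comment above the key noting that the private key is written unencrypted (`-N ''`) and is expected to be readable by this build's untrusted playbooks would make the trust boundary explicit for the next maintainer.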


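--- /dev/null
+++ b/UNKNOWN-PATH-file-4
@@ -0,0 +1,5 @@
+- name: Remove the build SSH key from all nodes
+authorized_key:
+user: "{{ ansible_ssh_user }}"
+key: "{{ lookup('file', zuul_temp_ssh_key + '.pub') }}"
+state: absent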
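Review bot: The removal role only revokes the public key from the nodes' `authorized_keys`; the private key created with `-N ''` stays on disk in the workspace and the identity added with `ssh-add` stays loaded in the local agent, so the per-build key outlives the build on the executor side. The tasks below, placed after the `authorized_key` task, remove the identity from the agent and delete both key files. The `lookup('file', …)` on the `key:` line also aborts the whole role if the `.pub` file is missing (for example when the pre role was skipped), so it may be worth guarding that task with a `stat` first. Indentation is lost in the rendered page, so the task shape is inferred.
```yaml
- name: Remove the build SSH key from all nodes
  # … unchanged: authorized_key state=absent …
- name: Remove the build SSH key from the local agent
  command: ssh-add -d {{ zuul_temp_ssh_key }}
  delegate_to: localhost
  # best-effort: the identity may already be gone
  failed_when: false
- name: Delete the build SSH key files
  file:
    path: "{{ item }}"
    state: absent
  delegate_to: localhost
  with_items:
    - "{{ zuul_temp_ssh_key }}"
    - "{{ zuul_temp_ssh_key }}.pub"
```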