Properly setup of jenkins keys

Stop using ssh_authorized_key with a fixed name, and move key generation to a template. It will accept an ssh_key parameter, that can accept either an array or a single string. And it will populate these keys on the .ssh/authorized_keys properly. Doing that we allow to rotate keys properly, and avoid some of the races that could be originated using a single key using the ssh_authorized_key way. Change-Id: I572b7a18186329c4277a3f460fc05e6eb30c63b7
2015-08-20 17:36:29 +02:00 · 2015-08-20 17:36:29 +02:00 · a22f8d8500
parent 74bf1d94fa
commit a22f8d8500
2 changed files with 17 additions and 9 deletions
--- a/manifests/jenkinsuser.pp
+++ b/manifests/jenkinsuser.pp
@ -55,17 +55,15 @@ class jenkins::jenkinsuser(
    require => File['/home/jenkins'],
  }

-  ssh_authorized_key { 'jenkins-master-2014-04-24':
-    ensure  => present,
-    user    => 'jenkins',
-    type    => 'ssh-rsa',
-    key     => $ssh_key,
+  # cleanup old content in directory
+  file { '/home/jenkins/.ssh/authorized_keys':
+    ensure  => 'file',
+    owner   => 'jenkins',
+    group   => 'jenkins',
+    mode    => '0600',
+    content => template('jenkins/authorized_keys.erb'),
    require => File['/home/jenkins/.ssh'],
  }
-  ssh_authorized_key { '/home/jenkins/.ssh/authorized_keys':
-    ensure => absent,
-    user   => 'jenkins',
-  }

  #NOTE: not all distributions have default bash files in /etc/skel
  if ($::osfamily == 'Debian') {
--- a/templates/authorized_keys.erb
+++ b/templates/authorized_keys.erb
@ -0,0 +1,10 @@
+# HEADER: This file has been autogenerated by puppet.
+# HEADER: While it can still be managed manually, it
+# HEADER: is definitely not recommended.
+<% if @ssh_key.is_a? Array -%>
+<% @ssh_key.each do |key| -%>
+ssh-rsa <%= key %>
+<% end -%>
+<% else %>
+ssh-rsa <%= @ssh_key %>
+<% end -%>