From a22f8d850073c30ffeed87be29d827b4190812c2 Mon Sep 17 00:00:00 2001
From: Yolanda Robla
Date: Thu, 20 Aug 2015 17:36:29 +0200
Subject: [PATCH] Properly setup of jenkins keys

Stop using ssh_authorized_key with a fixed name, and move key generation to a template. It will accept an ssh_key parameter, that can accept either an array or a single string. And it will populate these keys on the .ssh/authorized_keys properly. Doing that we allow to rotate keys properly, and avoid some of the races that could be originated using a single key using the ssh_authorized_key way.

Change-Id: I572b7a18186329c4277a3f460fc05e6eb30c63b7
---
 manifests/jenkinsuser.pp | 16 +++++++---------
 templates/authorized_keys.erb | 10 ++++++++++
 2 files changed, 17 insertions(+), 9 deletions(-)
 create mode 100644 templates/authorized_keys.erb
diff --git a/manifests/jenkinsuser.pp b/manifests/jenkinsuser.pp
index ddc3020..746bd0e 100644
--- a/manifests/jenkinsuser.pp
+++ b/manifests/jenkinsuser.pp
@@ -55,17 +55,15 @@ class jenkins::jenkinsuser(
 require => File['/home/jenkins'],
 }
- ssh_authorized_key { 'jenkins-master-2014-04-24':
- ensure => present,
- user => 'jenkins',
- type => 'ssh-rsa',
- key => $ssh_key,
+ # cleanup old content in directory
+ file { '/home/jenkins/.ssh/authorized_keys':
+ ensure => 'file',
+ owner => 'jenkins',
+ group => 'jenkins',
+ mode => '0600',
+ content => template('jenkins/authorized_keys.erb'),
 require => File['/home/jenkins/.ssh'],
 }
- ssh_authorized_key { '/home/jenkins/.ssh/authorized_keys':
- ensure => absent,
- user => 'jenkins',
- }
 #NOTE: not all distributions have default bash files in /etc/skel
 if ($::osfamily == 'Debian') {
diff --git a/templates/authorized_keys.erb b/templates/authorized_keys.erb
new file mode 100644
index 0000000..8542cb7
--- /dev/null
+++ b/templates/authorized_keys.erb
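Review bot: The comment `# cleanup old content in directory` in manifests/jenkinsuser.pp does not describe the resource under it, which manages a single file and makes `$ssh_key` the complete contents of /home/jenkins/.ssh/authorized_keys. Any key that was added by hand or by another resource is dropped on the next run, which is a sound property for an access-control file but should be stated where a maintainer will see it. I would replace the comment with `# authorized_keys is rendered entirely from $ssh_key; entries not listed there are removed on the next run`. The class body starts and ends outside this hunk, so whether `$ssh_key` has a default or is validated is not visible here.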
@@ -0,0 +1,10 @@
+# HEADER: This file has been autogenerated by puppet.
+# HEADER: While it can still be managed manually, it
+# HEADER: is definitely not recommended.
+<% if @ssh_key.is_a? Array -%>
+<% @ssh_key.each do |key| -%>
+ssh-rsa <%= key %>
+<% end -%>
+<% else %>
+ssh-rsa <%= @ssh_key %>
+<% end -%>
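Review bot: Each value of `@ssh_key` is written verbatim after a hard-coded `ssh-rsa` prefix, so an empty or undef parameter renders a bare `ssh-rsa ` line and a value with an embedded newline becomes additional authorized_keys entries, with nothing failing the run. Because this file is now the only source of the jenkins user's keys, I would normalise and check the input at the top of the template: `<% keys = [@ssh_key].flatten.compact.map { |k| k.to_s.strip } -%>`, then raise unless `keys` is non-empty and every entry matches `/\A\S+( [^\r\n]*)?\z/`, and loop over `keys` so the Array and String branches collapse into one. The fixed `ssh-rsa` type also means a non-RSA key cannot be rotated in through this parameter; if that matters, the type would need to be part of each entry. Separately, `<% else %>` lacks the `-%>` trim used on the other tags and emits a blank line, which sshd ignores but is inconsistent with the rest of the template.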