Add roles for per-build SSH keys

These roles can be used in trusted pre/post playbooks to ensure that untrusted playbooks never get access to the private SSH key that is shared between nodes. Change-Id: I2482da835bcec68bb09b9a73cb45d2f0bc86feb3
2017-05-16 09:03:37 -07:00 · 2017-05-16 09:03:37 -07:00 · d002b51c17
commit d002b51c17
parent 17787569ca
4 changed files with 35 additions and 0 deletions
--- a/roles/add-build-sshkey/tasks/create-key-and-replace.yaml
+++ b/roles/add-build-sshkey/tasks/create-key-and-replace.yaml
@ -0,0 +1,20 @@
 - name: Create Temp SSH key
  command: ssh-keygen -t rsa -b 1024 -N '' -f {{ zuul_temp_ssh_key }}
  delegate_to: localhost
 - name: Distribute it to all nodes
  authorized_key:
    user: "{{ ansible_ssh_user }}"
    state: present
    key: "{{ lookup('file', zuul_temp_ssh_key + '.pub') }}"
 - name: Remove all keys from local agent
  command: ssh-add -d
  delegate_to: localhost
 - name: Add back temp key
  command: ssh-add {{ zuul_temp_ssh_key }}
  delegate_to: localhost
 - name: Verify we can still SSH to all nodes
  ping:
--- a/roles/add-build-sshkey/tasks/main.yaml
+++ b/roles/add-build-sshkey/tasks/main.yaml
@ -0,0 +1,9 @@
 - name: Check to see if ssh key was already created for this build
  stat: "{{ zuul_temp_ssh_key }}"
  register: zuul_temp_ssh_key_stat
  delegate_to: localhost
  failed_when: false
 - name: Create a new key in workspace based on build UUID
  include: create-key-and-replace.yaml
  when: zuul_temp_ssh_key_stat is defined
--- a/roles/add-build-sshkey/vars/main.yml
+++ b/roles/add-build-sshkey/vars/main.yml
@ -0,0 +1 @@
 zuul_temp_ssh_key: "{{ zuul.uuid }}_id_rsa"
--- a/roles/remove-build-sshkey/tasks/main.yml
+++ b/roles/remove-build-sshkey/tasks/main.yml
@ -0,0 +1,5 @@
 - name: Remove the build SSH key from all nodes
  authorized_key:
    user: "{{ ansible_ssh_user }}"
    key: "{{ lookup('file', zuul_temp_ssh_key + '.pub') }}"
    state: absent