Add a role to remove an ssh private key

A role was added to add a private key. This role is a companion that will remove the private key, as an extra precaution around the secret. There is a non-zero chance the nodepool resource will not get properly cleaned up, so we want to ensure that we do our best to clean out the secrets. Change-Id: Ib365b2d9304d7ccdc03df97b1d2ad924d6e8513b
2017-08-28 10:09:48 -07:00 · 2017-08-28 10:09:48 -07:00 · 01e843d990
parent b214e276ec
commit 01e843d990
2 changed files with 25 additions and 0 deletions
--- a/roles/remove-sshkey/README.rst
+++ b/roles/remove-sshkey/README.rst
@ -0,0 +1,16 @@
+Remove an added ssh key from the host.
+
+**Role Variables**
+
+.. zuul:rolevar:: ssh_key
+
+  Complex argument which contains the ssh key information. It is
+  expected that this argument comes from a `Secret`.
+
+  .. zuul:rolevar:: ssh_known_hosts
+
+    String containing known host signature for the remote host.
+
+  .. zuul:rolevar:: fqdn
+
+    The FQDN of the remote host.
--- a/roles/remove-sshkey/tasks/main.yaml
+++ b/roles/remove-sshkey/tasks/main.yaml
@ -0,0 +1,9 @@
+- name: Remove ssh key
+  command: "shred ~/.ssh/id_rsa"
+
+- name: remove host key information from known hosts
+  known_hosts:
+    name: "{{ ssh_key.fqdn }}"
+    key: "{{ ssh_key.ssh_known_hosts }}"
+    state: absent
+  when: ssh_key.ssh_known_hosts is defined and ssh_key.fqdn is defined