From 01e843d99084c069d6afbfa49a6337f788a28103 Mon Sep 17 00:00:00 2001
From: Jesse Keating <omgjlk@us.ibm.com>
Date: Mon, 28 Aug 2017 10:09:48 -0700
Subject: [PATCH] Add a role to remove an ssh private key

A role was added to add a private key. This role is a companion that
will remove the private key, as an extra precaution around the secret.
There is a non-zero chance the nodepool resource will not get properly
cleaned up, so we want to ensure that we do our best to clean out the
secrets.

Change-Id: Ib365b2d9304d7ccdc03df97b1d2ad924d6e8513b
---
 roles/remove-sshkey/README.rst      | 16 ++++++++++++++++
 roles/remove-sshkey/tasks/main.yaml |  9 +++++++++
 2 files changed, 25 insertions(+)
 create mode 100644 roles/remove-sshkey/README.rst
 create mode 100644 roles/remove-sshkey/tasks/main.yaml

diff --git a/roles/remove-sshkey/README.rst b/roles/remove-sshkey/README.rst
new file mode 100644
index 000000000..c6d7418a3
--- /dev/null
+++ b/roles/remove-sshkey/README.rst
@@ -0,0 +1,16 @@
+Remove an added ssh key from the host.
+
+**Role Variables**
+
+.. zuul:rolevar:: ssh_key
+
+  Complex argument which contains the ssh key information. It is
+  expected that this argument comes from a `Secret`.
+
+  .. zuul:rolevar:: ssh_known_hosts
+
+    String containing known host signature for the remote host.
+
+  .. zuul:rolevar:: fqdn
+
+    The FQDN of the remote host.
diff --git a/roles/remove-sshkey/tasks/main.yaml b/roles/remove-sshkey/tasks/main.yaml
new file mode 100644
index 000000000..4c3f08124
--- /dev/null
+++ b/roles/remove-sshkey/tasks/main.yaml
@@ -0,0 +1,9 @@
+- name: Remove ssh key
+  command: "shred ~/.ssh/id_rsa"
+
+- name: remove host key information from known hosts
+  known_hosts:
+    name: "{{ ssh_key.fqdn }}"
+    key: "{{ ssh_key.ssh_known_hosts }}"
+    state: absent
+  when: ssh_key.ssh_known_hosts is defined and ssh_key.fqdn is defined
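Review bot: The `shred` invocation in the first task overwrites `~/.ssh/id_rsa` but leaves the (now garbage-filled) file in place, since `shred` only unlinks with `-u`; the private key material is gone, but the file the companion add role created still exists, and the task also fails outright if the file is absent because there is no guard on it. I would change the task to `command: "shred -u ~/.ssh/id_rsa"` with `args:` / `removes: ~/.ssh/id_rsa`, so the key is overwritten and unlinked, and the step is skipped rather than erroring when nothing was written. The path is hard-coded here while the README documents `ssh_key` as the source of truth; if the add role derives the path from the variable, this role should use the same expression so the two stay in sync. A short comment above the task would also help: `# shred overwrites in place; on journaling or copy-on-write filesystems the old blocks may survive, so treat this as best-effort cleanup.` Minor style: the two task names use different capitalisation (`Remove ssh key` vs `remove host key ...`), and the file has no leading `---`.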