Add remove-zuul-sshkey

This change enables a kubectl connection job to just remove the
zuul sshkey, without using the add-build-sshkey role which doesn't
work on pod. To do that, this change moves the sshagent_remove_key
task to a new role and makes add-build-sshkey use the new role.

Change-Id: I5e7288592cad303df919220259f5a360bf522f64

doc/source/general-roles.rst

@@ -35,6 +35,7 @@ General Purpose Roles
 .. zuul:autorole:: remove-gpgkey
 .. zuul:autorole:: remove-sshkey
 .. zuul:autorole:: render-diff
+.. zuul:autorole:: remove-zuul-sshkey
 .. zuul:autorole:: revoke-sudo
 .. zuul:autorole:: run-dstat
 .. zuul:autorole:: sign-artifacts

roles/add-build-sshkey/tasks/create-key-and-replace.yaml

@@ -11,13 +11,8 @@
   include: remote-windows.yaml
   when: ansible_os_family == "Windows"
 
-- name: Remove master key from local agent
-  # The master key has a filename, all others (e.g., per-project keys)
-  # have "(stdin)" as a comment.
-  sshagent_remove_keys:
-    remove: '^(?!\(stdin\)).*'
-  delegate_to: localhost
-  run_once: true
+- import_role:
+    name: remove-zuul-sshkey
 
 - name: Add back temp key
   command: ssh-add {{ zuul_temp_ssh_key }}

roles/remove-zuul-sshkey/README.rst

@@ -0,0 +1,4 @@
+Remove the zuul ssh key
+
+This role is intended to be run on the Zuul Executor at the start of
+every job to prevent access to public Zuul ssh connection.

roles/remove-zuul-sshkey/tasks/main.yaml

@@ -0,0 +1,8 @@
+---
+- name: Remove master key from local agent
+  # The master key has a filename, all others (e.g., per-project keys)
+  # have "(stdin)" as a comment.
+  sshagent_remove_keys:
+    remove: '^(?!\(stdin\)).*'
+  delegate_to: localhost
+  run_once: true