From 1e0af6779bc207d899dfc41d67a9f9a6229fc620 Mon Sep 17 00:00:00 2001 From: Tristan de Cacqueray Date: Fri, 6 Sep 2019 14:32:40 +0000 Subject: [PATCH] Add remove-zuul-sshkey This change enables a kubectl connection job to just remove the zuul sshkey, without using the add-build-sshkey role which doesn't work on pod. To do that, this change moves the sshagent_remove_key task to a new role and makes add-build-sshkey use the new role. Change-Id: I5e7288592cad303df919220259f5a360bf522f64
---
 doc/source/general-roles.rst | 1 + roles/add-build-sshkey/tasks/create-key-and-replace.yaml | 9 ++------- roles/remove-zuul-sshkey/README.rst | 4 ++++ .../{add-build-sshkey => remove-zuul-sshkey}/__init__.py | 0 .../library/__init__.py | 0 .../library/sshagent_remove_keys.py | 0 .../library/test_sshagent_remove_keys.py | 0 roles/remove-zuul-sshkey/tasks/main.yaml | 8 ++++++++ 8 files changed, 15 insertions(+), 7 deletions(-) create mode 100644 roles/remove-zuul-sshkey/README.rst rename roles/{add-build-sshkey => remove-zuul-sshkey}/__init__.py (100%) rename roles/{add-build-sshkey => remove-zuul-sshkey}/library/__init__.py (100%) rename roles/{add-build-sshkey => remove-zuul-sshkey}/library/sshagent_remove_keys.py (100%) rename roles/{add-build-sshkey => remove-zuul-sshkey}/library/test_sshagent_remove_keys.py (100%) create mode 100644 roles/remove-zuul-sshkey/tasks/main.yaml
diff --git a/doc/source/general-roles.rst b/doc/source/general-roles.rst
index e8153efbc..248e3531b 100644
--- a/doc/source/general-roles.rst
+++ b/doc/source/general-roles.rst
@@ -35,6 +35,7 @@ General Purpose Roles
 .. zuul:autorole:: remove-gpgkey
 .. zuul:autorole:: remove-sshkey
 .. zuul:autorole:: render-diff
+.. zuul:autorole:: remove-zuul-sshkey
 .. zuul:autorole:: revoke-sudo
 .. zuul:autorole:: run-dstat
 .. zuul:autorole:: sign-artifacts
diff --git a/roles/add-build-sshkey/tasks/create-key-and-replace.yaml b/roles/add-build-sshkey/tasks/create-key-and-replace.yaml
index d4d6db66c..a34d33b05 100644
--- a/roles/add-build-sshkey/tasks/create-key-and-replace.yaml
+++ b/roles/add-build-sshkey/tasks/create-key-and-replace.yaml
@@ -11,13 +11,8 @@
 include: remote-windows.yaml
 when: ansible_os_family == "Windows"
-- name: Remove master key from local agent
- # The master key has a filename, all others (e.g., per-project keys)
- # have "(stdin)" as a comment.
- sshagent_remove_keys:
- remove: '^(?!\(stdin\)).*'
- delegate_to: localhost
- run_once: true
+- import_role:
+ name: remove-zuul-sshkey
 - name: Add back temp key
 command: ssh-add {{ zuul_temp_ssh_key }}
diff --git a/roles/remove-zuul-sshkey/README.rst b/roles/remove-zuul-sshkey/README.rst
new file mode 100644
index 000000000..2c2d3d241
--- /dev/null
+++ b/roles/remove-zuul-sshkey/README.rst
@@ -0,0 +1,4 @@
+Remove the zuul ssh key
+
+This role is intended to be run on the Zuul Executor at the start of
+every job to prevent access to public Zuul ssh connection.
diff --git a/roles/add-build-sshkey/__init__.py b/roles/remove-zuul-sshkey/__init__.py
similarity index 100%
rename from roles/add-build-sshkey/__init__.py
rename to roles/remove-zuul-sshkey/__init__.py
diff --git a/roles/add-build-sshkey/library/__init__.py b/roles/remove-zuul-sshkey/library/__init__.py
similarity index 100%
rename from roles/add-build-sshkey/library/__init__.py
rename to roles/remove-zuul-sshkey/library/__init__.py
diff --git a/roles/add-build-sshkey/library/sshagent_remove_keys.py b/roles/remove-zuul-sshkey/library/sshagent_remove_keys.py
similarity index 100%
rename from roles/add-build-sshkey/library/sshagent_remove_keys.py
rename to roles/remove-zuul-sshkey/library/sshagent_remove_keys.py
diff --git a/roles/add-build-sshkey/library/test_sshagent_remove_keys.py b/roles/remove-zuul-sshkey/library/test_sshagent_remove_keys.py
similarity index 100%
rename from roles/add-build-sshkey/library/test_sshagent_remove_keys.py
rename to roles/remove-zuul-sshkey/library/test_sshagent_remove_keys.py
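Review bot: The new `- import_role:` task in create-key-and-replace.yaml has no `name:` and no comment, so the job log and the file no longer say that this step strips the executor's master key, or why it must come before "Add back temp key". I would write it as `- name: Remove master key from local agent` followed by `import_role:` / `name: remove-zuul-sshkey`, with a comment such as `# Must run before "Add back temp key": the role drops every agent key whose comment is not "(stdin)".` The `delegate_to: localhost` and `run_once: true` settings now live only in the role, so a later edit there silently changes this security step as well. The task file starts and ends outside the hunk.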
diff --git a/roles/remove-zuul-sshkey/tasks/main.yaml b/roles/remove-zuul-sshkey/tasks/main.yaml
new file mode 100644
index 000000000..e417f5830
--- /dev/null
+++ b/roles/remove-zuul-sshkey/tasks/main.yaml
@@ -0,0 +1,8 @@
+---
+- name: Remove master key from local agent
+ # The master key has a filename, all others (e.g., per-project keys)
+ # have "(stdin)" as a comment.
+ sshagent_remove_keys:
+ remove: '^(?!\(stdin\)).*'
+ delegate_to: localhost
+ run_once: true
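Review bot: The `remove:` pattern `'^(?!\(stdin\)).*'` in tasks/main.yaml matches every agent key whose comment does not start with "(stdin)", so as a standalone role it removes more than the single key its name and README describe, and it leaves every "(stdin)" key loaded. Inside add-build-sshkey this was covered by the "Add back temp key" task that follows, presumably because the temp key is removed by the same pattern, but a job calling the role on its own gets no such hint. I would extend the task comment with `# NOTE: removes every agent key whose comment is not "(stdin)", not only the Zuul master key.` and state in the README that per-project "(stdin)" keys remain in the executor's agent afterwards. The module is a 100% rename and not shown here, so whether an unreachable agent fails the task rather than reporting "ok" should be confirmed.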