zuul-jobs/roles/add-authorized-keys/README.rst
mhuin 77a07ffca1 role: Inject public keys in case of failure
Add a role that injects given public keys on a build's node set
if the build fails. This is intended to be used with zuul's
`autohold` command so that privileged users can SSH into the node set
without having to use Zuul's ansible user's private key.

Change-Id: I963e82f32a99cacea663792049cb39453e776ece
2018-02-28 10:39:07 +00:00

Install SSH public key(s) on all hosts

This role is intended to be run at the end of a failed job whose build node set will be held with Zuul's autohold command.

It copies the public key(s) into the authorized_keys file of every host in the inventory, allowing privileged users to access the node set for debugging or post-mortem analysis.

Add this stanza at the end of your project's base post playbook to activate this functionality:

- hosts: all
  roles:
    - role: add-authorized-keys
      public_keys:
        - public_key: ssh-rsa AAAAB... venkman@parapsy.columbia.edu
        - public_key: ssh-rsa AAAAB... spengler@parapsy.columbia.edu
      when: not zuul_success | bool

Caution

Including this role earlier in any playbook may allow the keys' owners to tamper with the execution of the jobs. Doing so is strongly discouraged.

Role Variables

public_keys
   A list of keys to inject.

   public_key
      A public key to inject into authorized_keys, or a URL to a public key.
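
A lint for the public_keys list that can run before a change to the base post playbook is merged, as an added example that is not part of this role or of zuul-jobs: it checks that each public_key value is either one well-formed public key line or an HTTPS URL. The function names, the accepted key types, the HTTPS-only rule and the egon@example.org key built from zero bytes are assumptions made for this example.

```python
import base64
import struct
from urllib.parse import urlparse

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def check_public_key_entry(value):
    """Return the problems found in one public_key value (empty list = OK)."""
    value = value.strip()
    if "PRIVATE KEY" in value:
        return ["private key material, not a public key"]
    if "\n" in value:
        return ["more than one line; use one key per entry"]
    if value.startswith(("http://", "https://")):
        url = urlparse(value)
        if url.scheme != "https" or not url.hostname:
            return ["key URL must be https:// with a host"]
        return []
    fields = value.split()
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        # Also rejects authorized_keys options placed before the key type.
        return ["expected '<key type> <base64> [comment]'"]
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return ["key data is not valid base64"]
    # In the SSH wire format the blob opens with a length-prefixed key type.
    name = fields[0].encode()
    if not blob.startswith(struct.pack(">I", len(name)) + name):
        return ["key type inside the blob differs from the declared type"]
    return []


def lint_public_keys(public_keys):
    """Map list index -> problems for a role-style public_keys list."""
    report = {}
    for index, item in enumerate(public_keys):
        problems = check_public_key_entry(item.get("public_key", ""))
        if problems:
            report[index] = problems
    return report


def constructed_key(key_type="ssh-ed25519"):
    """Build a well-formed key line from zero bytes (constructed, not a real key)."""
    name = key_type.encode()
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes(32)
    return "%s %s egon@example.org" % (key_type, base64.b64encode(blob).decode())
```

An empty result from lint_public_keys means every entry passed. The elided keys in the stanza above (`ssh-rsa AAAAB...`) are reported as invalid base64, so a copy-pasted placeholder is caught as well.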