This adds roles that, similar to add-build-sshkey, create a per-build WinRM certificate, install it on remote Windows nodes, and then switch to using the certificate in Ansible for authentication. A second role is included which can clean up the cert, which is useful for static nodes. Since WinRM certificates must be accessible within the bubblewrap container, these roles can be used to restrict the system-wide WinRM cert to trusted playbooks while untrusted playbooks will only have access to the per-build cert (with appropriate configuration of the executor). Change-Id: I4efe25594c2f543886a000aa02fb0a38683a43cb
Generate and install a build-local WinRM certificate on all Windows hosts
This role is intended to be run on the Zuul Executor at the start of every job. It generates a self-signed certificate and installs the certificate on every Windows host in the inventory.
It then updates the host vars for each such host so that later plays connect with the new certificate. The original certificate used to make the initial connection remains on disk on the executor, but once the build-local certificate is in place, later untrusted playbooks no longer need it to be provided, so the executor can be configured to expose only the per-build certificate to them.
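The executor-side steps described above, as an added example that is not the role's own code: generate a one-day self-signed client certificate whose subjectAltName carries the UPN that WinRM maps to a local account, emit the Ansible host vars that switch the connection to it, and render the PowerShell a role would push through `win_shell` to install the certificate and bind it to the account. File names, the `WINRM_ACCOUNT_PASSWORD` environment variable and the `user@localhost` UPN convention are assumptions; the PowerShell commands follow the pywinrm and Ansible certificate-authentication setup.

```bash
#!/usr/bin/env bash
# Added example, not code from the zuul-jobs role. Assumed: output file names
# cert.pem/cert.key, the <user>@localhost UPN convention, and the
# WINRM_ACCOUNT_PASSWORD variable that the Ansible task sets via environment:.
set -euo pipefail

# Generate a short-lived self-signed client certificate for account $1 in
# directory $2. WinRM maps a client certificate to a local account through the
# UPN in the subjectAltName (OID 1.3.6.1.4.1.311.20.2.3), so that extension
# is mandatory; without it the mapping created later never matches.
gen_winrm_client_cert() {
  local user="$1" outdir="$2"
  mkdir -p "$outdir"
  cat > "$outdir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $user
[v3_req]
extendedKeyUsage = clientAuth
subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:$user@localhost
EOF
  openssl req -x509 -nodes -days 1 -newkey rsa:2048 \
    -keyout "$outdir/cert.key" -out "$outdir/cert.pem" \
    -config "$outdir/openssl.cnf" -extensions v3_req >/dev/null 2>&1
  # The private key is the per-build credential; keep it owner-readable only.
  chmod 0600 "$outdir/cert.key"
}

# Emit the host vars that move a host from the system-wide credential to the
# per-build certificate. The variable names are Ansible's winrm connection
# plugin options; certificate auth requires the HTTPS WinRM listener.
winrm_cert_hostvars() {
  local certdir="$1"
  printf 'ansible_winrm_transport: certificate\n'
  printf 'ansible_winrm_cert_pem: %s/cert.pem\n' "$certdir"
  printf 'ansible_winrm_cert_key_pem: %s/cert.key\n' "$certdir"
}

# Render the PowerShell that installs the certificate on a Windows host and
# binds it to account $1. The password is read from an environment variable
# on the host (assumed to be set by the Ansible task), so it never appears
# on a command line or in the rendered script.
render_winrm_install_ps1() {
  local user="$1"
  sed "s/__USER__/$user/g" <<'EOF'
$ErrorActionPreference = 'Stop'
$pem = 'C:\Windows\Temp\build-winrm-cert.pem'
# A self-signed cert must be trusted both as an issuer (Root) and as a peer
# (TrustedPeople) before the WinRM service will accept it.
$cert = Import-Certificate -FilePath $pem -CertStoreLocation Cert:\LocalMachine\Root
Import-Certificate -FilePath $pem -CertStoreLocation Cert:\LocalMachine\TrustedPeople | Out-Null
Set-Item -Path WSMan:\localhost\Service\Auth\Certificate -Value $true
$secure = ConvertTo-SecureString -String $env:WINRM_ACCOUNT_PASSWORD -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('__USER__', $secure)
# Map (UPN, issuer thumbprint) to the account; -Force replaces a stale mapping.
New-Item -Path WSMan:\localhost\ClientCertificate -Subject '__USER__@localhost' `
  -URI * -Issuer $cert.Thumbprint -Credential $cred -Force | Out-Null
EOF
}

# Stand-alone usage: ./build-winrm-cert.sh <account> [outdir]
if [ -n "${1:-}" ]; then
  outdir="${2:-/tmp/build-winrm-cert}"
  gen_winrm_client_cert "$1" "$outdir"
  winrm_cert_hostvars "$outdir"
  render_winrm_install_ps1 "$1" > "$outdir/install-cert.ps1"
fi
```

The cleanup role for static nodes reverses the rendered script: remove the `WSMan:\localhost\ClientCertificate` mapping and delete the certificate from the Root and TrustedPeople stores by thumbprint, then drop the host vars. Because the certificate expires after a day, a node that misses cleanup still stops accepting the build credential on its own.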
Role Variables
A complex argument expected to be supplied from a Zuul secret. These are the Windows login credentials for the account to associate with the certificate, with two fields:
    The username of the account.
    The password of the account.