
Decrypt project ssh keys in executors

So that we don't store unencrypted ssh private keys in ZK, don't
transmit them in the build request; instead provide info on the
location so the executors can fetch and decrypt them directly.

Change-Id: Ic14848259d5b5b25b29931d85ec373d4435af9b9
changes/96/790196/1
James E. Blair 2 months ago
parent
commit
77bde6f765
3 changed files with 11 additions and 7 deletions
  1. +1
    -1
      tests/unit/test_web.py
  2. +4
    -5
      zuul/executor/common.py
  3. +6
    -1
      zuul/executor/server.py

+ 1
- 1
tests/unit/test_web.py

@ -1122,7 +1122,7 @@ class TestWebSecrets(BaseTestWeb):
"project1-secret").json()
self.assertEqual(
{'secret_name': 'REDACTED'}, resp['playbooks'][0]['secrets'])
self.assertEqual('REDACTED', resp['ssh_keys'][0]['key'])
self.assertEqual('REDACTED', resp['ssh_keys'][0])
class TestInfo(ZuulDBTestCase, BaseTestWeb):
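Review bot: The updated assertion pins only the redacted shape; nothing in this change asserts the property the commit exists for, namely that an unredacted `ssh_keys` entry carries only `connection_name`/`project_name` and no `key` field. A test of construct_gearman_params with redact_secrets_and_keys=False asserting `self.assertNotIn('key', params['ssh_keys'][0])` would catch a regression that reintroduces key material into the build request. The TestWebSecrets method this line belongs to starts outside the hunk.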


+ 4
- 5
zuul/executor/common.py

@ -134,12 +134,11 @@ def construct_gearman_params(uuid, sched, nodeset, job, item, pipeline,
params['ssh_keys'] = []
if pipeline.post_review:
if redact_secrets_and_keys:
ssh_key = "REDACTED"
params['ssh_keys'].append("REDACTED")
else:
ssh_key = item.change.project.private_ssh_key
params['ssh_keys'].append(dict(
name='%s project key' % item.change.project.canonical_name,
key=ssh_key))
params['ssh_keys'].append(dict(
connection_name=item.change.project.connection_name,
project_name=item.change.project.name))
params['vars'] = job.combined_variables
params['extra_vars'] = job.extra_variables
params['host_vars'] = job.host_variables
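Review bot: The redacted branch now appends the bare string "REDACTED" while the other branch appends a dict, so the element type of `params['ssh_keys']` depends on the redaction flag; a consumer that indexes `key['connection_name']` (the executor loop in server.py does) would raise on a redacted entry, presumably never reached with redacted params, but worth confirming. Since the new entry holds only a keystore lookup reference and no key material, consider whether redaction is still needed here, or redact field-wise so the shape stays stable. A comment above the append would record the invariant: `# Only a keystore reference is sent; the executor fetches and decrypts the project key itself, so no private key material transits ZK or the build request.` construct_gearman_params continues outside the hunk.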


+ 6
- 1
zuul/executor/server.py

@ -951,7 +951,12 @@ class AnsibleJob(object):
self.ssh_agent.start()
self.ssh_agent.add(self.private_key_file)
for key in self.arguments.get('ssh_keys', []):
self.ssh_agent.addData(key['name'], key['key'])
private_ssh_key, public_ssh_key = \
self.executor_server.keystore.getProjectSSHKeys(
key['connection_name'],
key['project_name'])
name = '%s project key' % (key['project_name'])
self.ssh_agent.addData(name, private_ssh_key)
self.jobdir = JobDir(self.executor_server.jobdir_root,
self.executor_server.keep_jobdir,
str(self.job.unique))
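Review bot: The executor now loads whatever project key the job arguments name, so the decision that a job may use that key rests entirely on the scheduler side (the `pipeline.post_review` gate in common.py); that trust boundary deserves a comment at the keystore call, e.g. `# Trusts the scheduler to have authorized this job for the named project (post_review pipelines only); only a reference arrives here, never key material.` `public_ssh_key` is unused and could be bound to `_`. If getProjectSSHKeys raises for a project with no stored key, the failure now occurs during agent setup rather than at request construction, which is presumably acceptable but worth confirming it surfaces as a job error. The enclosing AnsibleJob method starts and ends outside the hunk.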

