Decrypt project ssh keys in executors
So that we don't store unencrypted ssh private keys in ZK, don't transmit them in the build request; instead provide info on the location so the executors can fetch and decrypt them directly. Change-Id: Ic14848259d5b5b25b29931d85ec373d4435af9b9
This commit is contained in:
parent
fbb17e1f35
commit
77bde6f765
@ -1122,7 +1122,7 @@ class TestWebSecrets(BaseTestWeb):
"project1-secret").json()
self.assertEqual(
{'secret_name': 'REDACTED'}, resp['playbooks'][0]['secrets'])
self.assertEqual('REDACTED', resp['ssh_keys'][0]['key'])
self.assertEqual('REDACTED', resp['ssh_keys'][0])
class TestInfo(ZuulDBTestCase, BaseTestWeb):
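Review bot: The updated assertion only pins the redacted form of `resp['ssh_keys'][0]`; nothing in the hunk checks that the unredacted build parameters now carry only `connection_name`/`project_name` and no key material, which is the property this commit exists to provide. A check against the unredacted params such as `self.assertNotIn('key', params['ssh_keys'][0])`, or asserting the exact `{'connection_name': ..., 'project_name': ...}` dict, would catch a regression that puts the private key back into the request; if such a test exists elsewhere in the file it is outside this hunk. Note also that the redacted placeholder is now a plain string where the old assertion expected a dict with a `key` field, a shape change for any consumer of the web endpoint.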
@ -134,12 +134,11 @@ def construct_gearman_params(uuid, sched, nodeset, job, item, pipeline,
params['ssh_keys'] = []
if pipeline.post_review:
if redact_secrets_and_keys:
ssh_key = "REDACTED"
params['ssh_keys'].append("REDACTED")
else:
ssh_key = item.change.project.private_ssh_key
params['ssh_keys'].append(dict(
name='%s project key' % item.change.project.canonical_name,
key=ssh_key))
params['ssh_keys'].append(dict(
connection_name=item.change.project.connection_name,
project_name=item.change.project.name))
params['vars'] = job.combined_variables
params['extra_vars'] = job.extra_variables
params['host_vars'] = job.host_variables
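Review bot: In the redacted branch the placeholder appended to `params['ssh_keys']` is a bare string while the real branch appends a dict, so the list's element shape depends on the flag, and the values being hidden (`connection_name`, `project_name`) only locate the key — the private key itself no longer leaves the executor's keystore, so there is nothing secret left in this entry to redact. Either drop the `redact_secrets_and_keys` guard for this list, or keep the dict shape in the placeholder, e.g. `params['ssh_keys'].append(dict(connection_name='REDACTED', project_name='REDACTED'))`, so that web clients and the AnsibleJob consumer (which indexes `key['connection_name']`) see a single type; presumably only the web view ever receives the redacted form, but that is not visible here. construct_gearman_params starts above the hunk, so whether redaction is still required for other entries in params cannot be judged from this excerpt.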
@ -951,7 +951,12 @@ class AnsibleJob(object):
self.ssh_agent.start()
self.ssh_agent.add(self.private_key_file)
for key in self.arguments.get('ssh_keys', []):
self.ssh_agent.addData(key['name'], key['key'])
private_ssh_key, public_ssh_key = \
self.executor_server.keystore.getProjectSSHKeys(
key['connection_name'],
key['project_name'])
name = '%s project key' % (key['project_name'])
self.ssh_agent.addData(name, private_ssh_key)
self.jobdir = JobDir(self.executor_server.jobdir_root,
self.executor_server.keep_jobdir,
str(self.job.unique))
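Review bot: `public_ssh_key` is unpacked from `getProjectSSHKeys` in the new loop but never used; `private_ssh_key, _ = \` makes that explicit and avoids a linter warning. The agent label also changed from the project's canonical name (used by the old scheduler-side dict) to the bare `project_name`, so two projects with the same name on different connections now get identical labels in the agent; `name = '%s/%s project key' % (key['connection_name'], key['project_name'])` keeps them distinguishable when listing agent keys. What happens when the keystore has no key for the project or cannot decrypt it is not visible here — an exception presumably propagates and fails the job, which is the safe direction, but it is worth confirming that the agent started two lines above is still stopped on that path. The enclosing method starts above the hunk.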