Decrypt project ssh keys in executors

So that we don't store unencrypted ssh private keys in ZK, don't transmit them in the build request; instead provide info on the location so the executors can fetch and decrypt them directly. Change-Id: Ic14848259d5b5b25b29931d85ec373d4435af9b9
2021-05-06 18:04:31 -07:00 · 2021-05-06 18:04:31 -07:00 · 77bde6f765
parent fbb17e1f35
commit 77bde6f765
3 changed files with 11 additions and 7 deletions
--- a/tests/unit/test_web.py
+++ b/tests/unit/test_web.py
@ -1122,7 +1122,7 @@ class TestWebSecrets(BaseTestWeb):
            "project1-secret").json()
        self.assertEqual(
            {'secret_name': 'REDACTED'}, resp['playbooks'][0]['secrets'])
-        self.assertEqual('REDACTED', resp['ssh_keys'][0]['key'])
+        self.assertEqual('REDACTED', resp['ssh_keys'][0])


 class TestInfo(ZuulDBTestCase, BaseTestWeb):
--- a/zuul/executor/common.py
+++ b/zuul/executor/common.py
@ -134,12 +134,11 @@ def construct_gearman_params(uuid, sched, nodeset, job, item, pipeline,
    params['ssh_keys'] = []
    if pipeline.post_review:
        if redact_secrets_and_keys:
-            ssh_key = "REDACTED"
+            params['ssh_keys'].append("REDACTED")
        else:
-            ssh_key = item.change.project.private_ssh_key
-        params['ssh_keys'].append(dict(
-            name='%s project key' % item.change.project.canonical_name,
-            key=ssh_key))
+            params['ssh_keys'].append(dict(
+                connection_name=item.change.project.connection_name,
+                project_name=item.change.project.name))
    params['vars'] = job.combined_variables
    params['extra_vars'] = job.extra_variables
    params['host_vars'] = job.host_variables
--- a/zuul/executor/server.py
+++ b/zuul/executor/server.py
@ -951,7 +951,12 @@ class AnsibleJob(object):
            self.ssh_agent.start()
            self.ssh_agent.add(self.private_key_file)
            for key in self.arguments.get('ssh_keys', []):
-                self.ssh_agent.addData(key['name'], key['key'])
+                private_ssh_key, public_ssh_key = \
+                    self.executor_server.keystore.getProjectSSHKeys(
+                        key['connection_name'],
+                        key['project_name'])
+                name = '%s project key' % (key['project_name'])
+                self.ssh_agent.addData(name, private_ssh_key)
            self.jobdir = JobDir(self.executor_server.jobdir_root,
                                 self.executor_server.keep_jobdir,
                                 str(self.job.unique))