From e2de74033b41f5ac099a83d96eb84042349e1be0 Mon Sep 17 00:00:00 2001
From: Tobias Henkel
Date: Fri, 22 Sep 2017 12:21:20 +0200
Subject: [PATCH] Add winrm certificate handling

When using the winrm connection we need to specify the certificates to be used for the connection. This is the last missing part to really being able to connect to windows nodes.

Change-Id: I8db0df4fa7a32598b8c581e67254a0849915b910
Co-Authored-By: Bernhard Zumbusch
---
 doc/source/admin/components.rst | 15 +++++++++++++++
 releasenotes/notes/winrm-af968bf3269c25d9.yaml | 5 +++++
 zuul/executor/server.py | 18 ++++++++++++++++++
 3 files changed, 38 insertions(+)
 create mode 100644 releasenotes/notes/winrm-af968bf3269c25d9.yaml

diff --git a/doc/source/admin/components.rst b/doc/source/admin/components.rst
index 84ebc10617..95112b6024 100644
--- a/doc/source/admin/components.rst
+++ b/doc/source/admin/components.rst
@@ -486,6 +486,21 @@ The following sections of ``zuul.conf`` are used by the executor:
 SSH private key file to be used when logging into worker nodes.
+ .. attr:: winrm_cert_key_file
+ :default: ~/.winrm/winrm_client_cert.key
+
+ The private key file of the client certificate to use for winrm
+ connections to Windows nodes.
+
+ .. attr:: winrm_cert_pem_file
+ :default: ~/.winrm/winrm_client_cert.pem
+
+ The certificate file of the client certificate to use for winrm
+ connections to Windows nodes.
+
+ .. note:: Currently certificate verification is disabled when
+ connecting to Windows nodes via winrm.
+
 .. _admin_sitewide_variables:
 .. attr:: variables
diff --git a/releasenotes/notes/winrm-af968bf3269c25d9.yaml b/releasenotes/notes/winrm-af968bf3269c25d9.yaml
new file mode 100644
index 0000000000..9769d11c6a
--- /dev/null
+++ b/releasenotes/notes/winrm-af968bf3269c25d9.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Client certificate locations to be used by winrm connections can be
+ configured now.
diff --git a/zuul/executor/server.py b/zuul/executor/server.py
index d140a00212..74e5a94b90 100644
--- a/zuul/executor/server.py
+++ b/zuul/executor/server.py
@@ -587,6 +587,12 @@ class AnsibleJob(object):
 self.private_key_file = get_default(self.executor_server.config,
 'executor', 'private_key_file',
 '~/.ssh/id_rsa')
+ self.winrm_key_file = get_default(self.executor_server.config,
+ 'executor', 'winrm_cert_key_file',
+ '~/.winrm/winrm_client_cert.key')
+ self.winrm_pem_file = get_default(self.executor_server.config,
+ 'executor', 'winrm_cert_pem_file',
+ '~/.winrm/winrm_client_cert.pem')
 self.ssh_agent = SshAgent()
 self.executor_variables_file = None
@@ -1007,6 +1013,18 @@ class AnsibleJob(object):
 connection_type = node.get('connection_type')
 if connection_type:
 host_vars['ansible_connection'] = connection_type
+ if connection_type == "winrm":
+ host_vars['ansible_winrm_transport'] = 'certificate'
+ host_vars['ansible_winrm_cert_pem'] = \
+ self.winrm_pem_file
+ host_vars['ansible_winrm_cert_key_pem'] = \
+ self.winrm_key_file
+ # NOTE(tobiash): This is necessary when using default
+ # winrm self-signed certificates. This is probably what
+ # most installations want so hard code this here for
+ # now.
+ host_vars['ansible_winrm_server_cert_validation'] = \
+ 'ignore'
 host_keys = []
 for key in node.get('host_keys'):
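Review bot: The two default paths begin with `~` and are stored exactly as `get_default` returns them; the second hunk then copies them unchanged into `ansible_winrm_cert_pem` and `ansible_winrm_cert_key_pem`. Unless `get_default` or the winrm connection layer expands the home directory (neither is visible here), the documented defaults will not resolve to a file and the failure will only surface when Ansible tries to connect. Consider expanding once at assignment, e.g. `self.winrm_key_file = os.path.expanduser(self.winrm_key_file)` and the same for `winrm_pem_file`, assuming `os` is already imported in this module. A short comment that `winrm_key_file` names a private key which should be readable only by the executor user would also help. The enclosing method starts and ends outside the hunk.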
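Review bot: `ansible_winrm_server_cert_validation` is hard-coded to `'ignore'` for every winrm node, so the executor never authenticates the Windows host it sends job content to, and an operator whose nodes carry properly issued certificates has no way to turn validation on. The NOTE comment and the docs acknowledge the choice, but the value should come from configuration with `'ignore'` kept as the default. Read it next to the other winrm options, e.g. `self.winrm_cert_validation = get_default(self.executor_server.config, 'executor', 'winrm_server_cert_validation', 'ignore')`, and assign `host_vars['ansible_winrm_server_cert_validation'] = self.winrm_cert_validation` here. The option name is a proposal, not an existing setting. The enclosing method starts and ends outside the hunk.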