Add winrm certificate handling

When using the winrm connection, we need to specify the certificates to
be used for the connection. This is the last missing part needed to
actually connect to Windows nodes.

Change-Id: I8db0df4fa7a32598b8c581e67254a0849915b910
Co-Authored-By: Bernhard Zumbusch <bernhard.zumbusch@bmw.de>
Tobias Henkel 2017-09-22 12:21:20 +02:00
parent f40feca5bb
commit e2de74033b
GPG Key ID: 03750DEC158E5FA2
3 changed files with 38 additions and 0 deletions


@ -486,6 +486,21 @@ The following sections of ``zuul.conf`` are used by the executor:
SSH private key file to be used when logging into worker nodes. SSH private key file to be used when logging into worker nodes.
.. attr:: winrm_cert_key_file
:default: ~/.winrm/winrm_client_cert.key
The private key file of the client certificate to use for winrm
connections to Windows nodes.
.. attr:: winrm_cert_pem_file
:default: ~/.winrm/winrm_client_cert.pem
The certificate file of the client certificate to use for winrm
connections to Windows nodes.
.. note:: Currently certificate verification is disabled when
connecting to Windows nodes via winrm.
.. _admin_sitewide_variables: .. _admin_sitewide_variables:
.. attr:: variables .. attr:: variables


@ -0,0 +1,5 @@
---
features:
- |
Client certificate locations to be used by winrm connections can be
configured now.


@ -587,6 +587,12 @@ class AnsibleJob(object):
self.private_key_file = get_default(self.executor_server.config, self.private_key_file = get_default(self.executor_server.config,
'executor', 'private_key_file', 'executor', 'private_key_file',
'~/.ssh/id_rsa') '~/.ssh/id_rsa')
self.winrm_key_file = get_default(self.executor_server.config,
'executor', 'winrm_cert_key_file',
'~/.winrm/winrm_client_cert.key')
self.winrm_pem_file = get_default(self.executor_server.config,
'executor', 'winrm_cert_pem_file',
'~/.winrm/winrm_client_cert.pem')
self.ssh_agent = SshAgent() self.ssh_agent = SshAgent()
self.executor_variables_file = None self.executor_variables_file = None
@ -1007,6 +1013,18 @@ class AnsibleJob(object):
connection_type = node.get('connection_type') connection_type = node.get('connection_type')
if connection_type: if connection_type:
host_vars['ansible_connection'] = connection_type host_vars['ansible_connection'] = connection_type
if connection_type == "winrm":
host_vars['ansible_winrm_transport'] = 'certificate'
host_vars['ansible_winrm_cert_pem'] = \
self.winrm_pem_file
host_vars['ansible_winrm_cert_key_pem'] = \
self.winrm_key_file
# NOTE(tobiash): This is necessary when using default
# winrm self-signed certificates. This is probably what
# most installations want so hard code this here for
# now.
host_vars['ansible_winrm_server_cert_validation'] = \
'ignore'
host_keys = [] host_keys = []
for key in node.get('host_keys'): for key in node.get('host_keys'):
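Review bot: In the second hunk, `host_vars['ansible_winrm_server_cert_validation']` is hard-coded to `'ignore'` for every winrm node, so the executor authenticates itself with the client certificate but never verifies the Windows host it is talking to. A host that can intercept the connection would receive job content and variables, and an operator with a proper CA has no way to turn verification on. I would read the value through `get_default(self.executor_server.config, 'executor', <new option>, 'ignore')` next to the two certificate paths in the first hunk and assign that here, so `'validate'` can be chosen per deployment and later made the default. Separately, the `~/.winrm/...` defaults are stored as given; `get_default` is not visible here, so it is worth confirming that something expands `~` before the paths reach the winrm transport. Both hunks sit inside `AnsibleJob` methods whose start and end are outside the visible lines.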