From 6bad6dcb7ae7afcbf6aa01f4722b8b2e4df4746e Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sun, 28 Jan 2024 11:52:48 -0600
Subject: [PATCH] ci: Use SSH key for sudo auth

Now that servers are configured to use *pam_ssh_agent_auth* for `sudo` authentication, the Jenkins CI pipelines no longer need to manage the raw password for the *jenkins* user. A special SSH public key for Jenkins is listed in `/etc/security/sudo.authorized_keys`, so as long as a) the corresponding private key is in the SSH agent and b) SSH agent forwarding is enabled, Ansible will be able to perform privileged operations without a password.

---
 vars/applyConfigPolicy.groovy | 18 +++++++-----------
 1 file changed, 7 insertions(+), 11 deletions(-)

diff --git a/vars/applyConfigPolicy.groovy b/vars/applyConfigPolicy.groovy
index 768751a..c14728a 100644
--- a/vars/applyConfigPolicy.groovy
+++ b/vars/applyConfigPolicy.groovy
@@ -21,13 +21,16 @@ def call(rw_limit, stages) {
     withEnv([
         "HOME=${WORKSPACE}",
         "KRB5CCNAME=${WORKSPACE}/.krb5cc",
+        'ANSIBLE_SSH_EXTRA_ARGS=-A',
     ]) {
         container('ansible') {
             try {
-                stageKinit()
-                stageRemountRW(rw_limit)
-                generateStages(stages)
-                stageRemountRO(rw_limit)
+                sshagent(['jenkins-sudo-sshkey']) {
+                    stageKinit()
+                    stageRemountRW(rw_limit)
+                    generateStages(stages)
+                    stageRemountRO(rw_limit)
+                }
             } catch (err) {
                 postFailure(err)
             } finally {
@@ -49,12 +52,6 @@ def stageKinit() {
         )]) {
             sh 'kinit -kt "${KEYTAB}" jenkins@PYROCUFFLINK.BLUE'
         }
-        withCredentials([file(
-            credentialsId: 'vault-jenkins@pyrocufflink.blue',
-            variable: 'SUDO_PASS_FILE'
-        )]) {
-            sh 'cp "${SUDO_PASS_FILE}" group_vars/pyrocufflink/sudo-pass'
-        }
         sh 'rm -rf .fact-cache'
         sh 'install -m u=rwx,go= -d ~/.ssh'
         sh 'cp roles/ssh-hostkeys/files/ssh_known_hosts ~/.ssh/known_hosts'
@@ -116,7 +113,6 @@ def stageRemountRO(limit) {
 
 def postCleanup() {
     sh 'kdestroy'
-    sh 'find . -name sudo-pass -delete'
 }
 
 def postFailure(err) {
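Review bot: The new `'ANSIBLE_SSH_EXTRA_ARGS=-A'` entry forwards the agent that now holds `jenkins-sudo-sshkey` to every host Ansible connects to, and nothing in the hunk records why that is needed or what it exposes. While a play runs, root on any managed host can drive the forwarded agent socket and sign with that key, so a compromised host could satisfy pam_ssh_agent_auth on every other host whose `/etc/security/sudo.authorized_keys` lists it; the exposure is fleet-wide rather than limited to the host being configured. I would add a comment above the env entry such as `// -A: forward the agent so pam_ssh_agent_auth on the target can see the Jenkins sudo key; while a play runs the forwarded agent is usable by root on each managed host`, and consider whether `-A` could be confined to the `sshagent` block instead of the whole `withEnv`. `def call` and the `withEnv`/`container` closings are outside the hunk, so I could not check whether the variable is also inherited by steps that run without the agent.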