ci: Use SSH key for sudo auth

Now that servers are configured to use *pam_ssh_agent_auth* for `sudo`
authentication, the Jenkins CI pipelines no longer need to manage the
raw password for the *jenkins* user.  A special SSH public key for
Jenkins is listed in `/etc/security/sudo.authorized_keys`, so as long
as a) the corresponding private key is in the SSH agent and b) SSH
agent forwarding is enabled, Ansible will be able to perform privileged
operations without a password.

vars/applyConfigPolicy.groovy

@@ -21,13 +21,16 @@ def call(rw_limit, stages) {
                     withEnv([
                         "HOME=${WORKSPACE}",
                         "KRB5CCNAME=${WORKSPACE}/.krb5cc",
+                        'ANSIBLE_SSH_EXTRA_ARGS=-A',
                     ]) {
                         container('ansible') {
                             try {
+                                sshagent(['jenkins-sudo-sshkey']) {
                                     stageKinit()
                                     stageRemountRW(rw_limit)
                                     generateStages(stages)
                                     stageRemountRO(rw_limit)
+                                }
                             } catch (err) {
                                 postFailure(err)
                             } finally {
@@ -49,12 +52,6 @@ def stageKinit() {
         )]) {
             sh 'kinit -kt "${KEYTAB}" jenkins@PYROCUFFLINK.BLUE'
         }
-        withCredentials([file(
-            credentialsId: 'vault-jenkins@pyrocufflink.blue',
-            variable: 'SUDO_PASS_FILE'
-        )]) {
-            sh 'cp "${SUDO_PASS_FILE}" group_vars/pyrocufflink/sudo-pass'
-        }
         sh 'rm -rf .fact-cache'
         sh 'install -m u=rwx,go= -d ~/.ssh'
         sh 'cp roles/ssh-hostkeys/files/ssh_known_hosts ~/.ssh/known_hosts'
@@ -116,7 +113,6 @@ def stageRemountRO(limit) {
 
 def postCleanup() {
     sh 'kdestroy'
-    sh 'find . -name sudo-pass -delete'
 }
 
 def postFailure(err) {