ci: Use SSH key for sudo auth
Now that servers are configured to use *pam_ssh_agent_auth* for `sudo` authentication, the Jenkins CI pipelines no longer need to manage the raw password for the *jenkins* user. A special SSH public key for Jenkins is listed in `/etc/security/sudo.authorized_keys`, so as long as a) the corresponding private key is in the SSH agent and b) SSH agent forwarding is enabled, Ansible will be able to perform privileged operations without a password.frigate-exporter
parent
4b8b5fa90b
commit
6bad6dcb7a
|
|
@ -21,13 +21,16 @@ def call(rw_limit, stages) {
|
|||
withEnv([
|
||||
"HOME=${WORKSPACE}",
|
||||
"KRB5CCNAME=${WORKSPACE}/.krb5cc",
|
||||
'ANSIBLE_SSH_EXTRA_ARGS=-A',
|
||||
]) {
|
||||
container('ansible') {
|
||||
try {
|
||||
stageKinit()
|
||||
stageRemountRW(rw_limit)
|
||||
generateStages(stages)
|
||||
stageRemountRO(rw_limit)
|
||||
sshagent(['jenkins-sudo-sshkey']) {
|
||||
stageKinit()
|
||||
stageRemountRW(rw_limit)
|
||||
generateStages(stages)
|
||||
stageRemountRO(rw_limit)
|
||||
}
|
||||
} catch (err) {
|
||||
postFailure(err)
|
||||
} finally {
|
||||
|
|
@ -49,12 +52,6 @@ def stageKinit() {
|
|||
)]) {
|
||||
sh 'kinit -kt "${KEYTAB}" jenkins@PYROCUFFLINK.BLUE'
|
||||
}
|
||||
withCredentials([file(
|
||||
credentialsId: 'vault-jenkins@pyrocufflink.blue',
|
||||
variable: 'SUDO_PASS_FILE'
|
||||
)]) {
|
||||
sh 'cp "${SUDO_PASS_FILE}" group_vars/pyrocufflink/sudo-pass'
|
||||
}
|
||||
sh 'rm -rf .fact-cache'
|
||||
sh 'install -m u=rwx,go= -d ~/.ssh'
|
||||
sh 'cp roles/ssh-hostkeys/files/ssh_known_hosts ~/.ssh/known_hosts'
|
||||
|
|
@ -116,7 +113,6 @@ def stageRemountRO(limit) {
|
|||
|
||||
def postCleanup() {
|
||||
sh 'kdestroy'
|
||||
sh 'find . -name sudo-pass -delete'
|
||||
}
|
||||
|
||||
def postFailure(err) {
|
||||
|
|
|
|||
Loading…
Reference in New Issue