applyConfigPolicy: Configure SSH user certificate
In order to manage servers that are not members of the _pyrocufflink.blue_ AD domain, Jenkins needs a user certificate signed by the SSH CA. Unfortunately, there is not really a good way to get a certificate issued on demand in a non-interactive way, as SSHCA relies on OIDC ID tokens which are issued by Authelia, and Authelica requires browser-based interactive login and consent. Until I can come up with a better option, I've manually signed a certificate for Jenkins to use. The Jenkins SSH Credentials plugin does not support certificates directly, so in order to use one, we have to explicitly configure `ssh` to load it via the `CertificateFile` option.dynamic-inventory
parent
d993d59bee
commit
bc7e7c2475
|
|
@ -18,23 +18,33 @@ def call(rw_limit, stages) {
|
|||
]) {
|
||||
node(POD_LABEL) {
|
||||
checkout scm
|
||||
withEnv([
|
||||
"HOME=${WORKSPACE}",
|
||||
"KRB5CCNAME=${WORKSPACE}/.krb5cc",
|
||||
'ANSIBLE_SSH_EXTRA_ARGS=-A',
|
||||
withCredentials([
|
||||
file(
|
||||
credentialsId: 'jenkins-cfgmgmt-cert',
|
||||
variable: 'SSHCERT',
|
||||
)
|
||||
]) {
|
||||
container('ansible') {
|
||||
try {
|
||||
sshagent(['jenkins-sudo-sshkey']) {
|
||||
withEnv([
|
||||
"HOME=${WORKSPACE}",
|
||||
"KRB5CCNAME=${WORKSPACE}/.krb5cc",
|
||||
"ANSIBLE_SSH_EXTRA_ARGS=-A -oCertificateFile=${SSHCERT}",
|
||||
]) {
|
||||
container('ansible') {
|
||||
try {
|
||||
stageKinit()
|
||||
stageRemountRW(rw_limit)
|
||||
generateStages(stages)
|
||||
stageRemountRO(rw_limit)
|
||||
sshagent([
|
||||
'jenkins-cfgmgmt',
|
||||
'jenkins-sudo-sshkey',
|
||||
]) {
|
||||
stageRemountRW(rw_limit)
|
||||
generateStages(stages)
|
||||
stageRemountRO(rw_limit)
|
||||
}
|
||||
} catch (err) {
|
||||
postFailure(err)
|
||||
} finally {
|
||||
postCleanup()
|
||||
}
|
||||
} catch (err) {
|
||||
postFailure(err)
|
||||
} finally {
|
||||
postCleanup()
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue