From bc7e7c24750ede22158f3f90876039617317c9cd Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Mon, 25 Nov 2024 21:13:09 -0600
Subject: [PATCH] applyConfigPolicy: Configure SSH user certificate

In order to manage servers that are not members of the _pyrocufflink.blue_ AD domain, Jenkins needs a user certificate signed by the SSH CA. Unfortunately, there is not really a good way to get a certificate issued on demand in a non-interactive way, as SSHCA relies on OIDC ID tokens which are issued by Authelia, and Authelica requires browser-based interactive login and consent. Until I can come up with a better option, I've manually signed a certificate for Jenkins to use. The Jenkins SSH Credentials plugin does not support certificates directly, so in order to use one, we have to explicitly configure `ssh` to load it via the `CertificateFile` option.
---
 vars/applyConfigPolicy.groovy | 38 ++++++++++++++++++++++-------------
 1 file changed, 24 insertions(+), 14 deletions(-)

diff --git a/vars/applyConfigPolicy.groovy b/vars/applyConfigPolicy.groovy
index 3cb73b8..5ef33d6 100644
--- a/vars/applyConfigPolicy.groovy
+++ b/vars/applyConfigPolicy.groovy
@@ -18,23 +18,33 @@ def call(rw_limit, stages) {
 ]) {
 node(POD_LABEL) {
 checkout scm
- withEnv([
- "HOME=${WORKSPACE}",
- "KRB5CCNAME=${WORKSPACE}/.krb5cc",
- 'ANSIBLE_SSH_EXTRA_ARGS=-A',
+ withCredentials([
+ file(
+ credentialsId: 'jenkins-cfgmgmt-cert',
+ variable: 'SSHCERT',
+ )
 ]) {
- container('ansible') {
- try {
- sshagent(['jenkins-sudo-sshkey']) {
+ withEnv([
+ "HOME=${WORKSPACE}",
+ "KRB5CCNAME=${WORKSPACE}/.krb5cc",
+ "ANSIBLE_SSH_EXTRA_ARGS=-A -oCertificateFile=${SSHCERT}",
+ ]) {
+ container('ansible') {
+ try {
 stageKinit()
- stageRemountRW(rw_limit)
- generateStages(stages)
- stageRemountRO(rw_limit)
+ sshagent([
+ 'jenkins-cfgmgmt',
+ 'jenkins-sudo-sshkey',
+ ]) {
+ stageRemountRW(rw_limit)
+ generateStages(stages)
+ stageRemountRO(rw_limit)
+ }
+ } catch (err) {
+ postFailure(err)
+ } finally {
+ postCleanup()
 }
- } catch (err) {
- postFailure(err)
- } finally {
- postCleanup()
 }
 }
 }
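Review bot: Adding `'jenkins-cfgmgmt'` to the `sshagent` list while the new `ANSIBLE_SSH_EXTRA_ARGS` value still carries `-A` means both keys, the CA-signed one and the existing sudo key, are forwarded to every host the playbooks connect to, so for the duration of a run a compromised non-domain host could use the domain key and vice versa. If forwarding is still required, a comment naming which stage depends on it would help; if it is not, dropping `-A` from `"ANSIBLE_SSH_EXTRA_ARGS=-A -oCertificateFile=${SSHCERT}"` removes that exposure. The `-oCertificateFile=${SSHCERT}` value is also unquoted inside a string that Ansible (as far as I recall) splits on whitespace, so a temp-file path containing a space would break the option; unlikely here, but cheap to guard against. Since the commit message says the certificate was signed by hand, it has a fixed validity window that nothing in the hunk records, so a comment above the `file(` binding such as `// CA-signed user cert for non-domain hosts; the SSH Credentials plugin cannot load certs, so ssh is pointed at it via CertificateFile. Issued manually — check its expiry first if auth to non-domain hosts starts failing.` would save the next maintainer a debugging session. `call`'s body starts before the hunk and appears to end after it.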