applyConfigPolicy: Configure SSH user certificate

In order to manage servers that are not members of the
_pyrocufflink.blue_ AD domain, Jenkins needs a user certificate signed
by the SSH CA.  Unfortunately, there is not really a good way to get a
certificate issued on demand in a non-interactive way, as SSHCA relies
on OIDC ID tokens which are issued by Authelia, and Authelia requires
browser-based interactive login and consent.  Until I can come up with a
better option, I've manually signed a certificate for Jenkins to use.

The Jenkins SSH Credentials plugin does not support certificates
directly, so in order to use one, we have to explicitly configure `ssh`
to load it via the `CertificateFile` option.
dynamic-inventory
Dustin 2024-11-25 21:13:09 -06:00
parent d993d59bee
commit bc7e7c2475
1 changed files with 24 additions and 14 deletions


@ -18,23 +18,33 @@ def call(rw_limit, stages) {
]) { ]) {
node(POD_LABEL) { node(POD_LABEL) {
checkout scm checkout scm
withEnv([ withCredentials([
"HOME=${WORKSPACE}", file(
"KRB5CCNAME=${WORKSPACE}/.krb5cc", credentialsId: 'jenkins-cfgmgmt-cert',
'ANSIBLE_SSH_EXTRA_ARGS=-A', variable: 'SSHCERT',
)
]) { ]) {
container('ansible') { withEnv([
try { "HOME=${WORKSPACE}",
sshagent(['jenkins-sudo-sshkey']) { "KRB5CCNAME=${WORKSPACE}/.krb5cc",
"ANSIBLE_SSH_EXTRA_ARGS=-A -oCertificateFile=${SSHCERT}",
]) {
container('ansible') {
try {
stageKinit() stageKinit()
stageRemountRW(rw_limit) sshagent([
generateStages(stages) 'jenkins-cfgmgmt',
stageRemountRO(rw_limit) 'jenkins-sudo-sshkey',
]) {
stageRemountRW(rw_limit)
generateStages(stages)
stageRemountRO(rw_limit)
}
} catch (err) {
postFailure(err)
} finally {
postCleanup()
} }
} catch (err) {
postFailure(err)
} finally {
postCleanup()
} }
} }
} }
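Review bot: `"ANSIBLE_SSH_EXTRA_ARGS=-A -oCertificateFile=${SSHCERT}"` interpolates a `withCredentials` binding into a Groovy string, which Jenkins reports as insecure because the expanded value lands in the build log and process environment; here the value is only the temporary path of the certificate file rather than the certificate itself, and `withEnv` does no shell expansion of its own, so the interpolation is unavoidable for this construction, but it is worth a comment in the Jenkinsfile so the warning is not mistaken for a leaked secret later. Separately, `CertificateFile` is only honoured for a private key that ssh can actually use, so the `'jenkins-cfgmgmt'` key added to the `sshagent([...])` list must be the key the certificate was issued for; if the wrong key is loaded, ssh silently falls back to plain public-key auth with the agent keys and the failure only shows up as a rejected login on the non-domain hosts, so a quick `ssh -vv` against one such host is the check to run before merging.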