diff --git a/roles/add-build-sshkey/README.rst b/roles/add-build-sshkey/README.rst index 1c644cec3..ec8697125 100644 --- a/roles/add-build-sshkey/README.rst +++ b/roles/add-build-sshkey/README.rst @@ -11,12 +11,30 @@ newly generated private key. **Role Variables** .. zuul:rolevar:: zuul_temp_ssh_key + :default: ``{{ zuul.executor.work_root }}/{{ zuul.build }}_id_rsa`` Where to put the newly-generated SSH private key. +.. zuul:rolevar:: zuul_ssh_key_dest + :default: ``id_{{ zuul_ssh_key_algorithm }}`` + + File name for the the newly-generated SSH private key. + .. zuul:rolevar:: zuul_build_sshkey_cleanup :default: false Remove previous build sshkey. Set it to true for single use static node. Do not set it to true for multi-slot static nodes as it removes the build key configured by other jobs. + +.. zuul:rolevar:: zuul_ssh_key_algorithm + :default: rsa + + The digital signature algorithm to be used to generate the key. Default value + 'rsa'. + +.. zuul:rolevar:: zuul_ssh_key_size + :default: 3072 + + Specifies the number of bits in the key to create. The default length is + 3072 bits (RSA). diff --git a/roles/add-build-sshkey/tasks/create-key-and-replace.yaml b/roles/add-build-sshkey/tasks/create-key-and-replace.yaml index 2c898546e..76fc7a6d1 100644 --- a/roles/add-build-sshkey/tasks/create-key-and-replace.yaml +++ b/roles/add-build-sshkey/tasks/create-key-and-replace.yaml @@ -1,5 +1,5 @@ - name: Create Temp SSH key - command: ssh-keygen -t rsa -N '' -C 'zuul-build-sshkey' -f {{ zuul_temp_ssh_key }} + command: ssh-keygen -t {{ zuul_ssh_key_algorithm }} -N '' -C 'zuul-build-sshkey' -f {{ zuul_temp_ssh_key }} -b {{ zuul_ssh_key_size }} delegate_to: localhost run_once: true diff --git a/roles/add-build-sshkey/tasks/remote-linux.yaml b/roles/add-build-sshkey/tasks/remote-linux.yaml index b8d47e193..42c5dfea4 100644 --- a/roles/add-build-sshkey/tasks/remote-linux.yaml +++ b/roles/add-build-sshkey/tasks/remote-linux.yaml 
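Review bot: In create-key-and-replace.yaml, `-b {{ zuul_ssh_key_size }}` is always passed, and its default of 3072 is only a valid length for RSA. ssh-keygen accepts only 256, 384 or 521 bits for ECDSA and ignores `-b` for Ed25519, so a job that sets `zuul_ssh_key_algorithm: ecdsa` without also changing the size fails at key generation. Consider dropping the fixed default and emitting the flag only when a size is set, e.g. `{% if zuul_ssh_key_size is defined %} -b {{ zuul_ssh_key_size }}{% endif %}`, or document the valid algorithm/size pairs in the README. Both values are expanded unquoted into the command line, so check them first (algorithm one of `rsa`, `ecdsa`, `ed25519`; size an integer), which also keeps weak choices such as `dsa` out.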
@@ -20,13 +20,13 @@ - name: Install build private key as SSH key on all nodes copy: src: "{{ zuul_temp_ssh_key }}" - dest: "~/.ssh/id_rsa" + dest: "~/.ssh/{{ zuul_ssh_key_dest }}" mode: 0600 force: no - name: Install build public key as SSH key on all nodes copy: src: "{{ zuul_temp_ssh_key }}.pub" - dest: "~/.ssh/id_rsa.pub" + dest: "~/.ssh/{{ zuul_ssh_key_dest }}.pub" mode: 0644 force: no diff --git a/roles/add-build-sshkey/tasks/remote-windows.yaml b/roles/add-build-sshkey/tasks/remote-windows.yaml index 511828ece..44e202824 100644 --- a/roles/add-build-sshkey/tasks/remote-windows.yaml +++ b/roles/add-build-sshkey/tasks/remote-windows.yaml 
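Review bot: A key installed under a non-default name in `dest: "~/.ssh/{{ zuul_ssh_key_dest }}"` will not be offered by the ssh client on the node, because OpenSSH only tries its built-in identity file names (`id_rsa`, `id_ecdsa`, `id_ed25519`, …) unless `IdentityFile` is configured. The README entry for `zuul_ssh_key_dest` should say this. Both copy tasks also keep `force: no` and run independently, so if only one of the two target files already exists, the node ends up with a private and a public key that do not belong together, which becomes more likely once the name is configurable. The value is joined into the path unchecked; restricting it to a bare file name (no `/` or `..`) would keep the write inside `~/.ssh`.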
@@ -11,14 +11,14 @@ # We use scp here as this is much more performant than ansible copy echo "Copy build ssh keys to node" ssh -o BatchMode=yes -o ConnectTimeout=10 -o StrictHostKeyChecking=no {{ ansible_user }}@{{ ansible_host }} powershell "md -Force -Path .ssh" - scp -B {{ zuul_temp_ssh_key }} {{ ansible_user }}@{{ ansible_host }}:.ssh/id_rsa - scp -B {{ zuul_temp_ssh_key }}.pub {{ ansible_user }}@{{ ansible_host }}:.ssh/id_rsa.pub + scp -B {{ zuul_temp_ssh_key }} {{ ansible_user }}@{{ ansible_host }}:.ssh/{{ zuul_ssh_key_dest }} + scp -B {{ zuul_temp_ssh_key }}.pub {{ ansible_user }}@{{ ansible_host }}:.ssh/{{ zuul_ssh_key_dest }}.pub echo "Add build ssh keys to authorized_keys" {% if win_admin_ssh | default(false) %} - ssh -o BatchMode=yes {{ ansible_user }}@{{ ansible_host }} cmd /c "type .ssh\\id_rsa.pub >> %programdata%\\ssh\\administrators_authorized_keys" + ssh -o BatchMode=yes {{ ansible_user }}@{{ ansible_host }} cmd /c "type .ssh\\{{ zuul_ssh_key_dest }}.pub >> %programdata%\\ssh\\administrators_authorized_keys" {% else %} - ssh -o BatchMode=yes {{ ansible_user }}@{{ ansible_host }} cmd /c "type .ssh\\id_rsa.pub >> .ssh\\authorized_keys" + ssh -o BatchMode=yes {{ ansible_user }}@{{ ansible_host }} cmd /c "type .ssh\\{{ zuul_ssh_key_dest }}.pub >> .ssh\\authorized_keys" {% endif %} register: windows_remote_ssh # Ignore errors here because this should not break non-ssh enabled windows hosts diff --git a/roles/add-build-sshkey/vars/main.yaml b/roles/add-build-sshkey/vars/main.yaml index 457a12ee6..68564fa19 100644 --- a/roles/add-build-sshkey/vars/main.yaml +++ b/roles/add-build-sshkey/vars/main.yaml @@ -1,2 +1,5 @@ -zuul_temp_ssh_key: "{{ zuul.executor.work_root }}/{{ zuul.build }}_id_rsa" zuul_build_sshkey_cleanup: false +zuul_ssh_key_algorithm: "rsa" +zuul_ssh_key_size: "3072" +zuul_ssh_key_dest: "id_{{ zuul_ssh_key_algorithm }}" +zuul_temp_ssh_key: "{{ zuul.executor.work_root }}/{{ zuul.build }}_id_{{ zuul_ssh_key_algorithm }}" 
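Review bot: `{{ zuul_ssh_key_dest }}` is now expanded unquoted into the scp targets and into the remote `cmd /c "type .ssh\\… >> …"` strings, so a value containing spaces or shell metacharacters changes what the local shell or the remote cmd.exe runs. The enclosing task starts above this hunk, but the visible lines read as a shell script. Quoting correctly for both shells is fragile, so validate the variable once before these tasks, for example with an `assert` on `zuul_ssh_key_dest is match('^[A-Za-z0-9_.-]+$')`. The same check would cover the `dest:` paths in remote-linux.yaml.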
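Review bot: The new settings in roles/add-build-sshkey/vars/main.yaml are presented in the README as defaults a job can change, but role vars outrank inventory and play variables in Ansible's precedence order. If job variables reach the play through the inventory (usual for Zuul, but confirm), an override of `zuul_ssh_key_algorithm`, `zuul_ssh_key_size` or `zuul_ssh_key_dest` would be ignored silently and the build would keep using the RSA values. Moving these three keys to `defaults/main.yaml` makes the documented behaviour hold. `zuul_temp_ssh_key` now embeds the algorithm, so it has to resolve to the same path in remove-build-sshkey.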
diff --git a/roles/remove-build-sshkey/vars/main.yaml b/roles/remove-build-sshkey/vars/main.yaml
index a9a38c8ed..ee72d5e97 100644
--- a/roles/remove-build-sshkey/vars/main.yaml
+++ b/roles/remove-build-sshkey/vars/main.yaml
@@ -1 +1 @@
-zuul_temp_ssh_key: "{{ zuul.executor.src_root }}/../{{ zuul.build }}_id_rsa"
+zuul_temp_ssh_key: "{{ zuul.executor.src_root }}/../{{ zuul.build }}_id_{{ zuul_ssh_key_algorithm }}"
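Review bot: `zuul_ssh_key_algorithm` is referenced here, but nothing in this diff defines it for the remove-build-sshkey role; the `"rsa"` default is only added to add-build-sshkey's vars. If the cleanup role runs in a play where add-build-sshkey was not loaded, the template would fail as undefined. If the two roles see different values, the path points at a file that was never created. In either case the per-build private key is presumably left behind on the executor. Add `zuul_ssh_key_algorithm: "rsa"` to this role's defaults and note in both READMEs that the variable must be set identically for the two roles.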