
On Mon, 2017-10-09 at 11:38 +0100, Daniel P. Berrange wrote:
On Fri, Oct 06, 2017 at 02:48:52PM +0200, Andrea Bolognani wrote:
The agent is downloaded and configured to start at boot. The secrets needed to prove the workers' identity to the Jenkins server are stored inside Ansible vaults.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
diff --git a/ansible/host_vars/libvirt-centos-6/vault.yml b/ansible/host_vars/libvirt-centos-6/vault.yml new file mode 100644 index 0000000..2522a28 --- /dev/null +++ b/ansible/host_vars/libvirt-centos-6/vault.yml @@ -0,0 +1,10 @@ +$ANSIBLE_VAULT;1.1;AES256 +33376164643732313335383930346630343432643939303864313631353063636663663634616638 +3062306563323630653033656231373634363932336331620a383065336664343663346562353862 +64616131656633653338316232303562363632643530313961316130303335626235653430326530 +3566363365323830660a363063623035333231396337393537626161363634313637323563643161 +36613030333563363630363730656238646138306236643937623266646639616130343734313566 +61356165383464323434333836333030336464326436373731313439626161653931626431343665 +30306236333133333334656430636363366132323132323039356264636465333630653335396662 +38356334386337386135343463323233666432326361656438333961303237353562656339623264 +3765
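Review bot: the new vault.yml lands as an opaque $ANSIBLE_VAULT;1.1;AES256 blob with nothing in the commit message saying which variable it holds or where the decryption password is expected to come from, so a reviewer cannot verify the trail without decrypting it. Suggest stating in the commit message (or a short README note next to host_vars) that the file is ansible-vault encrypted, which variable name it defines, and that the password is read via vault_password_file from ansible.cfg, and confirm the password file path itself is excluded from the repository.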
What is this data & how was it generated ? How is it decrypted ? Presumably there's some local key we're not publishing ?
It just contains the secret used by the Jenkins agent to authenticate with the Jenkins server. Each of the files looks like

  ---
  vault_jenkins_secret: "IT'S A SECRET TO EVERYBODY"

once decrypted; the main variables file for the host references the encrypted variable with

  jenkins_secret: '{{ vault_jenkins_secret }}'

so there is a visible trail to the vaulted variable, and only the jenkins_secret variable is used anywhere else as per best practices. The file was created and can be edited using ansible-vault; the vault password is retrieved automatically from the user's home directory thanks to the line

  vault_password_file = ~/.ansible/libvirt-jenkins-ci.vault-password

being present in the ansible.cfg file. I have already transmitted the vault password using an encrypted side-channel :)

-- 
Andrea Bolognani / Red Hat / Virtualization
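To make concrete what the blob in the patch is and why publishing it is safe without the password, here is an added example (not part of the patch or of the libvirt-jenkins-ci project) that parses the $ANSIBLE_VAULT;1.1;AES256 envelope using only the Python standard library. It relies on the 1.1 layout Ansible uses: a header line, then a hex-encoded body that decodes to hex(salt), hex(HMAC-SHA256 tag) and hex(AES-256-CTR ciphertext) joined by newlines, with both keys and the IV derived from the password by PBKDF2-HMAC-SHA256 (10000 iterations). The vault blob copied from the diff can be parsed and its field sizes checked, but since the password is not on the page it cannot be decrypted; `password_matches` reproduces the HMAC check ansible-vault performs before decrypting, so it confirms a candidate password and ciphertext integrity with no AES library at all. The `build_envelope` helper and the password `constructed-password` are constructed for the demonstration and produce a file that authenticates but holds no real ciphertext.

```python
import binascii
import hashlib
import hmac

VAULT_HEADER = "$ANSIBLE_VAULT;1.1;AES256"
PBKDF2_ITERATIONS = 10000          # iteration count Ansible uses for format 1.1
KEY_LEN, IV_LEN = 32, 16           # AES-256 key length and AES block-sized IV

# The vault blob from the patch above, copied verbatim. Its password is not on
# the page, so it can be parsed and structurally checked but never decrypted here.
PAGE_VAULT = "\n".join([
    VAULT_HEADER,
    "33376164643732313335383930346630343432643939303864313631353063636663663634616638",
    "3062306563323630653033656231373634363932336331620a383065336664343663346562353862",
    "64616131656633653338316232303562363632643530313961316130303335626235653430326530",
    "3566363365323830660a363063623035333231396337393537626161363634313637323563643161",
    "36613030333563363630363730656238646138306236643937623266646639616130343734313566",
    "61356165383464323434333836333030336464326436373731313439626161653931626431343665",
    "30306236333133333334656430636363366132323132323039356264636465333630653335396662",
    "38356334386337386135343463323233666432326361656438333961303237353562656339623264",
    "3765",
])


def parse_vault(text: str):
    """Split a 1.1 vault file into (salt, hmac_tag, ciphertext) byte strings.

    Layout: header line, then hex(hex(salt) + "\\n" + hex(tag) + "\\n" + hex(ciphertext))
    wrapped at 80 columns. Nothing in the file is a key: decrypting needs the
    password that vault_password_file supplies.
    """
    lines = text.strip().splitlines()
    if not lines or lines[0] != VAULT_HEADER:
        raise ValueError("not an $ANSIBLE_VAULT;1.1;AES256 file")
    inner = binascii.unhexlify("".join(lines[1:]))     # strip the outer hex layer
    fields = inner.split(b"\n")
    if len(fields) != 3:
        raise ValueError("malformed vault body: expected salt, hmac, ciphertext")
    salt, tag, ciphertext = (binascii.unhexlify(f) for f in fields)
    return salt, tag, ciphertext


def summarize(text: str) -> dict:
    """Field sizes of a vault file, for a quick structural sanity check."""
    salt, tag, ciphertext = parse_vault(text)
    return {"salt": len(salt), "hmac": len(tag), "ciphertext": len(ciphertext)}


def derive_keys(password: str, salt: bytes):
    """PBKDF2-HMAC-SHA256 over the password -> (AES key, HMAC key, CTR IV)."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS, dklen=2 * KEY_LEN + IV_LEN)
    return dk[:KEY_LEN], dk[KEY_LEN:2 * KEY_LEN], dk[2 * KEY_LEN:]


def password_matches(text: str, password: str) -> bool:
    """True iff the password reproduces the file's HMAC-SHA256 tag.

    This is the integrity check ansible-vault performs before decrypting, so it
    confirms the password and that the ciphertext is untampered without AES.
    """
    salt, tag, ciphertext = parse_vault(text)
    _, hmac_key, _ = derive_keys(password, salt)
    expected = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def build_envelope(password: str, salt: bytes, ciphertext: bytes) -> str:
    """Wrap salt + ciphertext in a 1.1 envelope with a tag valid for `password`.

    Test-vector helper only (constructed for this example): the caller passes
    arbitrary bytes in place of real AES-CTR output, so the result parses and
    authenticates but is not decryptable into anything meaningful.
    """
    _, hmac_key, _ = derive_keys(password, salt)
    tag = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    inner = b"\n".join(binascii.hexlify(x) for x in (salt, tag, ciphertext))
    outer = binascii.hexlify(inner).decode("ascii")
    wrapped = [outer[i:i + 80] for i in range(0, len(outer), 80)]
    return "\n".join([VAULT_HEADER, *wrapped]) + "\n"


if __name__ == "__main__":
    print(summarize(PAGE_VAULT))
    # Constructed vector: "constructed-password" is not the real vault password.
    demo = build_envelope("constructed-password", b"\x01" * 32, b"\x00" * 48)
    print(password_matches(demo, "constructed-password"),
          password_matches(demo, "wrong-password"),
          password_matches(PAGE_VAULT, "constructed-password"))
```

Running it shows the committed file decomposes into a 32-byte salt, a 32-byte HMAC tag and 96 bytes of ciphertext (six AES blocks, consistent with a short YAML document holding one secret), and that a guessed password fails the HMAC check, which is the same failure ansible-vault reports as a wrong password rather than ever producing garbage plaintext.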