On Mon, 2017-10-09 at 11:38 +0100, Daniel P. Berrange wrote:
On Fri, Oct 06, 2017 at 02:48:52PM +0200, Andrea Bolognani wrote:
> The agent is downloaded and configured to start at boot. The
> secrets needed to prove the workers' identity to the Jenkins server
> are stored inside Ansible vaults.
>
> Signed-off-by: Andrea Bolognani <abologna(a)redhat.com>
> diff --git a/ansible/host_vars/libvirt-centos-6/vault.yml
b/ansible/host_vars/libvirt-centos-6/vault.yml
> new file mode 100644
> index 0000000..2522a28
> --- /dev/null
> +++ b/ansible/host_vars/libvirt-centos-6/vault.yml
> @@ -0,0 +1,10 @@
> +$ANSIBLE_VAULT;1.1;AES256
> +33376164643732313335383930346630343432643939303864313631353063636663663634616638
> +3062306563323630653033656231373634363932336331620a383065336664343663346562353862
> +64616131656633653338316232303562363632643530313961316130303335626235653430326530
> +3566363365323830660a363063623035333231396337393537626161363634313637323563643161
> +36613030333563363630363730656238646138306236643937623266646639616130343734313566
> +61356165383464323434333836333030336464326436373731313439626161653931626431343665
> +30306236333133333334656430636363366132323132323039356264636465333630653335396662
> +38356334386337386135343463323233666432326361656438333961303237353562656339623264
> +3765
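Review bot: neither the commit message nor this new file says how the vault password is supplied, so anyone cloning the repository sees only the opaque `$ANSIBLE_VAULT;1.1;AES256` blob and cannot tell whether a `vault_password_file` setting in ansible.cfg is expected, whether `--ask-vault-pass` is intended, or who holds the password; add a sentence to the commit message (or a README next to the playbooks) stating where the password file is expected to live, that it must stay outside the repository, and which plaintext variable the vault is meant to provide, so the blob is reviewable without decrypting it.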
What is this data & how was it generated? How is it decrypted? Presumably
there's some local key we're not publishing?
It just contains the secret used by the Jenkins agent to authenticate
with the Jenkins server. Each of the files looks like

---
vault_jenkins_secret: "IT'S A SECRET TO EVERYBODY"

once decrypted; the main variables file for the host references the
encrypted variable with

jenkins_secret: '{{ vault_jenkins_secret }}'

so there is a visible trail to the vaulted variable, and only the
jenkins_secret variable is used anywhere else, as per best practices.

The file was created and can be edited using ansible-vault; the vault
password is retrieved automatically from the user's home directory
thanks to the line

vault_password_file = ~/.ansible/libvirt-jenkins-ci.vault-password

being present in the ansible.cfg file. I have already transmitted
the vault password using an encrypted side-channel :)
--
Andrea Bolognani / Red Hat / Virtualization
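Checking a committed vault file without Ansible installed, as an added example that is not code from this thread or from the libvirt CI repository: it parses the `$ANSIBLE_VAULT;1.1;AES256` envelope and verifies the HMAC-SHA256 tag with the PBKDF2-derived key, which proves both that the local vault password is the right one and that the blob in git has not been altered, without revealing the plaintext. The format details (double hex encoding, PBKDF2-HMAC-SHA256 with 10000 iterations, the 32/32/16-byte key, HMAC key and IV split) are assumed from ansible's vault implementation; AES-256-CTR decryption itself is left out, so the ciphertext used for the self-test is constructed opaque bytes.

```python
import binascii
import hashlib
import hmac
import os

# Ansible Vault envelope (assumed from ansible's vault code, not from the thread):
#   header  : $ANSIBLE_VAULT;1.1;AES256   (format 1.2 appends ";<vault-id>")
#   payload : hex( hex(salt) + "\n" + hmac_hexdigest + "\n" + hex(ciphertext) ), wrapped at 80 columns
#   keys    : PBKDF2-HMAC-SHA256(password, salt, 10000 iterations, 80 bytes)
#             -> AES-256 key (32) | HMAC-SHA256 key (32) | CTR IV (16)
PBKDF2_ITERATIONS = 10000


def derive_keys(password: bytes, salt: bytes):
    material = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS, dklen=80)
    return material[:32], material[32:64], material[64:80]


def parse_vault(text: str):
    """Split a vault file into (version, vault_id, salt, hmac_hex, ciphertext)."""
    lines = text.strip().splitlines()
    header = lines[0].split(";")
    if header[0] != "$ANSIBLE_VAULT" or len(header) < 3 or header[2] != "AES256":
        raise ValueError("not an AES256 Ansible vault file")
    vault_id = header[3] if len(header) > 3 else None
    payload = binascii.unhexlify("".join(lines[1:]))          # outer hex layer
    salt_hex, tag_hex, ct_hex = payload.split(b"\n")           # inner layer
    return header[1], vault_id, binascii.unhexlify(salt_hex), tag_hex.decode(), binascii.unhexlify(ct_hex)


def verify_vault(text: str, password: str) -> bool:
    """True only if the password is correct AND the ciphertext is untampered."""
    _, _, salt, tag, ciphertext = parse_vault(text)
    _, hmac_key, _ = derive_keys(password.encode("utf-8"), salt)
    expected = hmac.new(hmac_key, ciphertext, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def build_envelope(password: str, ciphertext: bytes, salt: bytes = None, vault_id: str = None) -> str:
    """Wrap an already-encrypted body in the vault envelope (used here only for constructed test data)."""
    salt = salt or os.urandom(32)
    _, hmac_key, _ = derive_keys(password.encode("utf-8"), salt)
    tag = hmac.new(hmac_key, ciphertext, hashlib.sha256).hexdigest()
    inner = b"\n".join([binascii.hexlify(salt), tag.encode(), binascii.hexlify(ciphertext)])
    body = binascii.hexlify(inner).decode()
    header = "$ANSIBLE_VAULT;1.2;AES256;" + vault_id if vault_id else "$ANSIBLE_VAULT;1.1;AES256"
    return header + "\n" + "\n".join(body[i:i + 80] for i in range(0, len(body), 80)) + "\n"
```

Run `verify_vault(open("vault.yml").read(), open(os.path.expanduser("~/.ansible/libvirt-jenkins-ci.vault-password")).read().strip())` as a pre-commit or CI check to catch a wrong password or a corrupted vault before a playbook run does.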