59d7af0e67
This adds roles that, similar to add-build-sshkey, create a per-build WinRM certificate, install it on remote windows nodes, and then switch to using the certificate in Ansible for authentication. A second role is included which can clean up the cert which is useful for static nodes. Since winrm certificates must be acessible within the bubblewrap container, these roles can be used to restrict the system-wide winrm cert to trusted playbooks while untrusted playbooks will only have access to the per-build cert (with appropriate configuration of the executor). Change-Id: I4efe25594c2f543886a000aa02fb0a38683a43cb
50 lines
2.4 KiB
YAML
50 lines
2.4 KiB
YAML
- name: Create temp WinRM cert
|
|
command: "openssl req -x509 -newkey rsa:2048 -keyout {{ zuul_temp_winrm_key }} -out {{ zuul_temp_winrm_cert }} -days 365 -nodes -subj '/C=US/ST=California/L=Oakland/O=Company Name/OU=Org/CN={{ zuul.build }}' -addext 'subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:{{ build_winrm_cert_credentials.username }}' -addext 'keyUsage = digitalSignature,keyEncipherment'"
|
|
delegate_to: localhost
|
|
run_once: true
|
|
|
|
- name: Export temp WinRM cert
|
|
command: "openssl pkcs12 -export -inkey {{ zuul_temp_winrm_key }} -in {{ zuul_temp_winrm_cert }} -out {{ zuul_temp_winrm_pfx }} -passout pass:{{ zuul_temp_winrm_password }}"
|
|
delegate_to: localhost
|
|
run_once: true
|
|
|
|
- name: Change password
|
|
when: build_winrm_cert_change_password
|
|
win_shell: |
|
|
net user {{ build_winrm_cert_credentials.username }} "{{ build_winrm_cert_credentials.password }}"
|
|
|
|
- name: Copy temp WinRM cert
|
|
when: ansible_os_family == "Windows"
|
|
win_copy:
|
|
src: "{{ zuul_temp_winrm_pfx }}"
|
|
dest: "{{ zuul_temp_winrm_remote_tempfile }}"
|
|
|
|
- name: Import temp WinRM cert
|
|
when: ansible_os_family == "Windows"
|
|
win_shell: |
|
|
$cert = Import-PfxCertificate -FilePath {{ zuul_temp_winrm_remote_tempfile }} -CertStoreLocation Cert:\LocalMachine\root -Password (ConvertTo-SecureString -AsPlainText -String "{{ zuul_temp_winrm_password }}" -Force)
|
|
|
|
rm {{ zuul_temp_winrm_remote_tempfile }}
|
|
|
|
$password = ConvertTo-SecureString -AsPlainText -String "{{ build_winrm_cert_credentials.password }}" -Force
|
|
|
|
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist {{ build_winrm_cert_credentials.username }}, $password
|
|
|
|
New-Item -Path WSMan:\localhost\ClientCertificate -Subject {{ build_winrm_cert_credentials.username }} -URI * -Issuer $($cert.Thumbprint) -Force -Credential $cred
|
|
|
|
- name: Update WinRM key location
|
|
when: ansible_os_family == "Windows"
|
|
set_fact:
|
|
cacheable: true
|
|
ansible_winrm_cert_key_pem: "{{ zuul_temp_winrm_key }}"
|
|
ansible_winrm_cert_pem: "{{ zuul_temp_winrm_cert }}"
|
|
# These are likely already set to these values, but set them here
|
|
# anyway to future-proof against potential changes in the executor
|
|
# to support more initial connection methods.
|
|
ansible_winrm_transport: certificate
|
|
ansible_winrm_server_cert_validation: ignore
|
|
|
|
- name: Verify we can still connect to all nodes
|
|
when: ansible_os_family == "Windows"
|
|
win_ping:
|