zuul-jobs/roles/add-build-winrm-cert/tasks/main.yaml
James E. Blair 59d7af0e67 Add per-build WinRM cert generation
This adds roles that, similar to add-build-sshkey, create a per-build
WinRM certificate, install it on remote Windows nodes, and then switch
to using the certificate in Ansible for authentication.  A second role
is included which can clean up the cert, which is useful for static
nodes.

Since winrm certificates must be accessible within the bubblewrap
container, these roles can be used to restrict the system-wide winrm
cert to trusted playbooks while untrusted playbooks will only have access
to the per-build cert (with appropriate configuration of the executor).

Change-Id: I4efe25594c2f543886a000aa02fb0a38683a43cb
2022-04-13 15:04:51 -07:00


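# Runs once on the executor (localhost); a missing key file is not an error.
- name: Check to see if WinRM cert was already created for this build
  stat:
    path: "{{ zuul_temp_winrm_key }}"
  register: zuul_temp_winrm_key_stat
  delegate_to: localhost
  run_once: true
  failed_when: false

# Using /dev/null as the password file means the random value is generated
# but never written to disk; no_log keeps it out of the job output.
- name: Generate WinRM export password
  set_fact:
    zuul_temp_winrm_password: "{{ lookup('password', '/dev/null') }}"
  no_log: true
  when: not zuul_temp_winrm_key_stat.stat.exists

# Key creation is skipped when an earlier playbook in this build already made one.
- name: Create a new key in workspace based on build UUID
  include_tasks: create-key-and-replace.yaml
  when: not zuul_temp_winrm_key_stat.stat.exists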
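
The flow these tasks drive (check for an existing per-build key, generate an export password, create the key), written as a shell function around openssl. This is an added example, not code from zuul-jobs: create-key-and-replace.yaml is not shown on this page, so the certificate fields, the file names, the one-day lifetime and the `ZUUL_PFX_PASS` variable are assumptions.

```shell
#!/bin/sh
# Added example, not zuul-jobs code. File names, the user name and the
# one-day lifetime are assumptions.
set -eu

# make_build_winrm_cert KEY_PATH USERNAME
# Writes KEY_PATH (private key), KEY_PATH.crt (client cert) and KEY_PATH.pfx
# (password-protected bundle for import on the Windows node), once per build.
# Sets WINRM_CERT_STATUS to "created" or "exists".
make_build_winrm_cert() {
    key="$1"; user="$2"

    # Same idempotency check as the stat task: reuse this build's cert.
    if [ -e "$key" ]; then
        WINRM_CERT_STATUS=exists
        return 0
    fi

    old_umask="$(umask)"; umask 077   # key and PFX readable by owner only
    cnf="$(mktemp)"
    # WinRM certificate auth needs the clientAuth EKU and maps the cert to
    # a local account through the UPN otherName in subjectAltName.
    cat > "$cnf" <<EOF
distinguished_name = dn
[dn]
[v3_client]
extendedKeyUsage = clientAuth
subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:${user}@localhost
EOF
    openssl req -x509 -nodes -newkey rsa:2048 -days 1 -sha256 \
        -subj "/CN=${user}" -config "$cnf" -extensions v3_client \
        -keyout "$key" -out "$key.crt" 2>/dev/null
    rm -f "$cnf"

    # Random export password, passed via the environment so it never
    # appears in argv or on disk (the role uses a password lookup instead).
    ZUUL_PFX_PASS="$(openssl rand -base64 24)"
    export ZUUL_PFX_PASS
    openssl pkcs12 -export -inkey "$key" -in "$key.crt" \
        -out "$key.pfx" -passout env:ZUUL_PFX_PASS
    umask "$old_umask"
    WINRM_CERT_STATUS=created
}
```

Only the `.pfx` and its password need to reach the Windows node; the private key stays in the build workspace, which is what lets untrusted playbooks use the per-build cert without seeing the system-wide one.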