On Mon, 2017-10-09 at 11:38 +0100, Daniel P. Berrange wrote:
> On Fri, Oct 06, 2017 at 02:48:52PM +0200, Andrea Bolognani wrote:
> > The agent is downloaded and configured to start at boot. The
> > secrets needed to prove the workers' identity to the Jenkins server
> > are stored inside Ansible vaults.
> > 
> > Signed-off-by: Andrea Bolognani <abolo...@redhat.com>
> > diff --git a/ansible/host_vars/libvirt-centos-6/vault.yml 
> > b/ansible/host_vars/libvirt-centos-6/vault.yml
> > new file mode 100644
> > index 0000000..2522a28
> > --- /dev/null
> > +++ b/ansible/host_vars/libvirt-centos-6/vault.yml
> > @@ -0,0 +1,10 @@
> > +$ANSIBLE_VAULT;1.1;AES256
> > +33376164643732313335383930346630343432643939303864313631353063636663663634616638
> > +3062306563323630653033656231373634363932336331620a383065336664343663346562353862
> > +64616131656633653338316232303562363632643530313961316130303335626235653430326530
> > +3566363365323830660a363063623035333231396337393537626161363634313637323563643161
> > +36613030333563363630363730656238646138306236643937623266646639616130343734313566
> > +61356165383464323434333836333030336464326436373731313439626161653931626431343665
> > +30306236333133333334656430636363366132323132323039356264636465333630653335396662
> > +38356334386337386135343463323233666432326361656438333961303237353562656339623264
> > +3765
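Review bot: the hunk commits only the encrypted payload, and neither the diff nor the commit message records how the vault password reaches the machine running the playbook; the answer (a `vault_password_file` entry in ansible.cfg pointing at a password kept outside the repository, shared out of band) only surfaces in the reply below. Put that in the commit message or a README next to the vault files so the next person adding a host_vars/*/vault.yml knows the blob is AES256-encrypted by ansible-vault and where the key lives.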
> What is this data & how was it generated ? How is it decrypted ? Presumably
> there's some local key we're not publishing ?

It just contains the secret used by the Jenkins agent to authenticate
with the Jenkins server. Each of the files looks like

  vault_jenkins_secret: "IT'S A SECRET TO EVERYBODY"

once decrypted; the main variables file for the host references the
encrypted variable with

  jenkins_secret: '{{ vault_jenkins_secret }}'

so there is a visible trail to the vaulted variable, and only the
jenkins_secret variable is used anywhere else as per best practices.

The file was created and can be edited using ansible-vault; the vault
password is retrieved automatically from the user's home directory
thanks to the line

  vault_password_file = ~/.ansible/libvirt-jenkins-ci.vault-password

being present in the ansible.cfg file. I have already transmitted
the vault password using an encrypted side-channel :)

Andrea Bolognani / Red Hat / Virtualization
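The reply above describes two conventions worth enforcing in review: every host_vars/*/vault.yml must actually be an ansible-vault payload (header plus hex body), and vaulted names are only ever reached through a plain `jenkins_secret: '{{ vault_jenkins_secret }}'` indirection in the main vars file. The following check script is an added example, not part of the patch or the libvirt-jenkins-ci project; the directory layout and the sample file contents (including the short hex body) are constructed for illustration.

```python
import re

# Header written by ansible-vault: $ANSIBLE_VAULT;<format version>;<cipher>[;<vault id>]
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;1\.[12];AES256(?:;[^;\s]+)?$")
HEX_LINE = re.compile(r"^[0-9a-f]+$")
VAULT_KEY = re.compile(r"^(vault_\w+)\s*:", re.M)
# A non-vault key whose whole value is a single '{{ vault_x }}' indirection.
INDIRECTION = re.compile(r"^(?!vault_)\w+\s*:\s*['\"]?\{\{\s*(vault_\w+)\s*\}\}['\"]?\s*$", re.M)
ANY_REF = re.compile(r"\{\{\s*(vault_\w+)\s*\}\}")


def is_vault_encrypted(text):
    """True when the whole file is an ansible-vault payload: header plus hex body."""
    lines = text.strip().splitlines()
    if len(lines) < 2 or not VAULT_HEADER.match(lines[0]):
        return False
    return all(HEX_LINE.match(line) for line in lines[1:])


def check_host_vars(files):
    """files maps relative path -> content. Returns a list of findings; [] means clean."""
    findings = []
    for path, text in files.items():
        if path.endswith("/vault.yml"):
            if not is_vault_encrypted(text):
                findings.append(f"{path}: vault file is not encrypted")
            continue
        # Only vault.yml may define vault_* secrets; everything else must reference them.
        for key in VAULT_KEY.findall(text):
            findings.append(f"{path}: defines {key} in plaintext")
        # Every vault_* reference must be a plain indirection, so the vaulted
        # name is never used directly in a command string or elsewhere.
        clean = set(INDIRECTION.findall(text))
        for ref in ANY_REF.findall(text):
            if ref not in clean:
                findings.append(f"{path}: {ref} used outside a plain indirection")
    return findings


# Constructed sample tree (the hex body below is made up, not a real vault payload).
GOOD = {
    "host_vars/libvirt-centos-6/main.yml": "jenkins_secret: '{{ vault_jenkins_secret }}'\n",
    "host_vars/libvirt-centos-6/vault.yml": "$ANSIBLE_VAULT;1.1;AES256\n3337616464\n3062306563\n",
}
BAD = {
    "host_vars/libvirt-centos-6/main.yml": "jenkins_cmd: 'agent -s {{ vault_jenkins_secret }}'\n",
    # A vault.yml accidentally committed after 'ansible-vault decrypt':
    "host_vars/libvirt-centos-6/vault.yml": "vault_jenkins_secret: \"IT'S A SECRET TO EVERYBODY\"\n",
}

if __name__ == "__main__":
    for name, tree in (("good", GOOD), ("bad", BAD)):
        print(name, check_host_vars(tree) or "clean")
```

Run it as a pre-commit hook over the host_vars tree to catch a vault.yml left decrypted or a secret spliced straight into a command line.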
