From 0a4796bb915c173c322f9f5c502f798bbbc6cb98 Mon Sep 17 00:00:00 2001
From: Sebastien Girard
Date: Tue, 27 Aug 2024 20:33:44 +0200
Subject: [PATCH] Add support for ssh_key_unlock
---
 .../credentials/tower_v1alpha1_ansiblecredential-ssh.yaml | 1 +
 roles/credential/templates/job_definition.yml.j2 | 7 +++++++
 roles/job_runner/tasks/credentials.yml | 5 +++++
 .../job_runner/tasks/credentials/create_ssh_credential.yml | 1 +
 4 files changed, 14 insertions(+)
diff --git a/config/samples/credentials/tower_v1alpha1_ansiblecredential-ssh.yaml b/config/samples/credentials/tower_v1alpha1_ansiblecredential-ssh.yaml
index 48a7544a..c2da10e6 100644
--- a/config/samples/credentials/tower_v1alpha1_ansiblecredential-ssh.yaml
+++ b/config/samples/credentials/tower_v1alpha1_ansiblecredential-ssh.yaml
@@ -10,4 +10,5 @@ spec:
 type: "Machine"
 ssh_username: "cat"
 ssh_secret: my-ssh-secret
+ ssh_key_unlock: my-ssh-secret
 runner_pull_policy: IfNotPresent
diff --git a/roles/credential/templates/job_definition.yml.j2 b/roles/credential/templates/job_definition.yml.j2
index 1f2782a4..e884aa5a 100644
--- a/roles/credential/templates/job_definition.yml.j2
+++ b/roles/credential/templates/job_definition.yml.j2
@@ -48,6 +48,13 @@ spec:
 name: "{{ ssh_secret }}"
 key: id_rsa
 {% endif %}
+{% if ssh_key_unlock is defined and ssh_key_unlock != "" %}
+ - name: SSH_KEY_UNLOCK
+ valueFrom:
+ secretKeyRef:
+ name: "{{ ssh_secret }}"
+ key: password
+{% endif %}
 {% if ssh_username is defined and ssh_username != "" %}
 - name: SSH_USERNAME
 value: "{{ ssh_username }}"
diff --git a/roles/job_runner/tasks/credentials.yml b/roles/job_runner/tasks/credentials.yml
index 31266c72..e6e30702 100644
--- a/roles/job_runner/tasks/credentials.yml
+++ b/roles/job_runner/tasks/credentials.yml
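Review bot: In the job_definition.yml.j2 hunk the new `SSH_KEY_UNLOCK` entry is gated on `ssh_key_unlock`, but its `secretKeyRef` still names `{{ ssh_secret }}`, so the value supplied in `ssh_key_unlock` is never used as a Secret name. The sample in this patch sets both fields to `my-ssh-secret`, which hides the mismatch; with a different value, or with `ssh_key_unlock` set and `ssh_secret` unset, the reference would point at the wrong Secret or an empty name. If the field is meant to name the Secret holding the passphrase, the line should read `name: "{{ ssh_key_unlock }}"`, and the hard-coded `password` key deserves a comment so users know which key the Secret must contain. The env list this block sits in starts and ends outside the hunk.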
@@ -2,6 +2,7 @@
 include_tasks: credentials/create_ssh_credential.yml
 when:
 - lookup('env','SSH_SECRET') != ''
+ - lookup('env','SSH_KEY_UNLOCK') != ''
 - lookup('env','KUBERNETES_BEARER_TOKEN') == ''
 - lookup('env','USERNAME_SECRET') == ''
 - lookup('env','PASSWORD_SECRET') == ''
@@ -12,6 +13,7 @@
 when:
 - lookup('env','KUBERNETES_BEARER_TOKEN') != ''
 - lookup('env','SSH_SECRET') == ''
+ - lookup('env','SSH_KEY_UNLOCK') == ''
 - lookup('env','USERNAME_SECRET') == ''
 - lookup('env','PASSWORD_SECRET') == ''
 - lookup('env','TOKEN_SECRET') == ''
@@ -21,6 +23,7 @@
 when:
 - lookup('env','KUBERNETES_BEARER_TOKEN') == ''
 - lookup('env','SSH_SECRET') == ''
+ - lookup('env','SSH_KEY_UNLOCK') == ''
 - lookup('env','USERNAME_SECRET') != ''
 - lookup('env','PASSWORD_SECRET') != ''
 - lookup('env','TOKEN_SECRET') == ''
@@ -30,6 +33,7 @@
 when:
 - lookup('env','KUBERNETES_BEARER_TOKEN') == ''
 - lookup('env','SSH_SECRET') == ''
+ - lookup('env','SSH_KEY_UNLOCK') == ''
 - lookup('env','USERNAME_SECRET') == ''
 - lookup('env','PASSWORD_SECRET') == ''
 - lookup('env','TOKEN_SECRET') != ''
@@ -38,6 +42,7 @@
 include_tasks: credentials/create_generic_credential.yml
 when:
 - lookup('env','SSH_SECRET') == ''
+ - lookup('env','SSH_KEY_UNLOCK') == ''
 - lookup('env','KUBERNETES_BEARER_TOKEN') == ''
 - lookup('env','USERNAME_SECRET') == ''
 - lookup('env','PASSWORD_SECRET') == ''
diff --git a/roles/job_runner/tasks/credentials/create_ssh_credential.yml b/roles/job_runner/tasks/credentials/create_ssh_credential.yml
index 7d0e3e0d..e437dfb5 100644
--- a/roles/job_runner/tasks/credentials/create_ssh_credential.yml
+++ b/roles/job_runner/tasks/credentials/create_ssh_credential.yml
@@ -8,6 +8,7 @@
 credential_type: "{{ lookup('env','TYPE') }}"
 inputs:
 ssh_key_data: "{{ lookup('env','SSH_SECRET') }}"
+ ssh_key_unlock: "{{ lookup('env','SSH_KEY_UNLOCK') }}"
 username: "{{ lookup('env','SSH_USERNAME') }}"
 state: present
 register: credentials
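Review bot: The condition `- lookup('env','SSH_KEY_UNLOCK') != ''` added to the `create_ssh_credential.yml` include in the first credentials.yml hunk makes the passphrase mandatory, so a credential with an unencrypted key (`SSH_SECRET` set, `SSH_KEY_UNLOCK` empty) no longer satisfies this branch. The other four hunks all require `SSH_SECRET == ''`, so among the includes visible here that case matches none of them and the credential would be skipped without an error. Dropping the added line from the SSH branch keeps the passphrase optional; the `== ''` lines in the other four hunks can stay to keep the branches mutually exclusive. The `when:` lists continue outside each hunk.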
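Review bot: `inputs` in create_ssh_credential.yml now carries the key passphrase next to the private key, and the task result is stored with `register: credentials`; the task's opening lines are outside the hunk, so it is not visible whether `no_log: true` is already set. If it is not, adding `no_log: true` to this task keeps both values out of task output at higher verbosity and on failure. The lookup also yields an empty string when `SSH_KEY_UNLOCK` is unset, so it is worth confirming that the credential module accepts an empty `ssh_key_unlock` for unencrypted keys.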