jenkins_ssh.yml

# vim: ft=ansible
---
- hosts: jenkins_master
  become: true
  become_user: jenkins
  tags:
    - jenkins_master
    - jenkins_ssh

  vars_files:
    - "{{ inventory_dir  }}/{{ vars_files_relative }}/vars/main.yml"
    - ~/.ansible/vars/toad_vars.yml

  tasks:
    - name: Create Jenkins user .ssh directory
      file:
        path: "{{ jenkins_master_ssh_directory }}"
        state: directory
        owner: jenkins
        group: jenkins
        mode: "0700"

    - name: Generate SSH keypair
      command: ssh-keygen -N '' -f {{ jenkins_master_ssh_directory }}/id_rsa
      args:
        creates: "{{ jenkins_master_ssh_directory }}/id_rsa"

    - name: Validate correct permissions on SSH keys
      file:
        path: "{{ jenkins_master_ssh_directory }}/{{ item.filename }}"
        owner: jenkins
        group: jenkins
        mode: "{{ item.mode }}"
      with_items:
        - { filename: id_rsa, mode: "0400" }
        - { filename: id_rsa.pub, mode: "0664" }

    - name: Get public SSH key contents
      command: cat {{ jenkins_master_ssh_directory }}/id_rsa.pub
      register: jenkins_master_pub
      tags:
        # Skip ANSIBLE0012. We want to validate our public key is copied over.
        - skip_ansible_lint

    - name: Allow SSH into localhost on the master
      authorized_key:
        user: jenkins
        key: "{{ jenkins_master_pub.stdout }}"

    - name: Get localhost SSH fingerprint
      command: ssh-keyscan -4 -t ecdsa-sha2-nistp256 127.0.0.1
      register: jenkins_master_ssh_fingerprint
      tags:
        - skip_ansible_lint

    - name: Add localhost SSH fingerprint to known_hosts
      become: yes
      become_user: jenkins
      known_hosts:
        name: 127.0.0.1
        key: "{{ jenkins_master_ssh_fingerprint.stdout }}"
        state: present
    #** Complete Jenkins Master SSH key creation ***

- hosts: jenkins_slave
  become: yes
  tags:
    - jenkins_slave
    - jenkins_ssh

  vars_files:
    - "{{ inventory_dir  }}/{{ vars_files_relative }}/vars/main.yml"
    - ~/.ansible/vars/toad_vars.yml

  tasks:
    # Deal with SSH key setup for the slave

    # TODO: this is a work around because I haven't figured out how to properly
    #       access the registered hostvars on the jenkins_master.
    - name: Set fact containing the jenkins_master SSH public key
      become: no
      ignore_errors: yes
      set_fact:
        jenkins_master_pub: "{{ hostvars[item].jenkins_master_pub.stdout }}"
      with_inventory_hostnames: jenkins_master
      tags:
        # Skip ANSIBLE0015. Use of bare variable jenkins_master is correct.
        - skip_ansible_lint

    - name: Get contents of stack public key
      command: cat /home/stack/.ssh/id_rsa.pub
      register: stack_slave_pub
      tags:
        # Skip ANSIBLE0012. We want to validate our public key is copied over.
        - skip_ansible_lint

    - name: Add authorized host keys to authorized_keys
      become: true
      become_user: stack
      ignore_errors: yes
      authorized_key:
        user: stack
        key: "{{ item }}"
      with_items:
      - "{{ jenkins_master_pub }}"
      - "{{ stack_slave_pub.stdout }}"

    - name: Add stack public key to local root user
      authorized_key:
        user: root
        key: "{{ stack_slave_pub.stdout }}"

    - name: Get SSH fingerprint of slave
      shell: ssh-keyscan -4 -t ecdsa-sha2-nistp256 $HOSTNAME
      register: jenkins_slave_ssh_fingerprint
      tags:
        - skip_ansible_lint

- hosts: jenkins_master
  become: yes
  tags:
    - jenkins_slave
    - jenkins_ssh

  vars_files:
    - ~/.ansible/vars/toad_vars.yml

  tasks:
    - name: Set fact containing the slave SSH fingerprint
      become: no
      ignore_errors: yes
      set_fact:
        jenkins_slave_ssh_hostname: "{{ hostvars[item].jenkins_slave_ssh_hostname.stdout }}"
        jenkins_slave_ssh_fingerprint: "{{ hostvars[item].jenkins_slave_ssh_fingerprint.stdout }}"
      with_inventory_hostnames: jenkins_slave
      tags:
        # Skip ANSIBLE0015. Use of bare variable jenkins_master is correct.
        - skip_ansible_lint

    - name: Add Jenkins slave SSH fingerprint to known hosts
      become: true
      become_user: jenkins
      known_hosts:
        name: "{{ jenkins_slave_ssh_hostname }}"
        key: "{{ jenkins_slave_ssh_fingerprint }}"
        state: present
      when: jenkins_slave_ssh_hostname is defined and jenkins_slave_ssh_fingerprint is defined and jenkins_slave_ssh_fingerprint != ""